Rest 302 error - ssl configuration
30 views
Skip to first unread message
Cullen Philippson
Mar 31, 2017, 1:20:38 PM3/31/17
to nagrestconf-users
Hello,
I am trying to add SSL my nagios(centos 6.8 - apache) configuration. I have nagios and pnp4nagios working correctly but when I connect via a browser to nagrestconf I get the following error.
Could not execute query using REST.
Please check system settings.
REST return code: 302
I am not seeing errors in the apache ssl_error_logs and am seeing 200s in the ssl_access_logs.
apache conf file:
# Last Modified: 03-30-2017
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file. Customize the paths, etc. as
# needed to fit your system.
Listen 443
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:443>
ServerName nagios.domain.net
ServerAlias nagios nagios.domain.com
ServerAdmin n...@domain.com
DocumentRoot "/var/www/html"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
<Directory /usr/lib64/nagios/cgi-bin/>
SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
Alias /nagios "/usr/share/nagios/html"
<Directory /usr/share/nagios/html>
SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
Alias /nagrestconf "/usr/share/nagrestconf/htdocs/nagrestconf"
<Directory /usr/share/nagrestconf/htdocs/nagrestconf/>
SSLRequireSSL
Options ExecCGI
AllowOverride All
Require authentication
AuthName "REST Access"
AuthType Basic
AuthUserFile /etc/nagios/nagrestconf.users
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAll>
Require all granted
Require valid-user
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
Allow from all
Require valid-user
</IfModule>
</Directory>
Alias /rest /usr/share/nagrestconf/htdocs/rest
<Directory /usr/share/nagrestconf/htdocs/rest/>
SSLRequireSSL
Options ExecCGI
AllowOverride All
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAll>
Require all granted
# Require local
#Require valid-user
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
# Only allow from the local host
Order deny,allow
Deny from all
#Allow from 127.0.0.1
Allow from all
#Require valid-user
</IfModule>
</Directory>
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/star.domain.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/star.domain.pvt.key
SSLCACertificateFile /etc/pki/tls/certs/star.domain.net.crt.chain
</VirtualHost>
I am trying to add SSL my nagios(centos 6.8 - apache) configuration. I have nagios and pnp4nagios working correctly but when I connect via a browser to nagrestconf I get the following error.
Could not execute query using REST.
Please check system settings.
REST return code: 302
I am not seeing errors in the apache ssl_error_logs and am seeing 200s in the ssl_access_logs.
apache conf file:
# Last Modified: 03-30-2017
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file. Customize the paths, etc. as
# needed to fit your system.
Listen 443
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:443>
ServerName nagios.domain.net
ServerAlias nagios nagios.domain.com
ServerAdmin n...@domain.com
DocumentRoot "/var/www/html"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
<Directory /usr/lib64/nagios/cgi-bin/>
SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
Alias /nagios "/usr/share/nagios/html"
<Directory /usr/share/nagios/html>
SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
Require valid-user
</Directory>
Alias /nagrestconf "/usr/share/nagrestconf/htdocs/nagrestconf"
<Directory /usr/share/nagrestconf/htdocs/nagrestconf/>
SSLRequireSSL
Options ExecCGI
AllowOverride All
Require authentication
AuthName "REST Access"
AuthType Basic
AuthUserFile /etc/nagios/nagrestconf.users
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAll>
Require all granted
Require valid-user
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
Allow from all
Require valid-user
</IfModule>
</Directory>
Alias /rest /usr/share/nagrestconf/htdocs/rest
<Directory /usr/share/nagrestconf/htdocs/rest/>
SSLRequireSSL
Options ExecCGI
AllowOverride All
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAll>
Require all granted
# Require local
#Require valid-user
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
# Only allow from the local host
Order deny,allow
Deny from all
#Allow from 127.0.0.1
Allow from all
#Require valid-user
</IfModule>
</Directory>
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/star.domain.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/star.domain.pvt.key
SSLCACertificateFile /etc/pki/tls/certs/star.domain.net.crt.chain
</VirtualHost>
Cullen Philippson
Mar 31, 2017, 2:19:24 PM3/31/17
to nagrestconf-users
After further searching, this may be as a result of my redirect to a new domain. Is there a proper way to do this that will result in successful rest communication?
default.conf
<VirtualHost *:80>
ServerName nagios.newdomain.net
Redirect / https://nagios.newdomain.net/
</VirtualHost>
default.conf
<VirtualHost *:80>
ServerName nagios.newdomain.net
Redirect / https://nagios.newdomain.net/
</VirtualHost>
Cullen Philippson
Mar 31, 2017, 2:37:23 PM3/31/17
to nagrestconf-users
Using version: nagrestconf-1.174.4-1.noarch
Mark Clarkson
Apr 2, 2017, 4:35:43 PM4/2/17
to nagrestconf-users
Hi,
Maybe you could try curl directly to see if it works on the REST url. Something like:
$ curl -LknX GET 'https://127.0.0.1/rest/check/nagiosconfig?json=\{"folder":"local","verbose":"false"\}'
["Total Warnings: 0, Total Errors: 0"]
-L for redoing the request for redirects. Try with and without this option.
If that works then try modifying the file, '/usr/share/nagrestconf/htdocs/nagrestconf/index.php'.
Copy that file somewhere safe then edit it.
Find the function 'setCurlOpts' and add a follow-redirects option.
This is the original function:
# --------------------------------------------------------------------
protected function setCurlOpts (&$curlHandle)
# --------------------------------------------------------------------
{
curl_setopt($curlHandle, CURLOPT_TIMEOUT, 300);
curl_setopt($curlHandle, CURLOPT_PROXY, "");
curl_setopt($curlHandle, CURLOPT_URL, $this->url);
curl_setopt($curlHandle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curlHandle, CURLOPT_HTTPHEADER, array ('Accept: ' . $this->acceptType));
}
And add the line:
to make it look like:
# --------------------------------------------------------------------
protected function setCurlOpts (&$curlHandle)
# --------------------------------------------------------------------
{
curl_setopt($curlHandle, CURLOPT_TIMEOUT, 300);
curl_setopt($curlHandle, CURLOPT_PROXY, "");
curl_setopt($curlHandle, CURLOPT_URL, $this->url);
curl_setopt($curlHandle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curlHandle, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curlHandle, CURLOPT_HTTPHEADER, array ('Accept: ' . $this->acceptType));
}
Hopefully this will work for you.
ALTERNATIVELY you could put the redirect address directly into /etc/nagrestconf.ini.
Cheers!
Mark
Maybe you could try curl directly to see if it works on the REST url. Something like:
$ curl -LknX GET 'https://127.0.0.1/rest/check/nagiosconfig?json=\{"folder":"local","verbose":"false"\}'
["Total Warnings: 0, Total Errors: 0"]
-L for redoing the request for redirects. Try with and without this option.
If that works then try modifying the file, '/usr/share/nagrestconf/htdocs/nagrestconf/index.php'.
Copy that file somewhere safe then edit it.
Find the function 'setCurlOpts' and add a follow-redirects option.
This is the original function:
# --------------------------------------------------------------------
protected function setCurlOpts (&$curlHandle)
# --------------------------------------------------------------------
{
curl_setopt($curlHandle, CURLOPT_TIMEOUT, 300);
curl_setopt($curlHandle, CURLOPT_PROXY, "");
curl_setopt($curlHandle, CURLOPT_URL, $this->url);
curl_setopt($curlHandle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curlHandle, CURLOPT_HTTPHEADER, array ('Accept: ' . $this->acceptType));
}
And add the line:
curl_setopt($curlHandle, CURLOPT_FOLLOWLOCATION, true);to make it look like:
# --------------------------------------------------------------------
protected function setCurlOpts (&$curlHandle)
# --------------------------------------------------------------------
{
curl_setopt($curlHandle, CURLOPT_TIMEOUT, 300);
curl_setopt($curlHandle, CURLOPT_PROXY, "");
curl_setopt($curlHandle, CURLOPT_URL, $this->url);
curl_setopt($curlHandle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curlHandle, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curlHandle, CURLOPT_HTTPHEADER, array ('Accept: ' . $this->acceptType));
}
Hopefully this will work for you.
ALTERNATIVELY you could put the redirect address directly into /etc/nagrestconf.ini.
Cheers!
Mark
Cullen Philippson
Apr 3, 2017, 3:11:03 AM4/3/17
to nagrestconf-users
Thank you!
Turns out I had to do both to get everything working.Second change:
; Configuration file for nagrestconf
resturl = "https://127.0.0.1/rest"
;resturl = "http://127.0.0.1/rest"
Mark Clarkson
Apr 3, 2017, 4:02:44 AM4/3/17
to nagrestconf-users
On Monday, 3 April 2017 08:11:03 UTC+1, Cullen Philippson wrote:
The first change allowed the nagrestconf page to load w/o the 302, the second allow REST changes to be made with the web GUI. My first attempts(without the change to nagrestconf.ini) resulted in a Null error when updating an IP to a host.Thank you!Turns out I had to do both to get everything working.
Second change:
; Configuration file for nagrestconf
resturl = "https://127.0.0.1/rest"
;resturl = "http://127.0.0.1/rest"
Great! Glad you got it working and thanks for reporting back.
Maybe it would have worked without any source code changes by entering https://nagios.newdomain.net/ as the resturl (?).
I've committed the FOLLOWLOCATION option to github so it will be in future releases. Thanks!
Reply all
Reply to author
Forward
0 new messages