To secure the connection between the end user's web browser and Nagios Log Server, we need to configure SSL/TLS in Nagios Log Server.
As a part of our Server Management Services, we help our customers with Nagios-related requests regularly.
Let us see how to set up Nagios Log Server to use SSL/TLS to provide encrypted connections to the Nagios Log Server.
Configure SSL/TLS in Nagios Log Server
To implement SSL, we need to generate a certificate. When we generate a certificate, we create a request that needs to be signed by a Certificate Authority (CA).
Configuring SSL/TLS in the Nagios Log server involves a series of steps. Those include:
- Installing Necessary Components
- Generate Private Key File
- Generate Certificate Request File
- Sign Certificate Request
- Update Apache Configuration
Let us look into these steps one by one.
Installing Necessary Components
The initial step that our Support Engineers follow is to install OpenSSL. First, establish a terminal session to Nagios Log Server as root and execute the following command:
RHEL|CentOS
# yum install -y mod_ssl openssl
Debian|Ubuntu
# apt-get install -y openssl
The SSL setup steps need to be performed from the /usr/local/nagioslogserver/var/certs/ directory. Execute the following commands to create the directory (if it does not exist) and then change into it:
# mkdir -p /usr/local/nagioslogserver/var/certs
# cd /usr/local/nagioslogserver/var/certs/
Generate Private Key File
The first step is to generate the private key file. Execute the following command:
# openssl genrsa -out nagioslogserver.key 2048
That would have generated some random text.
Generate Certificate Request File
Next, we will generate the certificate request file by executing the following command:
# openssl req -new -key nagioslogserver.key -out nagioslogserver.csr
This will prompt us to enter some values, as shown below. The common name should match the domain name that we use to access the Nagios Log Server in our web browsers. This is particularly important: if these do not match, then we will get warnings in our web browser.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign Certificate Request
At this point, we have created a certificate request that needs to be signed by a CA.
If we are going to use a trusted company like VeriSign to provide us with a certificate, we will need to send them a copy of the certificate request. This can be viewed by executing the following command:
# cat nagioslogserver.csr
We will get a lot of random text; this is what we will need to provide to a trusted CA. We must provide the CA with everything, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
Once they send us the signed certificate, we will need to copy the certificate into a new file called nagioslogserver.crt. The certificate we receive will also be a lot of random text, so we can just paste that text into the new file which we can open with the vi editor:
# vi nagioslogserver.crt
We must paste everything, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into the file.
Save and close the file.
Self Signing The Certificate
We can also self-sign the certificate by executing the following command:
# openssl x509 -req -days 365 -in nagioslogserver.csr -signkey nagioslogserver.key -out nagioslogserver.crt
This should produce output saying the Signature was OK and it was Getting Private Key.
When we self-sign a certificate, we will get warnings in our web browser.
Set Permissions
We need to set permissions on the files so that only the owner can access them. To do so, execute the following command:
# chmod go-rwx nagioslogserver.*
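The key, CSR, self-sign and permission steps above can be run non-interactively and checked before Apache is pointed at the files. The script below is an added example, not part of the original article; the function names make_cert and check_cert, the san.ext file and the hostname logserver.example.com are assumptions. It goes beyond the article by adding a subjectAltName, which current browsers match against in place of the common name.

```shell
#!/bin/sh
# Added example (not from the original article). Builds the key, CSR and
# self-signed certificate without prompts, then checks the result.
# logserver.example.com is a placeholder hostname.

make_cert() {    # usage: make_cert <dir> <hostname>
    mkdir -p "$1" || return 1
    openssl genrsa -out "$1/nagioslogserver.key" 2048 || return 1
    # -subj answers the prompts; CN is the name users type in the browser.
    openssl req -new -key "$1/nagioslogserver.key" -subj "/CN=$2" \
        -out "$1/nagioslogserver.csr" || return 1
    # Browsers match on subjectAltName, so add it when signing.
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -days 365 -in "$1/nagioslogserver.csr" \
        -signkey "$1/nagioslogserver.key" -extfile "$1/san.ext" \
        -out "$1/nagioslogserver.crt" || return 1
    chmod go-rwx "$1"/nagioslogserver.*
}

check_cert() {   # usage: check_cert <dir> <hostname>; returns number of problems
    key="$1/nagioslogserver.key"; crt="$1/nagioslogserver.crt"; bad=0
    # Identical public keys mean the certificate was issued for this key.
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] \
        || { echo "key/certificate mismatch"; bad=$((bad+1)); }
    # -checkhost tests the name against the SAN entries (CN if there are none).
    openssl x509 -in "$crt" -noout -checkhost "$2" | grep -q 'does match' \
        || { echo "certificate does not cover $2"; bad=$((bad+1)); }
    # -checkend 0 fails once the certificate has expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate expired"; bad=$((bad+1)); }
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "private key readable by group or others"; bad=$((bad+1)); }
    return "$bad"
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" logserver.example.com \
    && check_cert "$demo_dir" logserver.example.com \
    && echo "certificate and key are consistent"
```

On the real server, check_cert can be pointed at /usr/local/nagioslogserver/var/certs with the name users actually type, before restarting Apache.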
Update Apache Configuration
Now we need to update the Apache webserver configuration with the certificate. The configuration file for this differs depending on the operating system (OS). Open the SSL configuration file in a text editor by executing the following command:
RHEL|CentOS
# vi /etc/httpd/conf.d/ssl.conf
Debian|Ubuntu
# vi /etc/apache2/sites-available/default-ssl.conf
Find these lines and update them as follows:
SSLCertificateFile /usr/local/nagioslogserver/var/certs/nagioslogserver.crt
SSLCertificateKeyFile /usr/local/nagioslogserver/var/certs/nagioslogserver.key
In that same file, navigate to the end and before the line </VirtualHost>, add the following lines:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond $1 !^(index\.php|scripts|media|app|js|css|img|font|vendor|config.js)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagioslogserver/(.*)$ /var/www/html/nagioslogserver/www/index.php/$1 [L,QSA]
</IfModule>
Save the changes and close the file.
We also have to update the Apache webserver config file to force SSL to be used. The configuration file for this differs depending on the OS. Open the configuration file in any text editor by executing the following command:
RHEL|CentOS
# vi /etc/httpd/conf.d/nagioslogserver.conf
Debian|Ubuntu
# vi /etc/apache2/sites-available/nagioslogserver.conf
Add the following lines to the end of the file:
RewriteEngine on
RewriteCond $1 !^(index\.php|scripts|media|app|js|css|img|font|vendor|config.js)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagioslogserver/(.*)$ /var/www/html/nagioslogserver/www/index.php/$1 [L,QSA]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
It is most likely that we only need to add the last two lines above (the RewriteCond %{HTTPS} off line and the RewriteRule that follows it); the end result is that all the lines need to exist.
Save the changes and close the file.
Restart Apache
We need to restart Apache for the new certificate and key to be used.
RHEL 7+|CentOS 7+|CentOS Stream
# systemctl restart httpd.service
Debian|Ubuntu 16/18/20
# a2ensite default-ssl
# a2enmod ssl
# systemctl restart apache2.service
Firewall Rules
If we cannot access the Nagios Log Server while testing the certificate, then it is likely that we will need to run these commands:
RHEL 7+|CentOS 7+|CentOS Stream
# firewall-cmd --zone=public --add-port=443/tcp
# firewall-cmd --zone=public --add-port=443/tcp --permanent
Debian
The local firewall is not enabled on Debian by default and no steps are required here. If it is enabled, then the commands are:
# iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT
Ubuntu
The local firewall is not enabled on Ubuntu by default and no steps are required here. If it is enabled, then the commands are:
# sudo ufw allow https
# sudo ufw reload
Update Settings to Configure SSL/TLS in Nagios Log Server
The Nagios Log Server GUI settings also need updating. Open up the Nagios Log Server interface to https://yourservername/nagioslogserver/ and navigate to Admin > General > Global Settings.
Change the Interface URL to https instead of the default http and click the Save Settings button.
It is very important that the IP address/DNS name here is the same as the one entered as the certificate's “common name”.
We are now set to use https with our Nagios Log Server web interface.
With this configuration, if a user types http://logserver in their web browser, it will redirect them to https://logserver which can cause certificate warnings in certain scenarios. If we want to redirect them to https://logserver.yourdomain.com, then we simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file:
RewriteRule (.*) https://logserver.yourdomain.com%{REQUEST_URI}
Then restart the httpd service.
Conclusion
In short, to configure SSL/TLS in Nagios Log Server we need to follow a series of steps. Today, we saw how our Support Engineers perform this.