Dashing with Icinga 2 authentication required

Hi all,

I have deployed Dashing with Icinga 2 on my Debian 9. I configured my Raspberry Pi to run Chromium browser with Kiosk mode that shows http://debian9:8005. They are separate hosts. Everything almost works well. However, The bottom two sections are asking username and password. All I can see is Icinga Web 2 login page. Other sections work fine. Are there any people having the same issues? I would appreciate if I could get any help. Cheers.

That’s required as you cannot pass basic auth details via Iframe. Or you’ll configure an entry point to Icinga Web 2 where authentication is disabled for exactly these views.

Thanks Michael,

Are there any ways to input the authentication tokens automatically for that instead of disabling authentication? Also, when you say disabling authentication, do you mean tweaking Apache configuration? Thanks.

Eoin

You can use autologin with external authentication, and let Apache/Nginx handle the rest (set REMOTE_USER to a specified user string, if for example a specific IP addresse range is given, IIRC the Apache setting is called SetEnvIf, use your Google foo). That specified user should get a role with permissions assigned in Icinga Web 2 then too (read only).

https://www.icinga.com/docs/icingaweb2/latest/doc/05-Authentication/#external-authentication

Hi Michael,

Thanks again. Our Icinga Web 2 is using authentication via Active Directory. If I add autologin with external authentication, will it be overwritten? Thanks.

Eoin

Sorry Michael,

If you don’t mind, could you please give me more clues? I set the Apache 2 configuration on Icinga Web 2 host as below and I didn’t get any hopes so far.

<Directory "/usr/share/icingaweb2/public">
Options SymLinksIfOwnerMatch
AllowOverride None

SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

EnableSendfile Off

<If "%{REMOTE_ADDR} -ipmatch '172.16.0.18/32'">
    AuthType Basic
    AuthName "Icinga Web 2"
    AuthUserFile /etc/icingaweb2/.http-users
    Require valid-user
    SetEnv REMOTE_USER=testuser
</If>

htpasswd command has been already issued, the user permission has been modified and confirmed. However, still no luck. Am I missing something? Cheers.

Eoin

Looks sane, although I haven’t implemented this myself, just remembering old topics in here. The apache log should probably give more clues here.

If you are not so concerned about having forced manual username and password entry to the Icinga interface, wouldn’t it be easier to just save your authentication credentials via the Chromium browser rather than edit Apache configs?

1 Like

All sorted now. I am not sure if this is correct or not but it looks like when LDAP authentication is used for Icinga Web 2 authentication, external autologin also should use LDAP authentication not htpasswd. I created a user in Samba AD and created a corresponding role in Icinga Web 2. After that, it started working. All I put in the Apache 2 configuration was this:

<If "%{REMOTE_ADDR} -ipmatch '172.16.0.18/32'">
        SetEnv REMOTE_USER testuser
</If>

Thanks guys.

1 Like

Ok, glad you’ve solved it yourself :slight_smile:

Another option would have been to serve a different “kiosk” instance of Icinga Web 2 which solely has this one user up front, but uses the same installation in the background. Something like /icingaweb2-public served with that htpasswd option (or free to view, but restricted with the REMOTE_USER then in Icinga Web 2).

Such a thing would be a good candidate for the #community:howto category too :slight_smile:

Hi Eoin,

Please, could you share your complete configuration for solve the login issue?
Unfortunately i cloud not implemented your workaround to avoid the ask login on the dashing page :frowning:
Let me know

Best Regards