I can login to Nagios but not to Thruk


(Giorgio Zarrelli) #1

Nagios: Nagios® Core™ Version 4.3.4
Thruk: Version 2.20-2
OS: Debian 9.4

Something strange with the authentication. I tried and created a new user but I could not login into Thruk. Checked into Nagios and I could login with no problems.

Then, I logged out from Thruk from my thrukadmin user and tried to login and I could not. So, until I was logged in as thrukadmin, the user worked, once I logged out I could not login again. Neither with new users. But I can login to Nagios with all the users I created.

In Nagios I use AuthUserFile /etc/thruk/htpasswd

This is the thruk.conf in conf-enable for apache2:

cat thruk.conf

<IfModule mod_fcgid.c>
  AddHandler fcgid-script .sh
  IPCCommTimeout 120

  # uncomment these lines to increase the default timeout
  #FcgidCmdOptions /usr/share/thruk/fcgid_env.sh \
  #  IOTimeout 120

  <Directory /usr/share/thruk>
    Options FollowSymLinks
    AllowOverride All
    # apache 2.2
    <IfModule !mod_authz_core.c>
      order allow,deny
      allow from all
    </IfModule>
    # apache 2.4
    <IfModule mod_authz_core.c>
      Require all granted
    </IfModule>
    # apache 2.4 with compat module
    <IfModule mod_access_compat.c>
      order allow,deny
      allow from all
    </IfModule>
  </Directory>
  <Directory /etc/thruk/themes>
    Options FollowSymLinks
    # apache 2.2
    <IfModule !mod_authz_core.c>
      allow from all
    </IfModule>
    # apache 2.4
    <IfModule mod_authz_core.c>
      Require all granted
    </IfModule>
    # apache 2.4 with compat module
    <IfModule mod_access_compat.c>
      order allow,deny
      allow from all
    </IfModule>
  </Directory>
  <Directory /etc/thruk/plugins>
    Options FollowSymLinks
    # apache 2.2
    <IfModule !mod_authz_core.c>
      allow from all
    </IfModule>
    # apache 2.4
    <IfModule mod_authz_core.c>
      Require all granted
    </IfModule>
    # apache 2.4 with compat module
    <IfModule mod_access_compat.c>
      order allow,deny
      allow from all
    </IfModule>
  </Directory>

  Alias /thruk/documentation.html /usr/share/thruk/root/thruk/documentation.html
  Alias /thruk/startup.html /usr/share/thruk/root/thruk/startup.html
  AliasMatch ^/thruk/(.*\.cgi|.*\.html)  /usr/share/thruk/fcgid_env.sh/thruk/$1
  AliasMatch ^/thruk/plugins/(.*?)/(.*)$  /etc/thruk/plugins/plugins-enabled/$1/root/$2
  Alias /thruk/themes/  /etc/thruk/themes/themes-enabled/
  Alias /thruk /usr/share/thruk/root/thruk

  <Location /thruk/>
    Options ExecCGI FollowSymLinks
    AuthName "Thruk Monitoring"
    AuthType Basic
    AuthUserFile /etc/thruk/htpasswd
    Require valid-user
  </Location>
  <Location /thruk/cgi-bin/remote.cgi>
    # apache 2.2
    <IfModule !mod_authz_core.c>
      Order Deny,Allow
      Allow from all
      Satisfy any
    </IfModule>
    # apache 2.4
    <IfModule mod_authz_core.c>
      Require all granted
    </IfModule>
    # apache 2.4 with compat module
    <IfModule mod_access_compat.c>
      Order Deny,Allow
      Allow from all
      Satisfy any
    </IfModule>
  </Location>
</IfModule>

# use compressed output if available
<IfModule mod_deflate.c>
  <Location /thruk/>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
  </Location>
</IfModule>

Any ideas?


#2

Are there any hints in the Apache logs?

BTW: Please format your code to enhance readability using the buttons shown at the top of your posting, or take a look at the FAQ.


(Giorgio Zarrelli) #3

Thank you Wolfgang for your reply and sorry for the readability of the code. I modified the format and now it should be better.

Here is what I see for a legit login which fails (just obfuscated some sensitive infos):

cat thruk.log

[2018/05/24 07:55:53][CSO-Script-Server-Belfast][INFO][Thruk] login failed for readonly on /thruk/ from yyy.yyy.yyy.yyy

cat error.log 

[Thu May 24 06:25:03.457204 2018] [mpm_prefork:notice] [pid 4163] AH00163: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.2l mod_wsgi/4.5.11 Python/2.7 configured -- resuming normal operations
[Thu May 24 06:25:03.457426 2018] [core:notice] [pid 4163] AH00094: Command line: '/usr/sbin/apache2'

cat access.log

yyy.yyy.yyy.yyy - - [24/May/2018:07:54:39 +0000] "GET /thruk HTTP/1.1" 302 545 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:39 +0000] "GET /thruk/ HTTP/1.1" 302 592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:39 +0000] "GET /thruk/cgi-bin/login.cgi?thruk/ HTTP/1.1" 302 594 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:40 +0000] "GET /thruk/cgi-bin/login.cgi?thruk/ HTTP/1.1" 200 4739 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:41 +0000] "GET /thruk/themes/Thruk2/stylesheets/all_in_one-2.20-2.css HTTP/1.1" 200 10917 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:41 +0000] "GET /thruk/javascript/cal/jscal2.css HTTP/1.1" 200 1924 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:41 +0000] "GET /thruk/javascript/all_in_one-2.20-2.js HTTP/1.1" 200 88038 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:42 +0000] "GET /thruk/themes/Thruk2/images/logo_thruk.png HTTP/1.1" 200 7784 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:42 +0000] "GET /thruk/themes/Thruk2/images/logo_thruk_mid.png HTTP/1.1" 200 4508 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:42 +0000] "GET /thruk/themes/Thruk2/images/github.png HTTP/1.1" 200 5459 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:42 +0000] "GET /thruk/themes/Thruk2/fonts/roboto-v15-latin-700.woff2 HTTP/1.1" 200 15039 "https://xxx.xxx.xxx.xxx/thruk/themes/Thruk2/stylesheets/all_in_one-2.20-2.css" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:54:42 +0000] "GET /thruk/themes/Thruk2/fonts/roboto-v15-latin-regular.woff2 HTTP/1.1" 200 14918 "https://xxx.xxx.xxx.xxx/thruk/themes/Thruk2/stylesheets/all_in_one-2.20-2.css" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
127.0.0.1 - - [24/May/2018:07:55:53 +0000] "POST /thruk/cgi-bin/restricted.cgi HTTP/1.1" 401 689 "-" "thruk_auth"
127.0.0.1 - - [24/May/2018:07:55:53 +0000] "POST /thruk/cgi-bin/restricted.cgi HTTP/1.1" 401 689 "-" "thruk_auth"
127.0.0.1 - readonly [24/May/2018:07:55:53 +0000] "POST /thruk/cgi-bin/restricted.cgi HTTP/1.1" 302 539 "-" "thruk_auth"
yyy.yyy.yyy.yyy - - [24/May/2018:07:55:53 +0000] "POST /thruk/cgi-bin/login.cgi HTTP/1.1" 302 666 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:55:53 +0000] "GET /thruk/cgi-bin/login.cgi?/thruk/ HTTP/1.1" 200 3644 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:55:53 +0000] "GET /thruk/themes/Thruk2/stylesheets/all_in_one-2.20-2.css HTTP/1.1" 200 10917 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?/thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:55:53 +0000] "GET /thruk/javascript/cal/jscal2.css HTTP/1.1" 200 1924 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?/thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:55:54 +0000] "GET /thruk/themes/Thruk2/images/error.png HTTP/1.1" 200 848 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?/thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
yyy.yyy.yyy.yyy - - [24/May/2018:07:55:54 +0000] "GET /thruk/themes/Thruk2/images/icon_close.gif HTTP/1.1" 200 402 "https://xxx.xxx.xxx.xxx/thruk/cgi-bin/login.cgi?/thruk/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"

#4

The string “readonly” in the log files looks odd. Please check the permissions / group memberships of the newly added user and try to adjust them according to the thrukadmin user. Both GUIs access different directories on the file system so permissions might be the source of the problem.


(Giorgio Zarrelli) #5

Sorry, I did not realize that “readonly” could look deceiving. It is the name of the user (which is only allowed to view), I used to try and login. The same happens with each and all users. The readonly user has the permission to read all the infos, thrukadmin, obviously, all the permissions, but it fails for both.

I am not sure it could be a file system issue. Before logging out from thrukadmin, I could administer everything, seems more like Truk cannot “sense” that the user has been authenticated by Apache.

Is it correct to say that Thruk relies on Apache basic auth to authenticate users?


(Sven Nierlein) #6

Yes, thats correct. Apache does the authentication and Thruk does the authorization.


(Giorgio Zarrelli) #7

@sni Looks like the issue is caused by this redirect in 000-default.conf:

<Location /thruk>
#redirect all http traffic to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

With this in place I can login to Nagios but not in Thruk. If I comment it out I can login in both. This is a Debian Stretch with packages from your repository.


(Sven Nierlein) #8

Please have a look at https://thruk.org/documentation/faq.html#enable-https-tls-ssl-in-apache-webserver-for-thruk
You need to change the cookie auth url as well as adding an include the ssl vhost when changing to ssl.


(Giorgio Zarrelli) #9

@sni So, I tested a bit. I added the:

cookie_auth_restricted_url: — cookie_auth_restricted_url = https://localhost/thruk/cgi-bin/restricted.cgi

in thruk_local.conf and now if I call the https url directly I can login but if I call the http and gets rewritten I cannot login. Wonder why…could it be my rewriterule?


(Sven Nierlein) #10

in case you use https, you should redirect http traffic to https, not just rewrite it internally in the apache.