From 1caf08622309ac86361e8967e4ee68c377f3f280 Mon Sep 17 00:00:00 2001
From: Alex Dehnert <alex@dehnerts.com>
Date: Sun, 9 Jul 2023 05:03:42 +0000
Subject: [PATCH] nagios4: Update Apache config

---
 apache2.conf | 103 ++++++++++++++++++++++-----------------------------
 cgi.cfg      |   3 +-
 2 files changed, 47 insertions(+), 59 deletions(-)

diff --git a/apache2.conf b/apache2.conf
index f0f8b2f..43488c2 100644
--- a/apache2.conf
+++ b/apache2.conf
@@ -1,67 +1,54 @@
-# apache configuration for nagios 3.x
-# note to users of nagios 1.x and 2.x:
-#	throughout this file are commented out sections which preserve
-#	backwards compatibility with bookmarks/config for older nagios versios.
-#	simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
+# apache configuration for nagios 4.x
 
-ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
-ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
-# nagios 1.x:
-#ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3
-#ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3
-# nagios 2.x: 
-#ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3
-#ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
 
 # Where the stylesheets (config files) reside
-Alias /nagios3/stylesheets /etc/nagios3/stylesheets
-# nagios 1.x:
-#Alias /nagios/stylesheets /etc/nagios3/stylesheets
-# nagios 2.x:
-#Alias /nagios2/stylesheets /etc/nagios3/stylesheets
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
 
 # Where the HTML pages live
-Alias /nagios3 /usr/share/nagios3/htdocs
-# nagios 2.x: 
-#Alias /nagios2 /usr/share/nagios3/htdocs
-# nagios 1.x:
-#Alias /nagios /usr/share/nagios3/htdocs
-
-<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
-	Options FollowSymLinks
-
-	DirectoryIndex index.php index.html
-
-	AllowOverride AuthConfig
-
-
-    <IfVersion < 2.3>
-        Order Allow,Deny
-        Allow From All
-    </IfVersion>
-
-    <IfVersion >= 2.3>
-        Require all denied
-    </IfVersion>
-
-	AuthName "Nagios Access"
-	AuthType Basic
-	AuthUserFile /etc/nagios3/htpasswd.users
-	# nagios 1.x:
-	#AuthUserFile /etc/nagios/htpasswd.users
-	require valid-user
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+    Options FollowSymLinks
+    DirectoryIndex index.php index.html
+    AllowOverride AuthConfig
+    #
+    # The default Debian nagios4 install sets use_authentication=0 in
+    # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+    # This is insecure.  As a compromise this default apache2 configuration
+    # only allows private IP addresses access.
+    #
+    # The <Files>...</Files> below shows how you can secure the nagios4
+    # web site so anybody can view it, but only authenticated users can issue
+    # commands (such as silence notifications).  To do that replace the
+    # "Require all granted" with "Require valid-user", and use htdigest
+    # program from the apache2-utils package to add users to
+    # /etc/nagios4/htdigest.users.
+    #
+    # A step up is to insist all users validate themselves by moving
+    # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
+    # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+    # can configure which people get to see a particular service from
+    # within the nagios configuration.
+    # 
+    Require ip	::1/128 fc00::/7 fe80::/10 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16
+    <Files "cmd.cgi">
+	AuthDigestDomain "Nagios4"
+	AuthDigestProvider file
+	AuthUserFile	"/etc/nagios4/htdigest.users"
+	AuthGroupFile	"/etc/group"
+	AuthName	"Nagios4"
+	AuthType	Digest
+	Require all	granted
+	#Require	valid-user
+    </Files>
 </DirectoryMatch>
 
-<Directory /usr/share/nagios3/htdocs>
-	Options	+ExecCGI	
+<Directory /usr/share/nagios4/htdocs>
+    Options	+ExecCGI	
 </Directory>
 
-# Enable this ScriptAlias if you want to enable the grouplist patch.
-# See http://apan.sourceforge.net/download.html for more info
-# It allows you to see a clickable list of all hostgroups in the
-# left pane of the Nagios web interface
-# XXX This is not tested for nagios 2.x use at your own peril
-#ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
-# nagios 1.x:
-#ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
-
+<Directory /usr/lib/cgi-bin/nagios4/>
+    Options	+ExecCGI	
+</Directory>
diff --git a/cgi.cfg b/cgi.cfg
index cd540b5..99b7672 100644
--- a/cgi.cfg
+++ b/cgi.cfg
@@ -74,7 +74,8 @@ use_pending_states=1
 # use the authentication functions (the default).
 
 use_authentication=1
-
+# TODO: Use auth again??
+use_authentication=0
 
 
 
-- 
2.34.1