Implement x509 authentication for Cacti

amdrescher
Posts: 1
Joined: Mon Oct 28, 2013 10:20 am

Post by amdrescher »

Using Apache's HTTP Server you may authenticate using x509 client certificates. Two things have to be done. First, activate SSL in the HTTP server:

---cut from virtual host config---

<VirtualHost [YOUR_VITUAL_HOST]:443>
ServerName nagios.example.domain

SSLEngine On
SSLOptions +StdEnvVars +ExportCertData

# This 'RequestHeader set SSL_CLIENT_S_DN' is an option, as I run Cacti behind an SSL reverse proxy. So this is
# the way to get the user's certificate attributes to the HTTP server in the back. Running Cacti on an SSL server
# *should* run without it because of the 'StdEnvVars' directive.
RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
# You could even relay the whole certificate.
RequestHeader set SSL_CLIENT_S_DN_x509 %{SSL_CLIENT_S_DN_x509}e
DocumentRoot /var/www/html
ServerSignature Off

LogLevel warn
ErrorLog "|/usr/sbin/rotatelogs -f /var/log/httpd/nagios.csc-fra.vw.de_443-%Y%m%d_error.log 86400"
CustomLog "|/usr/sbin/rotatelogs -f /var/log/httpd/nagios.csc-fra.vw.de_443-%Y%m%d.log 86400" combined_CN

# Set server certificate and key
SSLCertificateFile /etc/httpd/ssl/certs/cacti-cert.pem
SSLCertificateKeyFile /etc/httpd/ssl/keys/cacti-key.pem

# You need this CA bundle for authenticating the client certificates. This means, in the first place,
# that you trust all contained CAs: a certificate signed by one of them is taken to belong to the person it claims to be.
SSLCACertificateFile /etc/httpd/ssl/ca/CA_Bundle.pem

# It's an idea to track your CAs' revocation lists, but it's only an option.
# SSLCARevocationPath /etc/httpd/ssl/crl/

# These directives make sure that only users with a certificate from a trusted CA get in here in the first place.
# This is not authentication itself.
SSLVerifyClient require
SSLVerifyDepth 10

# Cacti stuff...

Alias /cacti /usr/share/cacti
<Directory /usr/share/cacti/>
Options +FollowSymLinks
Order allow,deny
Allow from all
AddType application/x-httpd-php .php
DirectoryIndex index.php
</Directory>

<Directory /usr/share/cacti/install>
# mod_security overrides.
# Uncomment these if you use mod_security.
# allow POST of application/x-www-form-urlencoded during install
#SecRuleRemoveById 960010
# permit the specification of the rrdtool paths during install
#SecRuleRemoveById 900011
</Directory>

<Directory /usr/share/cacti/log>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
<Directory /usr/share/cacti/rra>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>

[...]

</VirtualHost>
---cut from virtual host config---

Have a look at the attached patch. With this, you can set 'Authentication Method' to 'Web Basic' and treat the certificate's CN as a logon name.
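An added example, not part of this post or the attached patch: PHP that derives the logon name from the certificate subject the way the 'Web Basic' mapping needs, with one caveat the reverse-proxy setup above creates: the relayed SSL_CLIENT_S_DN header reaches PHP as an ordinary request header (HTTP_SSL_CLIENT_S_DN), which any client can send, so it is accepted only from listed proxy addresses. The proxy address 10.0.0.5 and the login-name pattern are assumptions for illustration.

```php
<?php
// Parse an Apache SSL_CLIENT_S_DN value and return its single CN, or null.
// Both mod_ssl string formats are handled: the RFC 2253 form
// "CN=alice,O=Example,C=DE" and the legacy form "/C=DE/O=Example/CN=alice".
function cn_from_subject_dn(string $dn): ?string
{
    $dn = trim($dn);
    if ($dn === '') {
        return null;
    }
    if ($dn[0] === '/') {
        $parts = explode('/', substr($dn, 1));          // legacy: '/'-separated
    } else {
        $parts = preg_split('/(?<!\\\\),/', $dn);        // RFC 2253: unescaped ','
    }
    $cns = [];
    foreach ($parts as $part) {
        $kv = explode('=', $part, 2);
        if (count($kv) === 2 && strcasecmp(trim($kv[0]), 'CN') === 0) {
            // Drop RFC 2253 backslash escapes ("Doe\, John" -> "Doe, John").
            $cns[] = preg_replace('/\\\\(.)/', '$1', trim($kv[1]));
        }
    }
    // Exactly one CN is required; an empty or ambiguous subject is refused.
    return (count($cns) === 1 && $cns[0] !== '') ? $cns[0] : null;
}

// Return the logon name for a request, or null if none can be trusted.
// 1. SSL_CLIENT_S_DN set by mod_ssl itself (StdEnvVars): verified locally, trusted.
// 2. HTTP_SSL_CLIENT_S_DN relayed by the proxy's RequestHeader: trusted only when
//    REMOTE_ADDR is one of the configured proxy addresses.
function login_name_from_request(array $server, array $trusted_proxies): ?string
{
    if (!empty($server['SSL_CLIENT_S_DN'])) {
        $dn = $server['SSL_CLIENT_S_DN'];
    } elseif (!empty($server['HTTP_SSL_CLIENT_S_DN'])
              && in_array($server['REMOTE_ADDR'] ?? '', $trusted_proxies, true)) {
        $dn = $server['HTTP_SSL_CLIENT_S_DN'];
    } else {
        return null;
    }
    $cn = cn_from_subject_dn($dn);
    // Assumed login-name pattern: keep odd subject characters away from the user lookup.
    return ($cn !== null && preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $cn)) ? $cn : null;
}

// Constructed sample requests; 10.0.0.5 is the hypothetical reverse proxy.
$proxies = ['10.0.0.5'];
var_dump(login_name_from_request(['SSL_CLIENT_S_DN' => '/C=DE/O=Example/CN=alice'], $proxies));
var_dump(login_name_from_request(['HTTP_SSL_CLIENT_S_DN' => 'CN=bob,O=Example', 'REMOTE_ADDR' => '10.0.0.5'], $proxies));
// Same header, but sent directly by a client that is not the proxy.
var_dump(login_name_from_request(['HTTP_SSL_CLIENT_S_DN' => 'CN=bob,O=Example', 'REMOTE_ADDR' => '203.0.113.7'], $proxies));
```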
Attachments
auth_login.patch
(1.25 KiB) Downloaded 301 times