Using Apaches HTTP-Server you may authenticate using x509 client certificates. Two things have to be done. First is, acitvate SSL in the HTTP-Server:
---cut from vitual host config---
<VirtualHost [YOUR_VITUAL_HOST]:443>
ServerName nagios.example.doman
SSLEngine On
SSLOptions +StdEnvVars +ExportCertData
# This 'RequestHeader set SSL_CLIENT_S_DN' is an option as I run Cati behind a SSL reverse proxy. So this is
# the way to get the userser certificate attributes to the HTTP server in the back. Running Cacti on a SSL server
# *should* run without it becaus of the 'StdEnvVar' directive.
RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
# You could even relay the whole certificate.
RequestHeader set SSL_CLIENT_S_DN_x509 %{SSL_CLIENT_S_DN_x509}e
DocumentRoot /var/www/html
ServerSignature Off
LogLevel warn
ErrorLog "|/usr/sbin/rotatelogs -f /var/log/httpd/nagios.csc-fra.vw.de_443-%Y%m%d_error.log 86400"
CustomLog "|/usr/sbin/rotatelogs -f /var/log/httpd/nagios.csc-fra.vw.de_443-%Y%m%d.log 86400" combined_CN
# Set server certificate and key
SSLCertificateFile /etc/httpd/ssl/certs/cacti-cert.pem
SSLCertificateKeyFile /etc/httpd/ssl/keys/cacti-key.pem
# You need this CA for authenticating the client certificates. This means in the first place,
# you trust all contaned CAs that a certificate signed by them belongs to the person it claims to be.
SSLCACertificateFile /etc/httpd/ssl/ca/CA_Bundle.pem
# I'ts a idea to track your CAs revocation lists, butr it's only an option.
# SSLCARevocationPath /etc/httpd/ssl/crl/
# This directives make sure, that only users with a certificate of a trusted CA will come in here at the first.
# This is not authentication it self.
SSLVerifyClient require
SSLVerifyDepth 10
# Cacti stuff...
Alias /cacti /usr/share/cacti
<Directory /usr/share/cacti/>
Options +FollowSymLinks
Order allow,deny
Allow from all
AddType application/x-httpd-php .php
DirectoryIndex index.php
</Directory>
<Directory /usr/share/cacti/install>
# mod_security overrides.
# Uncomment these if you use mod_security.
# allow POST of application/x-www-form-urlencoded during install
#SecRuleRemoveById 960010
# permit the specification of the rrdtool paths during install
#SecRuleRemoveById 900011
</Directory>
<Directory /usr/share/cacti/log>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
<Directory /usr/share/cacti/rra>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
[...]
</VirtualHost>
---cut from vitual host config---
Have a look at the attached patch. With this, you can set 'Authentication Method' to 'Web Basic' and treat the certificates CN as a logon name.
Implement x509 authentication for Cacti
Moderators: Developers, Moderators
-
- Posts: 1
- Joined: Mon Oct 28, 2013 10:20 am
Implement x509 authentication for Cacti
- Attachments
-
- auth_login.patch
- (1.25 KiB) Downloaded 301 times
Who is online
Users browsing this forum: No registered users and 2 guests