To Ensure security between the end user's web browser and Nagios Log Server requires to configure SSL/TLS in Nagios Log Server.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Nagios queries.

In this context, we shall look into how to set up Nagios Log Server to use SSL/TLS to provide encrypted connections to the Nagios Log Server

Configure SSL/TLS in Nagios Log Server

To implement SSL, we need to generate a certificate. When we generate a certificate, we create a request that needs to be signed by a Certificate Authority (CA).

Configuring SSL/TLS in the Nagios Log server involves a series of steps. Those include:

• Installing Necessary Components.
• Generate Private Key File.
• Generate Certificate Request File.
• Sign Certificate Request.
• Update Apache Configuration.

Let us look into these steps one by one.

1. Installing Necessary Components

The initial step that our Support Engineers follow is to install OpenSSL. First, establish a terminal session to Nagios Log Server as root and execute the following command:

RHEL|CentOS

# yum install -y mod_ssl openssl

Debian|Ubuntu

# apt-get install -y openssl

The steps to install SSL needs to be performed from the  /usr/local/nagioslogserver/var/certs/ directory. 

Execute the following commands to create the directory (if it does not exist) and then change into it:

# mkdir -p /usr/local/nagioslogserver/var/certs
# cd /usr/local/nagioslogserver/var/certs/

2. Generate Private Key File

The first step is to generate the private key file, execute the following command:

# openssl genrsa -out nagioslogserver.key 2048

That would have generated some random text.

3. Generate Certificate Request File

Next, we will generate the certificate request file by executing the following command:

# openssl req -new -key nagioslogserver.key -out nagioslogserver.csr

This will ask to enter some values as shown below. 

The common name should match the domain name that we use to access the Nagios Log Server in our web browsers. 

This is particularly important, if these do not match, then we will get warnings in our web browser.

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

4. Sign Certificate Request

At this point, we have created a certificate request that needs to be signed by a CA.

If we are going to use a trusted company like VeriSign to provide us with a certificate, we will need to send them a copy of the certificate request. This can be viewed by executing the following command:

# cat nagioslogserver.csr

We will get a lot of random text, this is what we will need to provide to a trusted CA. We must provide the CA with everything including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines.

Once they send us the signed certificate, we will need to copy the certificate into a new file called nagioslogserver.crt. The certificate we receive will also be a lot of random text, so we can just paste that text into the new file which we can open with the vi editor:

# vi nagioslogserver.crt

We must paste everything including the —–BEGIN CERTIFICATE —– and —–END CERTIFICATE —– lines when pasting them into the file.

Save the file and close the file.

5. Self Signing The Certificate

We can also self-sign the certificate by executing the following command:

openssl x509 -req -days 365 -in nagioslogserver.csr -signkey nagioslogserver.key -out nagioslogserver.crt

This should produce output saying the Signature was OK and it was Getting Private Key.

When we self-sign a certificate, we will get warnings in our web browser.

6. Set Permissions

We need to set permissions on the files. For it, execute the following commands:

# chmod go-rwx nagioslogserver.*

7. Update Apache Configuration

Now we need to update the Apache webserver configuration with the certificate. The configuration file for this differs depending on the operating system (OS).

Open the SSL configuration file in a text editor by executing the following command:

RHEL|CentOS

# vi /etc/httpd/conf.d/ssl.conf

Debian|Ubuntu

# vi /etc/apache2/sites-available/default-ssl.conf

Find these lines and update them as follows:

SSLCertificateFile /usr/local/nagioslogserver/var/certs/nagioslogserver.crt
SSLCertificateKeyFile /usr/local/nagioslogserver/var/certs/nagioslogserver.key

In that same file, navigate to the end and before the line </VirtualHost>, add the following lines:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond $1 !^(index\.php|scripts|media|app|js|css|img|font|vendor|config.js)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagioslogserver/(.*)$ /var/www/html/nagioslogserver/www/index.php/$1 [L,QSA]
</IfModule>

Save the changes and close the file.

We have to update the Apache webserver config file to force SSL to be used.

The configuration file for this differs depending on the OS.
Open the SSL file in any text editor by executing the following command:

RHEL|CentOS

# vi /etc/httpd/conf.d/nagioslogserver.conf

Debian|Ubuntu

# vi /etc/apache2/sites-available/nagioslogserver.conf

Add the following lines to the end of the file:

RewriteEngine on
RewriteCond $1 !^(index\.php|scripts|media|app|js|css|img|font|vendor|config.js)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagioslogserver/(.*)$ /var/www/html/nagioslogserver/www/index.php/$1 [L,QSA]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

It is most likely that we only need to add the two lines in bold above, the end result is that all the lines need to exist.

Save the changes and close the file.

How to Restart Apache ?

We need to restart the Apache for the new certificate key to be used.

RHEL 7+|CentOS 7+|CentOS Stream

# systemctl restart httpd.service

Debian|Ubuntu 16/18/20

# a2ensite default-ssl
# a2enmod ssl
# systemctl restart apache2.service

Firewall Rules

If we cannot access the Nagios Log Server while testing the certificate, then it is likely that we will need to run these commands:

RHEL 7+|CentOS 7+|CentOS Stream

# firewall-cmd --zone=public --add-port=443/tcp
# firewall-cmd --zone=public --add-port=443/tcp --permanent

Debian

The local firewall is not enabled on Debian by default and no steps are required here. If it is enabled, then the commands are:

# iptables -I INPUT -p tcp --destination-port 443 -j ACCEPT

Ubuntu

The local firewall is not enabled on Ubuntu by default and no steps are required here. If it is enabled, then the commands are:

# sudo ufw allow https
# sudo ufw reload

Update Settings to Configure SSL/TLS in Nagios Log Server

The Nagios Log Server GUI settings also need updating. Open up the Nagios Log Server interface to https://yourservername/nagioslogserver/ and navigate to Admin > General > Global Settings.

Change the Interface URL to https instead of the default http and click the Save Settings button.

It is very important that the IP Address/DNS name is the same here as it was typed in the certificate key “common name”.

We are now set to use https with our Nagios Log Server web interface.

With this configuration, if a user types http://logserver in their web browser, it will redirect them to https://logserver which can cause certificate warnings in certain scenarios. If we want to redirect them to https://logserver.yourdomain.com, then we simply need to change the RewriteRule in the /etc/httpd/conf/httpd.conf file:

RewriteRule (.*) https://logserver.yourdomain.com%{REQUEST_URI}

Then restart the httpd service.

[Need any further assistance to configure SSL / TLS in Nagios Log Server? – We're available 24*7. ]