The Basic AuthType is used for both the authentication and the authorization process.
This is the most common way of doing it.
The credentials are stored in a file, with the passwords hashed.
The command to create or update this credential file is htpasswd.
htpasswd -c /PATH/.htpasswd USER1
htpasswd /PATH/.htpasswd USER2
htpasswd /PATH/.htpasswd USER2
The -c option should be used if the password file does not exist yet (it overwrites an existing file).
You will be prompted for the password of each username you create.
To use it, define it in your host configuration:
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /PATH/.htpasswd
Require valid-user
It can be defined globally in httpd.conf, directly in a VirtualHost, or in a <Directory> or <Location> context.
The “Require valid-user” directive handles authentication/authorization: the user is authenticated and authorized if the entered password matches the expected one.
The username is stored in the REMOTE_USER system variable.
Reverse Proxy Example with file mapping
This example is an implementation of create_apache_remote_user_from_header
- Front-end virtualhost is used to authenticate/authorize users
- Backend virtualhost serves the Nagios Core web interface. It does not handle authentication/authorization but expects the REMOTE_USER system variable.
- The authentication is made on the front-end virtualhost
- The authorization is made further in the virtual host thanks to a mapping file which binds a username on the front-end to a username on the backend
The backend configuration from create_apache_remote_user_from_header can be used.
┌─────────────────────┐
│ User │
└─────────▲───────────┘
│
│ HTTP Request
▼
┌─────────────────────────────────┐
│ Front-End │
│ (Reverse Proxy, Auth Gateway) │
└──────────────▲──────────────────┘
│
│ 1. Forward Request
│ + user mapping thanks to mapping file (REMOTE_USER -> NAGIOS_USER)
│ + Add Custom Header (NAGIOS_USER -> X-NAGIOS-USER)
▼
┌─────────────────────────────────┐
│ Header Added: │
│ X-NAGIOS-USER: nagiosdba │
└──────────────▲──────────────────┘
│
│ Secure Internal Forwarding
▼
┌─────────────────────────────────┐
│ Back-End │
└──────────────▲──────────────────┘
│
│ 2. Read Header
│ → Set Environment Variable:
│ X-NAGIOS-USER → REMOTE_USER = nagiosdba
▼
┌─────────────────────────────────┐
│ Application uses │
│ REMOTE_USER as trusted │
│ authenticated identity │
└─────────────────────────────────┘
The complete front-end configuration.
<VirtualHost *:80>
ServerName nagios-tri
ServerAlias nagios-tri.DOMAIN.TLD
# Redirect all HTTP traffic to HTTPS
Redirect 301 / https://nagios-tri.DOMAIN.TLD/
CustomLog logs/nagios-tri-redirect.log http
</VirtualHost>
<VirtualHost *:443>
ServerName nagios-tri
ServerAlias nagios-tri.DOMAIN.TLD
# ------------------------------
# Logs
# ------------------------------
ErrorLog logs/nagios-tri-error.log
CustomLog logs/nagios-tri-access.log tls
# ------------------------------
# Enable SSL
# ------------------------------
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/nagios.DOMAIN.TLD.crt
SSLCertificateKeyFile /etc/pki/tls/private/nagios.DOMAIN.TLD.key
# ------------------------------
# Maps SSO username to Nagios role
# ------------------------------
RewriteMap usermap txt:/etc/httpd/conf/user_map.txt
# ------------------------------
# Authentication via SSO (Basic Auth example)
# ------------------------------
<Location />
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwdtestTRI
Require valid-user
# ------------------------------
# Map authenticated user to Nagios role
# This creates an environment variable NAGIOS_USER
# ------------------------------
RewriteEngine On
RewriteCond %{REMOTE_USER} (.+)
RewriteRule ^ - [E=NAGIOS_USER:${usermap:%1}]
# ------------------------------
# Pass headers to backend
# X-NAGIOS-USER = mapped Nagios role
# X-REAL-USER = original SSO user for audit/log
# ------------------------------
RequestHeader set X-NAGIOS-USER "%{NAGIOS_USER}e"
RequestHeader set X-REAL-USER "%{REMOTE_USER}s"
</Location>
# ------------------------------
# Reverse Proxy to Nagios backend
# ------------------------------
SSLProxyEngine On
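# Backend certificate and name checks are disabled here;
# the backend is only reached over loopback (127.0.0.1)
SSLProxyVerify none
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off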
ProxyPreserveHost On
ProxyPass /nagios https://127.0.0.1:8443/nagios
ProxyPassReverse /nagios https://127.0.0.1:8443/nagios
# Redirect root "/" only
RedirectMatch ^/$ /nagios/
</VirtualHost>
Front-end virtualhost explanations
Two external files are used:
- /etc/nagios/passwdtestTRI (credential file created with htpasswd)
- /etc/httpd/conf/user_map.txt (mapping file)
/etc/nagios/passwdtestTRI
AdminUSER:$apr1$ecEe8v5F$V0rqKBFHk4t/MN2NoiiLb1
DBAUSER:$apr1$aeFMUyBl$X./oIHqFxty2KgrYEN9TP1
USER:$apr1$M5fbvvMa$qvXv/ZAnKejqOQSf3LZhC/
Three users: AdminUSER (password is “AdminUSER”), DBAUSER (password is “DBAUSER”), USER (password is “USER”). Each password is stored as an apr1 hash.
/etc/httpd/conf/user_map.txt
AdminUSER nagiosadmin
DBAUSER nagiosdba
USER helpdesk
Map the 3 users to 3 different Nagios users (AdminUSER → nagiosadmin, DBAUSER → nagiosdba, USER → helpdesk)
The key changes are:
RewriteEngine On
RewriteCond %{REMOTE_USER} (.+)
RewriteRule ^ - [E=NAGIOS_USER:${usermap:%1}]
...
RequestHeader set X-NAGIOS-USER "%{NAGIOS_USER}e"
If the REMOTE_USER system variable is defined (and it should be, because authentication has already taken place), Apache defines NAGIOS_USER by looking the username up in the mapping file. A username with no entry in the mapping file yields an empty NAGIOS_USER, because the lookup has no default value.
Apache then sets the X-NAGIOS-USER header from the NAGIOS_USER variable. This X-NAGIOS-USER header will be used by the backend virtualhost.
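The following check is an added example, not part of the original configuration: it compares the credential file with the mapping file and reports users who would be forwarded with an empty X-NAGIOS-USER. The function names, the sample data (NEWUSER, OLDUSER, placeholder hashes) and the first-key-wins handling of duplicate map lines are assumptions of this example.

```python
def parse_htpasswd_users(text):
    """Usernames are the part before the first ':' on each line."""
    return [ln.split(":", 1)[0] for ln in text.splitlines() if ":" in ln]

def parse_txt_map(text):
    """Parse 'key value' lines; '#' lines are comments.
    Assumption: on duplicate keys the first line is the one Apache uses."""
    mapping, duplicates = {}, []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key, value = fields[0], fields[1]
        if key in mapping:
            duplicates.append(key)
        mapping.setdefault(key, value)
    return mapping, duplicates

def forwarded_header(user, mapping):
    """Value X-NAGIOS-USER would carry; ${usermap:key} is empty when no key matches."""
    return mapping.get(user, "")

def audit(htpasswd_text, map_text):
    users = parse_htpasswd_users(htpasswd_text)
    mapping, duplicates = parse_txt_map(map_text)
    return {
        "unmapped": [u for u in users if not forwarded_header(u, mapping)],
        "orphan_map_keys": [k for k in mapping if k not in users],
        "duplicate_map_keys": duplicates,
    }

# Constructed sample data: the page's three users plus NEWUSER (no mapping),
# OLDUSER (mapping but no credential) and a second, conflicting DBAUSER line.
SAMPLE_HTPASSWD = """\
AdminUSER:$apr1$constructed$placeholder
DBAUSER:$apr1$constructed$placeholder
USER:$apr1$constructed$placeholder
NEWUSER:$apr1$constructed$placeholder
"""
SAMPLE_MAP = """\
# front-end user   Nagios user
AdminUSER nagiosadmin
DBAUSER nagiosdba
USER helpdesk
OLDUSER nagiosadmin
DBAUSER nagiosadmin
"""
if __name__ == "__main__":
    for finding, names in audit(SAMPLE_HTPASSWD, SAMPLE_MAP).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run it against the real files after every htpasswd or map change; any name under "unmapped" can authenticate on the front-end but reaches the backend without a Nagios identity.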
