I've got Nagios running on a server here (CentOS 5.3 w/ Apache 2.2.3-22.el5.centos) authenticating to my LDAP server, and all works well. However, I'd like to have some IP able to see the Nagios status page without authenticating. Nagios has this option to assign a user to someone who doesn't auth:
authorized_for_read_only=guest
default_user_name=guest
Which sounds right, but that doesn't take care of the Apache authentication. My current apache config looks like:
<Directory "/usr/lib64/nagios/cgi">
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/misc/htpasswd.users
Require valid-user
AuthBasicProvider file ldap
AuthzLDAPAuthoritative off
AuthBasicAuthoritative On
AuthLDAPGroupAttribute LDAPmember
AuthLDAPURL (my server stuff)
Require ldap-group CN=nagios,ou=groups,DC=local
</Directory>
That's working, but I'd like some way to say "this IP over here, he can skip that auth stuff". The Apache Satisfy directive looks like it would work, so I tried this:
<Directory "/usr/lib64/nagios/cgi">
AllowOverride None
Order allow,deny
Allow from (IP) <---- changed
Deny from all <---- changed
Satisfy any <---- changed
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/misc/htpasswd.users
Require valid-user
AuthBasicProvider file ldap
AuthzLDAPAuthoritative off
AuthBasicAuthoritative On
AuthLDAPGroupAttribute LDAPmember
AuthLDAPURL (my server stuff)
Require ldap-group CN=nagios,ou=groups,DC=local
</Directory>
But it didn't change the behavior of the site. Thoughts? "Works for me"s? Pointers to appropriate upgrade notes saying that I'd get around this problem if I got around to upgrading my server? :)
---- update w/ answer ----
I took out the file-or-LDAP stuff, and satisfy worked for me. I was probably doing something wrong in there, but whatever, it works now. Here's what my final config looks like:
<Directory "/usr/lib64/nagios/cgi">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from 192.168.42.213
Satisfy any
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthBasicAuthoritative On
AuthLDAPGroupAttribute LDAPmember
AuthLDAPURL (my server stuff)
Require ldap-group CN=nagios,ou=groups,DC=local
</Directory>
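The three configurations above can be compared with a small model of the documented Apache 2.2 `Order`/`Allow`/`Deny` and `Satisfy` rules. This is an added example, not part of the original post and not Apache's own code. It assumes the `(IP)` in the second config is the address shown in the final one, and `192.168.42.50` is a constructed sample client.

```python
import ipaddress

def host_allowed(order, allow, deny, client):
    """Host check as documented for mod_authz_host Order/Allow/Deny (Apache 2.2)."""
    ip = ipaddress.ip_address(client)

    def matches(rules):
        return any(r == "all" or ip in ipaddress.ip_network(r) for r in rules)

    if order == "allow,deny":
        # Deny is evaluated last and wins; no match at all means denied.
        return matches(allow) and not matches(deny)
    if order == "deny,allow":
        # Allow is evaluated last and wins; no match at all means allowed.
        return matches(allow) or not matches(deny)
    raise ValueError("unsupported Order: " + order)

def decide(cfg, client, authenticated):
    """Return 'anonymous', 'authenticated', 'challenge' (401) or 'forbidden' (403).
    `authenticated` means valid credentials that also meet the Require lines."""
    host_ok = host_allowed(cfg["order"], cfg["allow"], cfg["deny"], client)
    user_ok = "authenticated" if authenticated else "challenge"
    if cfg["satisfy"] == "any":
        # Either test is enough; a passing host is never asked to log in.
        return "anonymous" if host_ok else user_ok
    # Satisfy all (the default): both tests must pass.
    return user_ok if host_ok else "forbidden"

TRUSTED = "192.168.42.213"   # address from the final config
OTHER = "192.168.42.50"      # constructed sample client

ORIGINAL = {"order": "allow,deny", "allow": ["all"], "deny": [], "satisfy": "all"}
ATTEMPT = {"order": "allow,deny", "allow": [TRUSTED], "deny": ["all"], "satisfy": "any"}
FINAL = {"order": "allow,deny", "allow": [TRUSTED], "deny": [], "satisfy": "any"}

def report():
    rows = []
    for name, cfg in (("original", ORIGINAL), ("attempt", ATTEMPT), ("final", FINAL)):
        for client in (TRUSTED, OTHER):
            rows.append((name, client, decide(cfg, client, authenticated=False)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("%-9s %-15s %s" % row)
```

Under `Order allow,deny` the `Deny from all` line in the second config overrides the `Allow`, so the model asks every host to log in, the same as the first config. The `anonymous` result is the case where Nagios falls back to `default_user_name=guest`.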
"satisfy any" is indeed what you need to use. There is a good example on the Apache wiki. To quote directly from that source: