Thanks for your response.  I looked at the docs for that and I'm not sure
what it does.  After experimenting with it, it appears to just disable
authentication for the CGI, leaving just the Apache config to protect you.

Is this the same as disabling authentication in cgi.cfg?  Would we still be
vulnerable to attacks directly at the CGI (bypassing basic Apache
authentication)?  Or would the attacker have to somehow know the
default_user_name?

Thanks again!

> try "default_user_name" in cgi.cfg
>
>
> On Wed, Jul 20, 2011 at 3:35 AM,  <[email protected]> wrote:
>> We use Nagios with normal authentication (the Nagios Apache config file,
>> much like .htaccess combined with Nagios's cgi.cfg) and want to allow a
>> few internal hosts (with RFC1918 addresses) to access Nagios withOUT user
>> authentication.  These are basically large displays with no keyboard input.
>>
>> Doing the apache config for this was pretty straightforward:
>>
>>   AuthType Basic
>>   Require valid-user
>>   Allow from 192.168.199.99
>>   Satisfy any
>>
>> However, although the main Nagios page comes up fine, one cannot access
>> any of the Monitoring links.  You get:
>>
>>  It appears as though you do not have permission to view information for
>>  any of the services you requested
>>
>> Googling for docs on this, I figured the cgi.cfg was the culprit, but
>> there does not seem to be any way in there to define hosts or IP addresses
>> to give them unauthenticated access.  We already have this:
>>
>>  authorized_for_all_services=*
>>  authorized_for_all_hosts=*
>>
>> We obviously need to leave authentication/authorization enabled for all
>> other hosts.  Is there a way around this?
>>
>> Thanks in advance!
>>
>> _______________________________________________
>> Nagios-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/nagios-users
>> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
>> ::: Messages without supporting info will risk being sent to /dev/null
>>
>
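
The difference asked about above between `default_user_name` and `use_authentication=0`, as an added example that is not part of the original thread and is not Nagios code: a simplified Python model of how the documented cgi.cfg options map a request to a user and to `authorized_for_*` grants. The account names `wallboard` and `alice` and the sample configs are constructed, and contact-based visibility is not modelled.

```python
# Added example: simplified model of Nagios CGI user resolution (not Nagios code).

def parse_cgi_cfg(text):
    """Return cgi.cfg key=value pairs, skipping comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def effective_access(cfg_text, remote_user):
    """Model what one request gets. remote_user is REMOTE_USER as set by
    Apache, or None when Apache admitted the request without Basic auth
    (the 'Allow from' + 'Satisfy any' case in the thread)."""
    cfg = parse_cgi_cfg(cfg_text)
    if cfg.get("use_authentication", "1") == "0":
        # Authentication off: no per-user checks for anyone.
        return {"user": None, "granted": ["everything (no per-user checks)"]}
    # A request without REMOTE_USER inherits default_user_name, if defined.
    user = remote_user or cfg.get("default_user_name") or None
    granted = []
    for key, value in cfg.items():
        if key.startswith("authorized_for_"):
            names = [n.strip() for n in value.split(",")]
            # "*" matches any request that carries a user name.
            if user and (user in names or "*" in names):
                granted.append(key)
    return {"user": user, "granted": sorted(granted)}

# Constructed sample configs; "wallboard" is a hypothetical account name.
BASE = (
    "use_authentication=1\n"
    "authorized_for_all_services=*\n"
    "authorized_for_all_hosts=*\n"
    "authorized_for_system_commands=nagiosadmin\n"
)
WITH_DEFAULT = BASE + "default_user_name=wallboard\n"
AUTH_OFF = BASE.replace("use_authentication=1", "use_authentication=0")

if __name__ == "__main__":
    for label, cfg in [("base", BASE), ("default user", WITH_DEFAULT), ("auth off", AUTH_OFF)]:
        for who in (None, "alice", "nagiosadmin"):
            print(f"{label:13} REMOTE_USER={who!s:12} -> {effective_access(cfg, who)}")
```

In this model every request that reaches the CGIs without `REMOTE_USER` gets the default user's rights, so the Apache `Allow from` list is the only control on who that is. Listing the default user explicitly in the view-only `authorized_for_*` entries, rather than relying on `*`, keeps its rights narrower than those of logged-in users.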

