Freebsd – Apache 403 Forbidden for Nagios on FreeBSD

apache-2.4freebsd

I have the following conf file in /usr/local/etc/apache24/Includes and when I try to sign in to Nagios GUI, I get a 403 forbidden. I guess this a permissions issue with Apache accessing Nagios data, but I am not sure how to resolve this. I did add www user to nagios group and the files are in /usr/local/www/nagios/cgi-bin/ are executable and readable by nagios group. I also have cgi_modules enabled in the httpd.conf file

ScriptAlias /nagios/cgi-bin/ /usr/local/www/nagios/cgi-bin/

Alias /nagios /usr/local/www/nagios/
<Directory /usr/local/www/nagios>

   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Basic
   AuthUSerFile /usr/local/etc/nagios/htpasswd.users
   Require valid-user

</Directory>

<Directory /usr/local/www/nagios/cgi-bin>

   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Basic
   AuthUSerFile /usr/local/etc/nagios/htpasswd.users
   Require valid-user

</Directory>

How do I resolve this issue?

Nagios Version: 4.3.4

Apache Version: 24

FreeBSD 11

Update 1:

I modified the directory index part in httpd.conf file to include index.php

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

And I see the following webpage

<?php
include_once(dirname(__FILE__).'/includes/utils.inc.php');
// Allow specifying main window URL for permalinks, etc.
$url = $cfg['cgi_base_url'].'/tac.cgi';

if ("yes" == "yes" && isset($_GET['corewindow'])) {

    // The default window url may have been overridden with a permalink...
    // Parse the URL and remove permalink option from base.
    $a = parse_url($_GET['corewindow']);

    // Build the base url.
    $url = htmlentities($a['path']).'?';
    $url = (isset($a['host'])) ? $a['scheme'].'://'.$a['host'].$url : '/'.$url;

    $query = isset($a['query']) ? $a['query'] : '';
    $pairs = explode('&', $query);
    foreach ($pairs as $pair) {
        $v = explode('=', $pair);
        if (is_array($v)) {
            $key = urlencode($v[0]);
            $val = urlencode(isset($v[1]) ? $v[1] : '');
            $url .= "&$key=$val";
        }
    }
    if (preg_match("/^http:\/\/|^https:\/\/|^\//", $url) != 1)
        $url = "main.php";
}

$this_year = '2017';
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">

<html>
<head>
    <meta name="ROBOTS" content="NOINDEX, NOFOLLOW">
<script LANGUAGE="javascript">
    var n = Math.round(Math.random() * 10000000000);
    document.write("<title>Nagios Core on " + window.location.hostname + "</title>");
    document.cookie = "NagFormId=" + n.toString(16);
</script>
    <link rel="shortcut icon" href="images/favicon.ico" type="image/ico">
</head>

<frameset cols="180,*" style="border: 0px;">
    <frame src="side.php" name="side" frameborder="0" style="">
    <frame src="<?php echo $url; ?>" name="main" frameborder="0" style="">

    <noframes>
        <!-- This page requires a web browser which supports frames. -->
        <h2>Nagios Core</h2>
        <p align="center">
            <a href="https://www.nagios.org/">www.nagios.org</a><br>
            Copyright &copy; 2010-<?php echo $this_year; ?> Nagios Core Development Team and Community Contributors.
            Copyright &copy; 1999-2010 Ethan Galstad<br>
        </p>
        <p>
            <i>Note: These pages require a browser which supports frames</i>
        </p>
    </noframes>
</frameset>

</html>

But the error Cannot serve directory /usr/local/www/nagios/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive hasn't gone away.

Best Answer

So the directory index may be the issue here.

<IfModule dir_module>
    DirectoryIndex index.php index.html index.htm AddType application/x-httpd-php .phpAddType application/x-httpd-php-source .phps
</IfModule>

Full documentation is here: https://support.nagios.com/kb/article.php?id=96#FreeBSD

Related Solutions

Apache 403 forbidden error when adding an alias, windows

after reviewing your httpd.conf, I'd recommend you going over following document: Upgrading to 2.4 from 2.2 - Apache HTTP Server Version 2.4 AND posting part of your error_log so it can be future troubleshoot, as for alias itself, your syntax seems correct.

Linux – Random 403 Forbidden error (Apache 2.4)

I was having this exact problem, I am not sure if the below reason is what always causes this error(specifically in the described in the question way) but this was the case for me, so I just wanted to share my thoughts.

Debian 7 wheezy (7.7), apache 2.2.2

I was making a feature when the user should change the messages' status as read/unread, while clicking on a "link", when ajax was being sent to server, so, while testing - quickly clicking on that link to see if it works fine(so it wont be 2 concurrent ajax requests) I got this error

Forbidden

You don't have permission to access /messages on this server.

The strange part was that before that there were a few successful ajax requests with normal path including the domain name like http://example.com/messages/changeStatus/11. Which means the code was ok. But, on the other hand if I could just wait a few seconds and try again, it would work fine.

I had mod-security and mod-evasive installed, so after this error I found these last lines from /var/log/apache2/modsec_audit.log file.

--ba0f4035-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /messages/changeStatus/24
on this server.</p>
</body></html>

--ba0f4035-H--
Apache-Error: [file "mod_evasive20.c"] [line 246] [level 3] client denied by server configuration: /home/user_name/www/example/messages, referer: http://example.com/messages
Stopwatch: 1421177262896100 4724 (- - -)
Stopwatch2: 1421177262896100 4724; combined=10, p1=0, p2=0, p3=2, p4=0, p5=7, sr=0, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/).
Server: Apache/2.2.22 (Debian) PHP/5.4.36-0+deb7u1 mod_ssl/2.2.27 OpenSSL/1.0.1h

--ba0f4035-Z--

Doing some more search, as I found out the log's error in this article. https://www.atomicorp.com/wiki/index.php/Mod_evasive

so, mod evasive is the reason, because the default params of it are too sensitive, mainly in /etc/apache2/mods-available/mod-evasive.conf file by default I had these options

<ifmodule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  2
   DOSSiteCount  50
   DOSPageInterval 1
   DOSSiteInterval  1
   DOSBlockingPeriod  10
   DOSLogDir   /var/log/mod_evasive
   DOSEmailNotify  EMAIL@DOMAIN.com
   DOSWhitelist   127.0.0.1
</ifmodule>

as we learn from the above link

MODEV_DOSPageCount - This is the threshhold for the number of requests for the same page (or URI) per page interval. Once the threshhold for that interval has been exceeded, the IP address of the client will be added to the blocking list.

and

MODEV_DOSPageInterval - The interval for the page count threshhold; defaults to 1 second intervals.

So, according to default options if I would do 2 requests for the same url during 1 second it would show 403 error, and it was smth that happened to me: ASA I increased the number to 20, I was unable already replicate the error message.

on other hand

MODEV_DOSBlockingPeriod The blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list. During this time, all subsequent requests from the client will result in a 403 (Forbidden) and the timer being reset (e.g. another 10 seconds). Since the timer is reset for every subsequent request, it is not necessary to have a long blocking period; in the event of a DoS attack, this timer will keep getting reset

so, as we can see, after DOSBlockingPeriod time has passed the ip will be deleted from blacklist; as I am guessing this is the reason, that there are no banned IPs in logs, also that, when clicking F5 after a few seconds it works fine, as the blocked period has passed.

I also tested this with long blocking period and small page count values, mainly setting 1000 and 1 respectively. and After a 2-3 ajax requests it started showing 403 and did not go away after a few seconds.

Hope this will help someone.

Best Answer

Related Solutions

Apache 403 forbidden error when adding an alias, windows

Linux – Random 403 Forbidden error (Apache 2.4)

Related Topic