I'm struggling to configure the nginx front end for a Nagios core server on a local test VM I'm hoping to trial it for.
I think I was having PHP-FPM issues for a while which are resolved, at least in part as I can now see the "Nagios Core" homepage when I load the site.
However I can't navigate to any subpages, I'm always given a 403 forbidden.
What other config ideas can I try?
Packages installed on my ubuntu 22.04 host:
nagios-images/jammy,now 0.9.4 all [installed,automatic]
nagios4-cgi/jammy,now 4.4.6-4 amd64 [installed,automatic]
nagios4-common/jammy,now 4.4.6-4 all [installed,automatic]
nagios4-core/jammy,now 4.4.6-4 amd64 [installed,automatic]
nagios4/jammy,now 4.4.6-4 amd64 [installed]
php-common/jammy,now 2:92ubuntu1 all [installed,automatic]
php8.1-cli/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed,automatic]
php8.1-common/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed,automatic]
php8.1-fpm/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed]
php8.1-opcache/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed,automatic]
php8.1-readline/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 amd64 [installed,automatic]
php8.1/jammy-updates,jammy-security,now 8.1.2-1ubuntu2.11 all [installed]
Here's my primary nagios.conf file which is loaded in the /etc/nginx/conf.d/ directory (which is itself specified in the /etc/nginx/nginx.conf file):
upstream php {
server unix:/var/run/php/php8.1-fpm.sock;
}
upstream fcgiwrap {
server unix:/var/run/fcgiwrap.socket;
}
server {
listen 80;
server_name $HOSTNAME;
return 302 https://$HOSTNAME;
}
server {
listen 443 ssl;
server_name $HOSTNAME;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
access_log /var/log/nginx/nagios.access.log;
error_log /var/log/nginx/nagios.error.log info;
expires 5m;
root /usr/share/nagios4/htdocs;
index index.php index.html;
auth_basic "Restricted Access";
auth_basic_user_file /etc/nagios4/htpasswd.users;
location /stylesheets {
alias /etc/nagios4/stylesheets;
}
location ~ /nagios4/ {
location ~ /(\w*\.cgi)$ {
include /etc/nginx/fastcgi_params;
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/nagios4/$1;
fastcgi_pass fcgiwrap;
}
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass php;
include /etc/nginx/snippets/fastcgi-php.conf;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/nagios4/htdocs$fastcgi_script_name;
}
# nagiosgraph
location ~ /nagiosgraph/ {
alias /usr/local/nagiosgraph/share/;
location ~ /(\w*\.cgi)$ {
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/local/nagiosgraph/cgi/$1;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param AUTH_USER $remote_user;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
}
}
}
Here's the fastcgi snippet it calls:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
~
Here's my primary nginx.conf file:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
client_max_body_size 0;
access_log /var/log/nginx/access.log main;
sendfile on;
# tcp_nopush on;
keepalive_timeout 65;
gzip on;
server_tokens off;
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers DEFAULT:!RC4:!DH:!DES:!3DES;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8;
include /etc/nginx/conf.d/*.conf;
}
I've been toying with various configs but have failed at every turn so far.
I have created a populated the basic authentication file, and am prompted for the username and password to match via:
htpasswd -b -c /etc/nagios4/htpasswd.users nagiosadmin $SOMEPASSWORD
I've followed nagios core generating error 403 forbidden and tried relocating that htpass.users file to /usr/local/nagios/ and seeting ownership of root:nagios but that didn't make any difference in this case.
I've stripped all of the configs out and followed https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/ just to ensure php-fpm is working and it appears to be (the response from the homepage matches that of the guide).
The problem with this configuration was that the php-fpm module's default config (/etc/php/8.1/fpm/pool.d/www.conf) is configured for the www-data user.
This nginx.conf specifies a user named 'nginx' as the running user context.
Altering /etc/php/8.1/fpm/pool.d/www.conf to reference 'nginx' in place of 'www-data' and restarting the php8.1-fpm service (systemctl restart) solved this issue.