Newbie question - 403 Forbidden


#1

Hello, I’m installing and setting up Nagios 2.0rc2

I’ve gone through all the steps -when trying to access the web interface, I get the error below. The servername is tpx15 (tpx15//nagios/).

withe the configure scriot - i set the htmurl to /nagios/. And, I’ve followed all the steps for adding the CGI and HTML aliases in /etc/httpd/httpd.conf. I’m using SLES 9 as my OS.

In browser, when entering tpx15/nagios/ - I’m randonly being prompted for username and password. I’ve run the htpasswd command and created the .htaccess files.

thanks very much!


Forbidden
You don’t have permission to access /nagios/ on this server.

Apache/1.3.29 Server at tpx15.trigence.com Port 80


#2

In your cgi file, you need to specify what users are allowed to view/do what things via the web interface. You have to give the users in your .htaccess file permissions to see and do things. Just having the .htaccess files and using the htpasswd command are not enough.


#3

thanks SOT. here’s a snippet of my httpd error_log:

[Wed Jan 25 13:50:55 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 13:51:09 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 13:51:11 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 13:52:31 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 13:52:34 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 13:52:51 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 13:52:57 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 13:53:01 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 13:53:08 2006] [error] [client 10.0.100.92] File does not exist: /srv/www/htdocs/nagios
[Wed Jan 25 13:53:13 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 13:56:46 2006] [error] [client 10.0.100.92] attempt to invoke directory as script: /usr/local/nagios/sbin
[Wed Jan 25 13:57:04 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 14:06:05 2006] [error] [client 10.0.100.92] attempt to invoke directory as script: /usr/local/nagios/sbin
[Wed Jan 25 14:06:23 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/

here’s the contents of .htaccess. How should I change this file?

AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
require valid-user


#4

not sure if this helps, but here’s a listing of the /usr./local/nagios/etc

tpx15:/usr/local/nagios/etc # ls -l
total 236
drwxrwxr-x 2 nagios nagcmd 4096 Jan 25 13:50 .
drwxr-xr-x 8 nagios root 4096 Jan 24 16:24 …
-rw-r–r-- 1 root root 30051 Jan 25 13:49 bigger.cfg
-rw-rw-r-- 1 nagios nagcmd 30051 Jan 24 16:11 bigger.cfg-sample
-rw-r–r-- 1 root root 9581 Jan 25 13:47 cfg.cgi
-rw-rw-r-- 1 nagios nagcmd 9581 Jan 24 16:11 cgi.cfg-sample
-rw-r–r-- 1 root root 4826 Jan 25 13:49 checkcommands.cfg
-rw-rw-r-- 1 nagios nagcmd 4826 Jan 24 16:11 checkcommands.cfg-sample
-rw-r–r-- 1 root root 26 Jan 25 11:02 htpasswd.users
-rw-r–r-- 1 root root 13757 Jan 25 13:50 minimal.cfg
-rw-rw-r-- 1 nagios nagcmd 13757 Jan 24 16:11 minimal.cfg-sample
-rw-r–r-- 1 root root 4305 Jan 25 13:50 misccommands.cfg
-rw-rw-r-- 1 nagios nagcmd 4305 Jan 24 16:11 misccommands.cfg-sample
-rw-r–r-- 1 root root 30780 Jan 25 13:47 nagios.cfg
-rw-rw-r-- 1 nagios nagcmd 30780 Jan 24 16:11 nagios.cfg-sample
-rw-r----- 1 root root 1335 Jan 25 13:48 resource.cfg
-rw-rw---- 1 nagios nagcmd 1335 Jan 24 16:11 resource.cfg-sample


The directions never indicated this - but I did a

cp nagios.cfg-sample nagios.cfg

For all of the .cfg files in this folder. I was logged on as root. when I did this. I also tried changing permissions to 777 fot htpasswd.users

thanks


#5

As a first install and Nagios newbie, do yourself a favor and only use minimal.cfg. That basically combines all the other .cfg files in one basic, simple setup and is set to check certain local services on your Nagios box only. This will allow you to get a better understanding of how Nagios works. Later on, when you start adding more services to to other hosts, you’ll probably want to ditch minimal.cfg and start writing hosts.cfg and services.cfg for organizational purposes.

Now, what I meant by allowing users in your .htaccess files to see and do things on the web-int: you need to add them to a list of users. In minimal.cfg there should be settings in there for things like this:

authorized_for_system_information=admin

You need to change so that the users you created with htpasswd are in this list. So let’s say you created user1 and user2. The entry should now read:

authorized_for_system_information=admin,user1,user2

Take note: there are MULTIPLE settings like this one, and you’ll need to put those users in for every one of the settings you want them to have access to. Depending on your situation, you might want to have certain users be only able to see system information, but not execute commands, while your admin user would be able to do pretty much anything through the web-int. Look into the docs to see what all of these authorized_for_* values mean.

Anywhos, I believe minimal.cfg contains all that you’ll need to get started. So go into nagios.cfg and make sure to comment out EVERY cfg file except minimal.cfg. Leave everything else in nagios.cfg to the defaults. Best not to mess with that for now.

You’ve a bit of work ahead of you. When you post back, tell me everything you did and post the relevant snippets of your configs.

Edited Wed Jan 25 2006, 03:11AM ]


#6

ok, i deleted all the files in /usr/local/nagios/etc - except for minimal.cfg (and of course the opriginal samples)

tpx15:/usr/local/nagios/etc # ls -l
total 140
drwxrwxrwx 2 nagios nagcmd 4096 Jan 25 15:26 .
drwxrwxrwx 8 nagios root 4096 Jan 24 16:24 …
-rwxrwxrwx 1 nagios nagcmd 30051 Jan 24 16:11 bigger.cfg-sample
-rwxrwxrwx 1 nagios nagcmd 9581 Jan 24 16:11 cgi.cfg-sample
-rwxrwxrwx 1 nagios nagcmd 4826 Jan 24 16:11 checkcommands.cfg-sample
-rwxrwxrwx 1 root root 26 Jan 25 11:02 htpasswd.users
-rwxrwxrwx 1 root root 13757 Jan 25 13:50 minimal.cfg
-rwxrwxrwx 1 nagios nagcmd 13757 Jan 24 16:11 minimal.cfg-sample
-rwxrwxrwx 1 nagios nagcmd 4305 Jan 24 16:11 misccommands.cfg-sample
-rwxrwxrwx 1 nagios nagcmd 30780 Jan 24 16:11 nagios.cfg-sample
-rwxrwxrwx 1 nagios nagcmd 1335 Jan 24 16:11 resource.cfg-sample


I checked the minimal.cfg file and there’s no

authorized_for_system_information=admin

The only user I created was nagiosadmin - that’s all I need for know

thanks


#7

I ran find command to search for the “authorized_for_system_information” string - and the only file containing that was cfg.cgi-sample

heres the snippet from that file:

SYSTEM/PROCESS INFORMATION ACCESS

This option is a comma-delimited list of all usernames that

have access to viewing the Nagios process information as

provided by the Extended Information CGI (extinfo.cgi). By

default, no one has access to this unless you choose to

not use authorization. You may use an asterisk (*) to

authorize any user who has authenticated to the web server.

#authorized_for_system_information=nagiosadmin,theboss,jdoe


#8

Okay, my mistake…minimal.cfg does not contain info found in cgi.cfg. Anywhos, go through and uncomment those **authorized_for_**lines (remove the # from in front of them) so that Nagios will actually read them. With the lines commented as they are (as you show in your post), Nagios skips over those lines when reading the .cfg files. Make sure that the nagiosadmin user is in all of the authorized_for_ entries.

Then restart Nagios and see what you get.

Edited Wed Jan 25 2006, 03:41AM ]


#9

ok, i had actually tried that. but i didn’t restart nagios. how do I restart nagios? And why do I not have a cgi.cfg file?

I can do a
#mv cfg.cgi-sample cfg.cgi

to create the file - but nowhere in the doc does it say i have to do this.

reading thru the doc, it says running “make install-config” will create those *.cfg file in /usr/local/nagios/etc folder, but when i run it I get:

tpx15:/usr/local/nagios/etc # ls
. bigger.cfg-sample checkcommands.cfg-sample minimal.cfg misccommands.cfg-sample resource.cfg-sample
… cgi.cfg-sample htpasswd.users minimal.cfg-sample nagios.cfg-sample
tpx15:/usr/local/nagios/etc # make install-config
make: *** No rule to make target `install-config’. Stop.
tpx15:/usr/local/nagios/etc #


#10

You need to understand that those *.cfg-sample files are just that: sample configuration files. It is expected that eventually you will modify these files. Sometimes you write your own right from scratch if you’re a Nagios guru. Those files are a convenience for some people that need them, and the extensions are different so that they don’t get in the way. However, they should be generally workable on your system.

Yes, feel free to use that mv command. It will change the extension on your file and will then be accessed when you restart nagios.

If you followed the installation docs exactly, there should be a startup script that was created. I’m pretty sure that the location for the startup scripts is generally universal, though I know there are some exceptions. Try this:

/etc/init.d/nagios restart

Before you do that, though, cd to your /usr/local/nagios/bin directory and run this:

./nagios …/etc/nagios.cfg-sample

Note any warnings/errors that this second command reflects. If it gives you any, post them here before restarting Nagios. If not, and “everything looks OK”, then go ahead and run the command to restart Nagios.
Edited Wed Jan 25 2006, 05:50AM ]


#11

thanks - heres what I get with ./nagios …/etc/nagios.cfg-sample :

tpx15:/usr/local/nagios/bin # ./nagios …/etc/nagios.cfg-sample

Nagios 2.0rc2
Copyright © 1999-2006 Ethan Galstad (nagios.org)
Last Modified: 01-10-2006
License: GPL

Nagios 2.0rc2 starting… (PID=22484)
Error: Command ‘check-host-alive’ has already been defined
Error: Could not register command (config file ‘/usr/local/nagios/etc/minimal.cfg’, starting on line 76)
Bailing out due to one or more errors encountered in the configuration files. Run Nagios from the command line with the -v option to verify your config before restarting. (PID=22484)
tpx15:/usr/local/nagios/bin #


#12

got past error above by following meulie.net/forum_viewtopic.php?21.895

Now verify is good:
Total Warnings: 0
Total Errors: 0
Things look okay - No serious problems were detected during the pre-flight check


So now, I go to start Nagios:

tpx15:/etc/init.d # /usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg

Nagios 2.0rc2
Copyright © 1999-2006 Ethan Galstad (nagios.org)
Last Modified: 01-10-2006
License: GPL

Nagios 2.0rc2 starting… (PID=23744)
/usr/local/nagios/libexec/check_procs: option requires an argument – s
/usr/local/nagios/libexec/check_procs: option requires an argument – s
/usr/local/nagios/libexec/check_procs: option requires an argument – s
/usr/local/nagios/libexec/check_procs: option requires an argument – s
postdrop: warning: mail_queue_enter: create file maildrop/244146.23824: Permission denied
postdrop: warning: mail_queue_enter: create file maildrop/244146.23824: Permission denied
postdrop: warning: mail_queue_enter: create file maildrop/244146.23824: Permission denied
postdrop: warning: mail_queue_enter: create file maildrop/244146.23824: Permission denied


#13

Stop the Nagios process and use the startup script to start it back up. You executed the above command from the default location of the startup script, but you executed a command that was actually in another folder.

So, kill all your Nagios processes, and run this command:

/etc/init.d/nagios restart

Let me know if it works.

Looks like you’re going to have trouble with your check_procs commands. Did you in any way alter the default check commands specified in minimal.cfg?
Edited Wed Jan 25 2006, 11:18PM ]


#14

thx S.O.T.

as you sggested, I killed all the nagios processes. when I go to do the restart - I get errors below. Incidentally, in my reasearch I found many referrring to nagios script being in either /etc/init.d/ or in /etc/rc.d/init.d. The only nagios script I have is in /usr/local/nagios/bin/nagios. So I copied the script into /etc/init.d. Not sure if this is correct, and nowhere did it say I had to do it but. Strange that I foolowed all the directions and the nagios script wasnt there. anyhoo…heres the error on restart:

Error: Cannot open main configuration file ‘/usr/local/nagios/bin/restart’ for reading!
Warning: Could not get group entry for 'nagios’
Nagios 2.0rc2 starting… (PID=24376)
Bailing out due to one or more errors encountered in the configuration files. Run Nagios from the command line with the -v option to verify your config before restarting. (PID=24376)


thanks for all your help S.O.T.


#15

Please don’t copy /usr/local/nagios/bin/nagios to /etc/rc.d/init.d.
In other words, take that out and do it right.
Read the docs, run the ./configure script again. Run make and make install again.
Notice what make install states after it runs. It says something like, “run make install-init-scripts to install the startup scripts” or something like that.

Then fix that minimal.cfg file, so you don’t get that error about “was already defined once”. I can’t believe they still haven’t fixed that. For that reason alone, I will not install nagios over 1.x until they fix that. Just too dang buggy for me to trust.
Edited Thu Jan 26 2006, 02:41AM ]


#16

Looks like you skipped a step in your install, my friend. After your ./configure and **make all commands, you’re supposed to have run make install-init. This would have installed the startup script into /etc/rc.d/init.d.

Go ahead and do as jakkedup suggests: run the configure script and then run the following commands:

make all
make install
make install-init

You should then have your startup script.
Edited Thu Jan 26 2006, 04:04AM ]**


#17

Actaully, now that you know the exact syntax of the command, I’d do as SOT stated.
Just run make install-init and you should be good to go.
Then, all you have to do is configure all the hosts/services/etc and spend another 2 weeks of gathering all the info you need.

I’d like you to know, installing nagios is the easy part. It’s getting everything configured that will be an ongoing effort that most likely will never end. It shouldn’t end really, since every day as a tech, I’m finding something new that I can add to nagios. Another check, another host, etc…


#18

[quote=“jakkedup”]=I’d like you to know, installing nagios is the easy part. /quote]

Hah…ain’t that the truth. The past few weeks I’ve been working on my own Nagios install here at work. Now I’m tackling the process of upgrading the configs of the pre-existing Nagios server. That’ll be a bit involved; I’ll have to edit all of the NRPE daemons to accept the IP of that server. There’s always something more to do with Nagios.

Take, for example, my next self-assigned goal: getting my status map to look exactly like the physically-wired network in the office. Right now it looks like a bike wheel with way too many spokes on it. You can hardly read anything, and that’s only with 22 hosts! :cry:[/quote]


#19

The nagios server is on the top left. I used nagiosmap to move stuff around. When viewing the status map, it’s much quicker to draw, if you have “user supplied coordinates”.

http://www.cybaclan.com/nuke/modules/coppermine/albums/userpics/10002/image003.jpg


#20

ok, getting there, re-ran the configre script:

./configure --prefix=/usr/local/nagios --with-cgiurl=/nagios/cgi-bin --with-htmurl=/nagios/ --with-nagios-user=nagios --with-nagios-group=nagcmd --with-command-group=nagcmd

then ran:
make all
make install
make install-init

all ran successfully. Incidentally, the documentation states : "If you wish, you can install the sample init script to /etc/rc.d/init.d/nagios with the following command:
make install -init

(To me - this indicates that its an optional step. Since I’m trying to set up a very basic install to monitor 1 server I didn’t want to get too complicated - theu should remove the word ‘wish’!).

I ran the verify again and pre-flight check is good.

Anyhoo, after this I tried to access the web interface and still get 403 forbidden error. Here’s snippet from web server error_log:

[Wed Jan 25 15:52:06 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Wed Jan 25 16:41:09 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Thu Jan 26 11:04:57 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Thu Jan 26 11:05:04 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Thu Jan 26 11:05:12 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Thu Jan 26 11:05:18 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Fri Jan 27 10:14:02 2006] [notice] caught SIGTERM, shutting down
[Fri Jan 27 10:14:05 2006] [notice] Apache/1.3.29 (Linux/SUSE) configured – resuming normal operations
[Fri Jan 27 10:14:05 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Fri Jan 27 10:15:45 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share/
[Fri Jan 27 10:16:04 2006] [error] [client 10.0.100.92] File does not exist: /srv/www/htdocs/nagios
[Fri Jan 27 10:16:07 2006] [error] [client 10.0.100.92] Directory index forbidden by rule: /usr/local/nagios/share


thanks!

Edited Thu Jan 26 2006, 10:20PM ]