Bug 1101214

Summary: http to https redirectiion (SSL) is NOT happening for Nagios and pnp4nagios portal
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Prasanth <pprakash>
Component: nagios-server-addonsAssignee: Shubhendu Tripathi <shtripat>
Status: CLOSED ERRATA QA Contact: Prasanth <pprakash>
Severity: high Docs Contact:
Priority: medium    
Version: rhgs-3.0CC: asrivast, dpati, kmayilsa, nsathyan, rhs-bugs, rhsc-qe-bugs, shtripat
Target Milestone: ---   
Target Release: RHGS 3.0.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nagios-server-addons-0.1.1-2.el6rhs.x86_64.rpm Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-22 19:10:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Security details of Nagios link
none
Security details of ovirt-engine link none

Description Prasanth 2014-05-26 12:07:32 UTC 
Description of problem:

When the user installs RHSC, along with that Nagios server gets installed. The Nagios server should be auto configured automatically to stop the HTTP access to it's service and only allow HTTPS based communication. For e.g. if the RHSC is installed on the server "server-1" and the user points his/her browser to http://server-1/nagios, it should automatically go to https://server-1/nagios and prompt for user-name and password.

Ref: https://trello.com/c/H6sXbesq/21-ssl-nagios


Version-Release number of selected component (if applicable):
rhsc-3.0.0-0.5.master.el6_5.noarch
nagios-3.5.1-2.el6ost.x86_64
pnp4nagios-0.6.20-1.el6rhs.x86_64
nagios-server-addons-0.1.0-82.git77df8ca.el6rhs.x86_64

How reproducible: 100%


Steps to Reproduce:
1. Install and setup RHSC with Monitoring enabled as per: http://rhsm.pad.engineering.redhat.com/rhsc-nagios-release-denali-4
2. Take http://<IP/Hostname>/nagios in the browser
3. Take http://<IP/Hostname>/pnp4nagios in the browser

Actual results: Redirection to https is NOT happening automatically.

Expected results: In both the cases, it should redirect to https to allow ONLY HTTPS based communication


Additional info:
Comment 1 Kanagaraj 2014-05-30 02:49:26 UTC 
merged the patch in 3.0 branch
Comment 3 Prasanth 2014-06-05 06:20:52 UTC 
1. Installed and ran rhsc-setup with Monitoring enabled as per: http://rhsm.pad.engineering.redhat.com/rhsc-nagios-release-denali-5

2. Taken http://<IP/Hostname>/nagios in the browser

3. Taken http://<IP/Hostname>/pnp4nagios in the browser

Both the above links throws 403 Forbidden error and following is what Apache error log says:

----------
[Thu Jun 05 11:31:41 2014] [error] [client 10.70.1.130] access to /usr/share/nagios/html failed, reason: SSL connection required
[Thu Jun 05 11:31:52 2014] [error] [client 10.70.1.130] access to /usr/share/nagios/html failed, reason: SSL connection required
[Thu Jun 05 11:32:24 2014] [error] [client 10.70.1.130] access to /usr/share/nagios/html/pnp4nagios failed, reason: SSL connection required
[Thu Jun 05 11:32:59 2014] [error] [client 10.70.1.130] access to /usr/share/nagios/html/pnp4nagios failed, reason: SSL connection required
----------

Is this a new bug or got introduced as a result of fixing this bug?
Comment 4 Prasanth 2014-06-05 06:29:54 UTC 
On further debugging, I could see that the package "nagios-server-addons" didn't get updated as part of the rhsc installation of the latest build and hence the issue. 

Moving back the bug to ON_QA based on the above.


However, in that case, I would like to know what is the expectation from the user here? Is the package supposed to get updated automatically during rhsc-setup when there is an update available in the channel (as monitoring is enabled by the user) or they have to manually update the package using yum??
Comment 5 Kanagaraj 2014-06-05 06:34:04 UTC 
rhsc should pull the latest nagios-server-addons package. Please open an another bug to track it.
Comment 6 Prasanth 2014-06-05 06:49:20 UTC 
(In reply to Kanagaraj from comment #5)
> rhsc should pull the latest nagios-server-addons package. Please open an
> another bug to track it.

Based on the above confirmation, opened the following BZ:

Bug 1104966 - rhsc-setup is not pulling the available updates for "nagios-server-addons"
Comment 7 Prasanth 2014-06-12 07:27:28 UTC 
https redirection seems to be working correctly now. However, I have noticed that the Security details of https://<IP>/nagios shows as "Connection Partially Encrypted" whereas Security details of https://<IP>/ovirt-engine clearly shows as "Connection Encrypted". I've attached both the screenshots.

This one is a problem. It means you have mixed content on your page, which is bad practice because you can't be sure what can and cannot be trusted as coming from the server (as guaranteed by SSL/TLS otherwise). It's probably loading images, scripts, iframes or making XHR requests via plain HTTP. In some cases, it can leak sensitive data this way.

So we will have to fix this as well to claim that the connection to Nagios URL is Fully Encrypted. Do you agree with me??

Moving back the bug to fix the above issue.
Comment 8 Prasanth 2014-06-12 07:28:33 UTC 
Created attachment 907969 [details]
Security details of Nagios link
Comment 9 Prasanth 2014-06-12 07:29:09 UTC 
Created attachment 907970 [details]
Security details of ovirt-engine link
Comment 10 Kanagaraj 2014-06-12 08:17:55 UTC 
This is the problem

http://assets.nagios.com/images/events/nagios-world-conference-2014-sidebar_promo.png
Comment 11 Kanagaraj 2014-06-12 11:40:30 UTC 
Please open a separate a bug for this issue
Comment 12 Prasanth 2014-06-12 12:39:00 UTC 
(In reply to Kanagaraj from comment #11)
> Please open a separate a bug for this issue

Done!

Bug 1108688 - Some of the elements in the Nagios page are not transferred via SSL and the Security details shows as "Connection Partially Encrypted"
Comment 13 Prasanth 2014-06-12 12:40:58 UTC 
Since the https redirection appers to be working correctly now, I'm marking this bug as verified.

Verified in nagios-server-addons-0.1.1-2.el6rhs.x86_64.rpm
Comment 15 errata-xmlrpc 2014-09-22 19:10:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1277.html