Hi Nate,

Did you set this option to true in your config:

$config['auth']['remote_user'] = FALSE;        // Trust Apache server to authenticate user, READ DOCUMENTATION FIRST!!

Then it should likely just work...

Tom

On 2016-01-25 05:01, Nate Mellendorf wrote:

Tom,

Thank you for your input. This has been a bit of a learning experience for me.

After researching and playing around with Apache, I was able to enable basic authentication using htpasswd.

When I attempt to access Observium, I'm prompted for credentials as expected.

Once I login with the creds I've configured, I land at the Observium form based authentication page. I'm trying to pass the username and password provided to htpasswd, and send them to Observium on the backend. As you noted earlier, it seems like I should be able to do this with the remote user variable. However, I can't seem to get it to work.

I've listed my current virtual host config below.

I enabled a2enmod headers and restarted Apache with no luck. I'm curious if you know if there's something I'm missing.

I'll keep digging and working away at this, but I thought I'd provide an update to the mailing list. Other users may find it helpful if we sort it out.

Many thanks,

<VirtualHost *:80>
  DocumentRoot /opt/observium/html/
  CustomLog /opt/observium/logs/access_log combined
  ErrorLog /opt/observium/logs/error_log

  <Directory "/opt/observium/html/">
    # Basic auth against the htpasswd file; Apache sets REMOTE_USER on success
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user

    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all

    # RequestHeader needs mod_headers (a2enmod headers)
    RewriteEngine on
    RewriteCond %{ENV:REMOTE_USER} (.+)
    RequestHeader set X-Forwarded-User %{ENV:REMOTE_USER}e
  </Directory>
</VirtualHost>

- NM
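As an added check, not from the thread and not Observium's own code: a small Python linter that reads an Apache vhost like the one above and reports whether the DocumentRoot is actually behind Apache authentication before `$config['auth']['remote_user']` is switched to TRUE (with that setting, whatever Apache puts in REMOTE_USER is trusted as the logged-in user), and flags two things in the posted block: the `RewriteCond` has no `RewriteRule` to act on, and `X-Forwarded-User` only matters when proxying to a separate backend. `POSTED_VHOST` is a constructed, trimmed copy of the config above.

```python
import re

# Constructed sample: the vhost from the post above, trimmed to the lines these checks read.
POSTED_VHOST = """
<VirtualHost *:80>
  DocumentRoot /opt/observium/html/
  <Directory "/opt/observium/html/">
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
    RewriteCond %{ENV:REMOTE_USER} (.+)
    RequestHeader set X-Forwarded-User %{ENV:REMOTE_USER}e
  </Directory>
</VirtualHost>
"""

def directory_blocks(vhost_text):
    """Map each <Directory> path to the lower-cased directive lines inside it."""
    blocks, current = {}, None
    for raw in vhost_text.splitlines():
        line = raw.strip()
        start = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)
        if start:
            current = start.group(1).rstrip("/") + "/"
            blocks[current] = []
        elif line.lower() == "</directory>":
            current = None
        elif current is not None and line and not line.startswith("#"):
            blocks[current].append(line.lower())
    return blocks

def check_vhost(vhost_text):
    """Return findings; an empty list means remote_user=TRUE would rest on real Apache auth."""
    findings, blocks = [], directory_blocks(vhost_text)
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', vhost_text, re.M | re.I)
    docroot = m.group(1).rstrip("/") + "/" if m else None
    lines = blocks.get(docroot, [])  # directives that apply to every file Observium serves
    if not any(l.startswith("authtype") for l in lines):
        findings.append("DocumentRoot has no AuthType in its <Directory> block: REMOTE_USER is never set")
    if not any(l.startswith("require ") and "all granted" not in l for l in lines):
        findings.append("DocumentRoot has no Require line: anonymous requests reach the PHP code")
    for path, lines in blocks.items():
        # A RewriteCond only qualifies the RewriteRule that follows it; on its own it does nothing.
        conds = [i for i, l in enumerate(lines) if l.startswith("rewritecond")]
        if conds and not any(l.startswith("rewriterule") for l in lines[conds[-1] + 1:]):
            findings.append(f"{path}: RewriteCond without a following RewriteRule has no effect")
        # mod_php on the same host reads REMOTE_USER from $_SERVER; the header only matters for a
        # proxied backend, which clients must then not be able to reach (or set the header on) directly.
        if any("x-forwarded-user" in l for l in lines):
            findings.append(f"{path}: X-Forwarded-User is only needed for a proxied backend")
    return findings
```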

-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of observium-request@observium.org
Sent: Saturday, January 16, 2016 6:11 PM
To: observium@observium.org
Subject: observium Digest, Vol 66, Issue 96


Message: 1

Date: Sun, 17 Jan 2016 01:10:43 +0100

From: Tom Laermans <tom.laermans@powersource.cx>

To: Observium Network Observation System <observium@observium.org>

Subject: Re: [Observium] Observium: Pre-auth and security questions

Message-ID: <569ADC03.1000002@powersource.cx>

Content-Type: text/plain; charset="windows-1252"; Format="flowed"

Hi Nate,

We support trusting Apache with the auth (ie mod_auth_kerb, mod_auth_ldap, htpasswd, etc) by using its supplied REMOTE_USER variable - this works with at least the LDAP and MySQL backends; if your SSO setup could fill in these fields, you should be good. This bypasses our login forms of course. I use SSO with Kerberos (AD) tickets, handled by mod_auth_kerb.

We also have an http-auth backend, but I don't think that will do what you want it to.

There's also a CAS backend, fairly new, I have no idea how to use it but I don't think it could work with your netscaler setup.

Tom

On 16/01/2016 23:52, Nate Mellendorf wrote:

>
> Good evening everyone,
>
> I've been trying to configure Observium with a forms based SSO solution.
>
> My reasoning for this is that I'd like to minimize the attack surface for Observium when published to the Internet.
>
> As Observium supports groups, I thought it would be extremely beneficial for clients to view their throughput at any time from anywhere.
>
> I was curious if anyone in the community is using pre-authentication, or if you're publishing Observium directly to the Internet.
>
> I'm not as familiar with Apache and PHP, so hardening the service through pre-auth seemed like a good first step.
>
> Unfortunately, I can't quite get pre-auth to work. Observium uses forms based authentication, which is hard to capture on the platform I'm using.
>
> Here's a link, if you're curious on how I'm trying to capture it:
>
> http://fritsesblog.blogspot.com/2015/04/link-to-netscaler-form-sso-kb.html
>
> If I could get Observium to use basic authentication, I think I could get it to work. Do we know if this is possible? A better question, is pre-auth even necessary here?
>
> Aside from HTTPS, iptables, firewalling, and locking down SSH/root, what other steps do you take to secure your Observium server? Do you think that allowing Internet access is unwise at this time?
>
> Thank you for any input or insight into this. This is a concern of mine that I'm trying to address.
>
> Your suggestions and opinions are very much appreciated.
>
> Regards,
>
> - NM
>
> _______________________________________________
> observium mailing list
> observium@observium.org
> http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
