Good evening everyone,
I've been trying to configure Observium with a forms based SSO solution.
My reasoning for this is that I'd like to minimize the attack surface for Observium when published to the Internet. As Observium supports groups, I thought it would be extremely beneficial for clients to view their throughput at any time from anywhere.
I was curious if anyone in the community is using pre-authentication, or if you're publishing Observium directly to the Internet.
I'm not as familiar with Apache and PHP, so hardening the service through pre-auth seemed like a good first step. Unfortunately, I can't quite get pre-auth to work. Observium uses forms based authentication, which is hard to capture on the platform I'm using. Here's a link, if you're curious on how I'm trying to capture it: http://fritsesblog.blogspot.com/2015/04/link-to-netscaler-form-sso-kb.html
If I could get Observium to use basic authentication, I think I could get it to work. Do we know if this is possible? A better question, is pre-auth even necessary here? Aside from HTTPS, iptables, firewalling, and locking down SSH/root, what other steps do you take to secure your Observium server? Do you think that allowing Internet access is unwise at this time?
Thank you for any input or insight into this. This is a concern of mine that I'm trying to address. Your suggestions and opinions are very much appreciated.
Regards, - NM
Hi Nate,
We support trusting Apache with the auth (i.e. mod_auth_kerb, mod_auth_ldap, htpasswd, etc.) by using its supplied REMOTE_USER variable - this works with at least the LDAP and MySQL backends; if your SSO setup could fill in these fields, you should be good. This bypasses our login forms of course. I use SSO with Kerberos (AD) tickets, handled by mod_auth_kerb.
We also have an http-auth backend, but I don't think that will do what you want it to.
There's also a CAS backend, fairly new, I have no idea how to use it but I don't think it could work with your NetScaler setup.
Tom
On 16/01/2016 23:52, Nate Mellendorf wrote:
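The setup Tom describes, HTTP Basic auth handled by Apache so that Observium receives the verified user name in REMOTE_USER instead of showing its login form, as an added example that is not from the thread or from the Observium project. It assumes Apache 2.4 with mod_ssl and mod_auth_basic, Observium installed under /opt/observium/html, and the hostname, certificate paths and htpasswd path are placeholders; the Observium-side setting that enables REMOTE_USER trust is not given in the thread and should be taken from Observium's own documentation.

```apache
# Added example, not Observium's own configuration. Apache authenticates the
# user against an htpasswd file and sets REMOTE_USER itself; the value is not
# copied from any client-supplied request header, so a browser cannot spoof it.
<VirtualHost *:443>
    ServerName   monitoring.example.com            # placeholder hostname
    DocumentRoot /opt/observium/html               # assumed install path

    # Basic auth only base64-encodes the password, so TLS is mandatory.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/monitoring.example.com.pem    # placeholder
    SSLCertificateKeyFile /etc/ssl/private/monitoring.example.com.key  # placeholder

    <Directory /opt/observium/html>
        AllowOverride None
        SSLRequireSSL                              # refuse plaintext even if misbound

        # Users are created with: htpasswd -B -c /etc/apache2/observium.htpasswd alice
        # (-B stores bcrypt hashes rather than the default MD5-based crypt).
        AuthType          Basic
        AuthName          "Observium"
        AuthBasicProvider file
        AuthUserFile      /etc/apache2/observium.htpasswd   # placeholder path
        Require           valid-user
    </Directory>
</VirtualHost>

# Redirect plain HTTP to HTTPS so credentials are never typed over port 80.
<VirtualHost *:80>
    ServerName monitoring.example.com              # placeholder hostname
    Redirect permanent / https://monitoring.example.com/
</VirtualHost>
```

Observium still resolves the user in its configured backend (Tom mentions MySQL and LDAP), so the account names in the htpasswd file must match users defined there; a Basic-auth prompt is also what a NetScaler-style pre-auth can usually relay more easily than a PHP login form.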
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium