脚本头过早结束:CGI、Nagios、LDAP
我为 LDAPS 身份验证设置了 Nagvis 和 Nagios.我在 Nagvis 中有一个监控点(链接),它将我带到 Nagios Core 中的服务信息.当我单击 Nagvis 中的链接以访问 Nagios 时,我收到以下错误:/var/log/httpd24/error_log:
[cgi:error] [pid 25523] [client 155.157.39.194:23160] 脚本头过早结束:status.cgi,引用者:https://[EM Server FQDN]/nagios/cgi-bin/status.cgi?host=all
当我进入下一页时,我遇到了一个内部服务器错误页面,它只是告诉我查阅错误日志.点击浏览器上的 F5 或后退导航按钮可解决此问题.当我将 LDAPS 身份验证替换为基本身份验证时,不会出现任何问题.
我的 CGI 文件具有适当的权限.在 LDAP 身份验证过程中一定有什么东西丢失了?
感谢任何帮助!附上我的nagios.conf...
ScriptAlias/nagios/cgi-bin "/usr/local/nagios/sbin"<目录/usr/local/nagios/sbin">SSL要求SSL选项 ExecCGIAllowOverride AuthConfig订单拒绝,允许拒绝一切# 限制 HTTP 方法<LimitExcept GET POST OPTIONS>要求全部拒绝</限制例外>允许来自<允许主机的 IP 子网>开会SessionCookieName httpd_nagsess 路径=/会话最大年龄 1800SessionCryptoPassphrase <模糊>错误文档 401/auth/login.htmlAuthFormProvider ldapAuthType 表单AuthLDAPGroupAttributeIsDN 开启AuthName通过 Active Directory (LDAPS) 登录 Nagios"AuthLDAPURL "ldaps://<域控制器#1 FQDN>:3269 <域控制器#2 FQDN>:3269/DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>?sAMAccountName?sub?(objectClass=*)"没有任何AuthLDAPBindDN "CN=AD-Binder,OU=服务帐户,OU=用户和组,OU=<模糊>,DC=<模糊>,DC=<模糊>,DC=<模糊>,DC=<遮蔽>,DC=<遮蔽>"AuthLDAPBindPassword <模糊>要求 ldap-group CN=em_admin,OU=Groups,OU=Users and Groups,OU=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<遮蔽>,DC=<遮蔽></目录>
解决方案 问题出在我的登录表单上.根据关于Inline Login with Body Preservation"的 apache 文档;(
最后这里是我的 nagios.conf(我不包括相同的 nagios/share 目录):
仅供参考,在 login.php 的登录表单部分之外执行此操作,以确定此信息的保存位置:
I have both Nagvis and Nagios set up for LDAPS authentication. I have a monitor point (link) in Nagvis which brings me to the Service information in Nagios Core. When I click the link in Nagvis to get to Nagios I get the following error: /var/log/httpd24/error_log:
[cgi:error] [pid 25523] [client 155.157.39.194:23160] Premature end of script headers: status.cgi, referer: https://[EM Server FQDN]/nagios/cgi-bin/status.cgi?host=all
When I land at the next page I am met with an Internal Server Error page which just tells me to consult the error logs. Hitting F5 or the Back Navigation button on the browser resolves the issue. When I instead replace LDAPS authentication with Basic Authentication, no problems occur.
My CGI files have proper permissions. Something must be getting lost in the process of the LDAP authentication?
Any help is appreciated! Attached my nagios.conf...
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
SSLRequireSSL
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
Deny from all
# Limit HTTP methods
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>
Allow from <IP subnet of allowed hosts>
Session on
SessionCookieName httpd_nagsess path=/
SessionMaxAge 1800
SessionCryptoPassphrase <obscured>
ErrorDocument 401 /auth/login.html
AuthFormProvider ldap
AuthType form
AuthLDAPGroupAttributeIsDN on
AuthName "Nagios Login via Active Directory (LDAPS)"
AuthLDAPURL "ldaps://<domain controller #1 FQDN>:3269 <domain controller #2 FQDN>:3269/DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=AD-Binder,OU=Service Accounts,OU=Users and Groups,OU=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>"
AuthLDAPBindPassword <obscured>
require ldap-group CN=em_admin,OU=Groups,OU=Users and Groups,OU=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>
</Directory>
解决方案
The problem was with my login form. According to the apache documentation on "Inline Login with Body Preservation" (https://httpd.apache.org/docs/2.4/mod/mod_auth_form.html) I needed the following three lines in my form:
<input type="hidden" name="httpd_method" value="POST" />
<input type="hidden" name="httpd_mimetype" value="application/x-www-form-urlencoded" />
<input type="hidden" name="httpd_body" value="<?php echo $_SERVER['REDIRECT_QUERY_STRING'];?>" />
The PHP stuff given to the httpd_body was what I needed to actually preserve the original request. I found a few mentions out there of Inline Form Login not working out of the box but no solid solution for it. My solution works for me. Note login.html had to become login.php. See my login form below:
Finally here is my nagios.conf (Im not including identical nagios/share Directory):
FYI, did this outside the login form part of login.php to figure out where this info was held:
<?php
$info = phpinfo();
echo "<html><h2>$info</h2>";
?>
相关文章