[Pkg-nagios-devel] Bug#708303: nagios3-cgi: Don't Miss and Latest News result in insecure page warning from some browsers

David North david-dpkgs at dnorth.net
Tue May 14 22:07:47 UTC 2013 

Package: nagios3-cgi
Version: 3.4.1-3
Severity: normal
Tags: upstream

(1) Install nagios3-cgi
(2) Tweak apache config to mount the web interface on an https URL, that is, with SSL
(3) Visit the web interface at https://yourserver

At this point, the browser warns that some elements of the page are not encrypted.

This warning can take the form of a modal dialog in some browsers and is annoying
and confusing.

Looking at the 'net' panel in firebug reveals this URL being fetched:

http://assets.nagios.com/images/corepromos/2012-01-26-trainingsplash.jpg

The 'Latest News' RSS feed appears to be including images over plain HTTP

I've commented out lines 19-24 of /usr/share/nagios3/htdocs/main.php to work around this.

Can we persuade upstream to serve this stuff over HTTPS? Or have an option to disable
these feeds?

Happy to work on a patch for upstream or Debian depending on what you think best.

-- System Information:
Debian Release: 7.0
Architecture: armhf (armv6l)

Kernel: Linux 3.6.11+ (PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nagios3-cgi depends on:
ii  adduser                3.113+nmu3
ii  apache2-utils          2.2.22-13
ii  coreutils              8.13-3.5
ii  debconf [debconf-2.0]  1.5.49
ii  libapache2-mod-php5    5.4.4-14
ii  libc6                  2.13-38+rpi2
ii  libgd2-noxpm           2.0.36~rc1~dfsg-6.1
ii  libjpeg8               8d-1
ii  libpng12-0             1.2.49-1
ii  nagios3-common         3.4.1-3
ii  ucf                    3.0025+nmu3
ii  zlib1g                 1:1.2.7.dfsg-13

Versions of packages nagios3-cgi recommends:
ii  apache2                      2.2.22-13
ii  apache2-mpm-prefork [httpd]  2.2.22-13
ii  nagios-images                0.7

nagios3-cgi suggests no packages.

-- Configuration Files:
/etc/nagios3/cgi.cfg changed [not included]

-- debconf information:
  nagios3/nagios1-in-apacheconf: false
  nagios3/adminpassword-mismatch:
  nagios3/httpd: apache2

More information about the Pkg-nagios-devel mailing list