2

I am developing a dashboard for Nagios and I would like to use the JSON Query generator Nagios provides to get the data.

Here is my JavaScript : 

    window.onload = function(){
    var Httpreq = new XMLHttpRequest(); // a new request
    Httpreq.open("GET","http://localhost/nagios/cgi-bin/statusjson.cgi?query=host&hostname=belge",true);
    Httpreq.setRequestHeader("Authorization", "Basic " + btoa("nagiosadmin:nagiosadmin"));
    Httpreq.send(null);
    var object = Httpreq.responseText;
    console.log(object); 
    button.textContent = "Yay";
    console.log("Success"); 
};

I am getting this error with Chrome debug console :

index.html:1 XMLHttpRequest cannot load http://localhost/nagios/cgi-bin/statusjson.cgi?query=host&hostname=belge. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 401.

I know it's related to Access Control Origin policy, so I add this header to my Apache server :

Header set Access-Control-Allow-Origin "*"

I use Postman to check my request is working, and it is, even if Postman has no Access Control Origin policy, I can check that the following header is present on the response :

Access-Control-Allow-Origin → *

I tried a lot of things, but I can't get rid of this error.

Thanks for your time

Loko
  • 71
  • 9
  • did you check this?https://stackoverflow.com/questions/35553500/xmlhttprequest-cannot-load-https-www-website-com – Kislay Kishore Aug 24 '17 at 09:58
  • Solution: configure the `http://localhost` server to not require authentication for OPTIONS requests. Why: Your browser is doing a CORS preflight, which means that the browser is on its own automatically sending an OPTIONS request to `http://localhost/nagios/cgi-bin/statusjson.cgi` before sending your GET request. And the server is apparently requiring authentication for OPTIONS requests, as it does for GET requests; the server is expecting to see an Authorization header in that OPTIONS request. But the server shouldn’t be, because the browser doesn’t send that header when it does the OPTIONS – sideshowbarker Aug 24 '17 at 10:00
  • @sideshowbarker I tried to disable server authentication for OPTIONS by adding the following header in my apache2.conf file : `Header set Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS" Header set Access-controler-Allow-Headers "accept,content-type"` but I still have the same error . What have I done wrong ? I am currently trying to do it with a php script and it seems to work. – Loko Aug 24 '17 at 12:05

1 Answers1

4

To configure the CORS policy on my Apache 2 server using Nagios, here are the lines I had to add:

  • In /etc/apache2/apache2.conf:

    Header always set Access-Control-Allow-Origin "\*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200]

  • In /etc/apache2/sites-enabled/nagios.conf: I replaced the line Require valid-user with:

    <LimitExcept OPTIONS>
  Require valid-user
</LimitExcept>
sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Loko
  • 71
  • 9