The Nagios Viewport solution 

Purpose: provide a means of showing the Nagios-monitoring status to customers, without them being able to use cmd.cgi and without them connecting directly to the Nagios-host.

Information:
nagview is the server on which this solution resides.
naghost is ther server on which Nagios is running.
customer.cfg is a configuration file with the following information:
	customer-ID : used as loginname for Apache-authentication
	cust-passwd : password for the loginname
	OS-flavour  : string that indicates type of OS (TASTE-variable in scripts)

sqlget.sh
This script is run from the cron every 5 minutes. It retrieves host-comments and host-downtime information from an MySQL-database on the Nagios server. The retrieved data is stored in temporary-files.

index.cgi
This script is the first to run. It also functions as an entry point to the web-interface. It shows two frames: the top frame contains a menu, the lower contains tables with host-comments and host-downtime.
In order to do this, it formats the raw-data retrieved by the cron-script sqlget.sh into html-tables. 
IMPORTANT: This is based on how we have setup our network. We use network connections to our customers, where we follow the following naming convention:
	hostname.vdlCID.local, 
where hostname is the hostname as specified by the customer. vdl is a fixed code (stands for Vanderlet, the company I work for), CID is the Customer-ID (in customers.cfg we find a customer 'jan', so CID=jan in that case), and local is also fixed. Since the Customer's ID is in the full hostname (which is the hostname that is registered in MySQL) we can use grep to filter out messages belonging to a specific customer. That way we can make sure that the generic comments-data is customer-specific before showing it.

When this is done, it shows these tables in the lower frame. The upper frame, containing the menu, is created in menu.cgi

menu.cgi
This script checks which customer is logged on to the server, and depending on the information in customers.cfg it retrieves the 'status overview' and the 'status details' for the different OS-flavours. In order to function properly the configuration on the Nagios-host has to be in sync with these 'TASTE'-values.
i.e. we have hostgroups called 'jan_unix_servers', 'company_windows_servers' etc. The first term (jan/company) is equal to the customer-ID, the second is equal to the different OS-flavours.
Furthermore, this script changes the retrieved pages. It changes the original links to pages on naghost to the current page on the nagview-server. This avoids nasty error-messages when customer click on a link that they are not allowed too.

SECURITY:
We restricted access for our customers. They are allowed to connect to the nagview-server, but not to the naghost.
We use basic Apache authentication for nagview. In the main directory there is a .htaccess and htpasswd.users which contains all nagview-users. The login/passwd combinations are identical with those on the naghost. This allows restricted views of the customers systems only.
In each customer-subdir (where all data resides) is a specific htpasswd.users file that only contains the customer-information too which the directory belongs.
(changing an url like http://nagview/view/jan/statusoverview.html into http://nagview/view/company/statusoverview.html will result in the browser asking for new authentication).

In this way customers can only view their own information, access to other directories is prohibited.

The customers.cfg is placed in the parent-directory of the main-directory. That way we can restrict access to this file, since it contains cleartext passwords and all relevant authentication information. The browser cannot access this file.

The sqlget.sh script that contains cleartext account information for MySQL is also placed in a directory that is not accessible by the web browser.


INDEX.CGI

#!/bin/bash

# Create HTML-page (Header with Refresh-function)
echo "Content-type: text/html"
echo ""
echo "<html>"
echo "<head>"
echo "<META HTTP-EQUIV=REFRESH CONTENT=60>"
echo "<title>Nagios Viewport</title>"
echo "</head>"

# CUST wil contain authenticated username from Apache
CUST=${REMOTE_USER}


# Format retrieved data; create a html-table
grep vdl${CUST} Hcomments.sql-data | awk 'BEGIN { FS="\t" ; \
SEP="</td>\n<td>"; print "<html>\n<head><title>Host Comments</title> \
</head>\n<body>\n<h3><center>Host Comments</center></h3> \
\n<table border="1">\n<th>Hostname</th>\n<th>Entry Time</th> \
\n<th>Comment</th>\n<th>Author</th>\n<th>Persistent?</th>" } \
{ print "<tr>\n<td>"$2 SEP $3 SEP $6 SEP $5 SEP $4"</td>\n</tr>" } END \
{ print "</table>" }' >${CUST}/comments.html

grep vdl${CUST} Hdowntime.sql-data | awk 'BEGIN { FS="\t" ; \
SEP="</td>\n<td>"; print "<h3><center>Host Downtime</center></h3> \
<table border="1">\n<th>Hostname</th>\n<th>Entry Time</th>\n \
<th>Duration</th>\n<th>Comment</th>\n<th>Start Time</th> \
\n<th>End Time</th>\n<th>Author</th>" } { print "<tr>\n<td>"$2 SEP $3 \
SEP $7 SEP $9 SEP $4 SEP $5 SEP $8"</td>\n</tr>" } END \
{ print "</table>\n</body>\n</html>" }' >>${CUST}/comments.html

# Create frames to show the menu and comments/downtime
echo "<frameset rows="25%,75%">"
echo "<frame src="menu.cgi">"
echo "<frame src="${CUST}/comments.html">"
echo "</frameset>"
echo "</html>"

-------------------------------------------------------------------------------
MENU.CGI

#!/bin/bash

# Create HTML-header including Meta-tag for 60 seconds refresh
# Refresh is necessary to retrieve up-to-date status info with wget
echo "Content-type: text/html"
echo ""
echo "<html><head><META HTTP-EQUIV=REFRESH CONTENT=60>"
echo "<title>Nagios Viewport Server Menu</title></head>"
echo "<body><h1>Choose the desired view:</h1>"

# Who is logged in on the webserver?
export CUST=${REMOTE_USER}
export PASSWD=`grep ^${CUST} ../customer.cfg|cut -d: -f2`

# Retrieve status-overview with wget
/usr/bin/wget -E -H -K -N -k -p -o wget.out -P${CUST} -nH -nd --http-user=${CUST} --http-passwd=${PASSWD} "http://naghost/nagios/cgi-bin/status.cgi?hostgroup=all" 
/bin/mv ${CUST}/status.cgi\?hostgroup\=all.html ${CUST}/overview.raw

/bin/sed -e s/"^<head>"/"<head><META HTTP-EQUIV=REFRESH CONTENT=60>"/ -e \
s/"[Hh][Rr][Ee][Ff]='http:\/\/naghost[^']*'"/"href='http:\/\/nagview\/view\/$CUST\/overview.html'"/g -e \
s/"[Hh][Rr][Ee][Ff]='status.cgi[^']*'"/"href=''"/g ${CUST}/overview.raw \
>${CUST}/overview.html

        echo "<br>"
        echo "<a target="_blank" href="http://nagview/view/${CUST}/overview.html">Status Overview</a>"

for TASTE in `grep ^${CUST} ../customer.cfg|cut -d: -f3`
do
        # Retrieve status-pages with wget
        /usr/bin/wget -E -H -K -N -k -p -o wget.out -P${CUST} -nH -nd --http-user=${CUST} \
        --http-passwd=${PASSWD} "http://naghost/nagios/cgi-bin/status.cgi?hostgroup=${CUST}%5F${TASTE}%5Fservers&style=detail"
        /bin/mv ${CUST}/status.cgi\?hostgroup\=${CUST}_${TASTE}_servers\&style\=detail.html \
        ${CUST}/${TASTE}servers.raw

        /bin/sed -e s/"^<head>"/"<head><META HTTP-EQUIV=REFRESH CONTENT=60>"/ -e \
        s/"[Hh][Rr][Ee][Ff]='http:\/\/naghost[^']*'"/"href='http:\/\/nagview\/view\/$CUST\/${TASTE}servers.html'"/g -e \
        s/"[Hh][Rr][Ee][Ff]='status.cgi[^']*'"/"href=''"/g ${CUST}/${TASTE}servers.raw \
        >${CUST}/${TASTE}servers.html

        # Create options-menu
        echo "<br>"
        echo "<a target="_blank" href="http://nagview/view/${CUST}/${TASTE}servers.html">Detailed View: ${TASTE} Servers</a>"
done

echo "</body></html>"

-------------------------------------------------------------------------------
SQLGET.SH

#! /bin/bash

DATADIR=/usr/local/nagios-kijk
USER=nagview
PASS=XXXXXXXXXX

/usr/local/bin/mysql --user=$USER --password=$PASS --host=naghost -s nagios <<EOT > $DATADIR/Hdowntime.sql-data
select * from hostdowntime;
quit
EOT

/usr/local/bin/mysql --user=$USER --password=$PASS --host=naghost -s nagios <<EOT |grep -v flapping > $DATADIR/Hcomments.sql-data
select * from hostcomments;
quit
EOT

-------------------------------------------------------------------------------
CUSTOMERS.CFG

jan:pwdjan:unix
jan:pwdjan:mpe
jan:pwdjan:windows
company:pwdcomp:unix
company:pwdcomp:novell