The Nagios Core web interface exposes monitoring state, host details, service details, and command CGI actions that should not travel over plain HTTP. Serving the console through HTTPS encrypts browser traffic and lets administrators verify the certificate before entering credentials or submitting commands.
On Debian and Ubuntu package installs, the Nagios web aliases live in /etc/nagios4/apache2.conf, while Apache virtual hosts decide which ports and certificates serve the site. The HTTPS setup keeps Nagios at https://monitor.example.net/nagios4/, uses Apache for TLS, and adds SSLRequireSSL inside the Nagios directory rule so the console cannot be served over plaintext.
Use a certificate from a public ACME certificate authority, an internal certificate authority, or another trusted issuer before exposing the monitoring console to users. A successful change leaves Apache syntax clean, the apache2 service active, the HTTPS Nagios URL returning a page or authentication challenge, and the HTTP URL redirecting to HTTPS.
Steps to secure Nagios Core web interface with HTTPS:
- Confirm which Apache virtual host currently serves the Nagios hostname.
    $ sudo apache2ctl -S
    VirtualHost configuration:
    *:80 monitor.example.net (/etc/apache2/sites-enabled/000-default.conf:1)
    ServerRoot: "/etc/apache2"
    ##### snipped #####
The nagios4-cgi package configuration usually stays enabled as a shared Apache config, while the virtual host supplies the hostname, port, certificate, and redirect behavior.
- Enable the Apache SSL module.
    $ sudo a2enmod ssl
    Considering dependency mime for ssl:
    Module mime already enabled
    Considering dependency socache_shmcb for ssl:
    Enabling module socache_shmcb.
    Enabling module ssl.
    See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
    To activate the new configuration, you need to run:
      service apache2 restart
- Obtain a certificate for the monitoring hostname.
    $ sudo certbot certonly --apache -d monitor.example.net
    Requesting a certificate for monitor.example.net
    ##### snipped #####
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/monitor.example.net/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/monitor.example.net/privkey.pem
Use an internal CA certificate instead when the Nagios host is private and cannot satisfy public ACME validation.
Related: How to configure Let's Encrypt SSL in Apache
- Configure the HTTPS virtual host in default-ssl.conf under the Apache sites-available directory.
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName monitor.example.net
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/monitor.example.net/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/monitor.example.net/privkey.pem
    </VirtualHost>
    </IfModule>
The packaged /etc/nagios4/apache2.conf aliases apply to the HTTPS virtual host when the nagios4-cgi Apache config remains enabled.
- Enable the HTTPS virtual host.
    $ sudo a2ensite default-ssl
    Enabling site default-ssl.
    To activate the new configuration, you need to run:
      service apache2 reload
- Redirect the HTTP virtual host in 000-default.conf under sites-available to HTTPS on a dedicated Nagios server.
    <VirtualHost *:80>
        ServerName monitor.example.net
        DocumentRoot /var/www/html
        Redirect permanent / https://monitor.example.net/
    </VirtualHost>
On a shared Apache host, redirect only the Nagios path or use the existing site-specific redirect rule instead of redirecting every path on port 80.
- Require SSL inside the packaged Nagios Apache directory rule in /etc/nagios4/apache2.conf.
    <DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
        Options FollowSymLinks
        DirectoryIndex index.php index.html
        AllowOverride AuthConfig
        SSLRequireSSL
        ##### snipped #####
    </DirectoryMatch>
SSLRequireSSL comes from mod_ssl and blocks direct plaintext access to the matching Nagios directories if the HTTP redirect is removed or bypassed.
- Test the Apache configuration syntax.
    $ sudo apache2ctl configtest
    Syntax OK
If Apache reports Invalid command 'SSLRequireSSL', enable mod_ssl before re-running the syntax test.
Related: How to test Apache configuration
- Reload Apache after the syntax test passes.
$ sudo systemctl reload apache2
- Confirm that Apache stayed active after the reload.
    $ sudo systemctl is-active apache2
    active
Check the Apache error log or journal before retrying if the service is not active after the reload.
Related: How to manage the Apache web server service
- Verify that the HTTPS Nagios URL answers on the trusted certificate path.
    $ curl -I -sS https://monitor.example.net/nagios4/
    HTTP/1.1 200 OK
    Server: Apache/2.4.66 (Ubuntu)
    Content-Type: text/html; charset=UTF-8
An authenticated deployment may return HTTP 401 before login, which still proves the HTTPS virtual host and authentication gate are reachable without using plaintext.
- Verify that HTTP no longer serves the Nagios interface directly.
    $ curl -I -sS http://monitor.example.net/nagios4/
    HTTP/1.1 301 Moved Permanently
    Location: https://monitor.example.net/nagios4/
    Content-Type: text/html; charset=iso-8859-1
If this request returns the Nagios page over HTTP 200, the redirect or SSLRequireSSL change is not protecting the plaintext path.
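The plaintext check above can be scripted so it runs after every Apache change. The following is an added example, not part of the original steps: the function name classify_plaintext_response and the sample headers are constructed for illustration. It goes beyond the 301 and 200 cases in the text by also treating a 403 (the response mod_ssl gives when SSLRequireSSL denies a plaintext request) as protected, and a 401 over HTTP as exposed, because the login challenge is then being offered over plaintext.

```shell
#!/bin/sh
# Added example: classify the headers printed by
#   curl -I -sS http://monitor.example.net/nagios4/
# Reads the headers on stdin, prints one verdict word, and returns 0 only
# when the plaintext path is protected.
classify_plaintext_response() {
    awk '
        { sub(/\r$/, "") }                       # curl prints CRLF line endings
        NR == 1 { status = $2; next }            # e.g. "HTTP/1.1 301 Moved Permanently"
        tolower($1) == "location:" { location = $2 }
        END {
            if (status ~ /^30[1278]$/) {
                if (tolower(location) ~ /^https:\/\//) { print "redirect"; exit 0 }
                print "redirect-not-https"; exit 1   # redirect stays on plaintext
            }
            if (status == "403") { print "blocked"; exit 0 }    # SSLRequireSSL denied it
            if (status == "200" || status == "401") { print "exposed"; exit 1 }
            print "unknown"; exit 2
        }'
}

# Constructed sample headers; the 301 case mirrors the output in the step above.
sample_redirect='HTTP/1.1 301 Moved Permanently
Location: https://monitor.example.net/nagios4/
Content-Type: text/html; charset=iso-8859-1'
sample_blocked='HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1'
sample_exposed='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="constructed"'

# Demo run over the samples; against a live host, pipe curl into the function.
for s in "$sample_redirect" "$sample_blocked" "$sample_exposed"; do
    printf '%s\n' "$s" | classify_plaintext_response || true
done
```

Against the live host, run `curl -I -sS http://monitor.example.net/nagios4/ | classify_plaintext_response` and treat any non-zero exit status as a failed check.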
Tool: HTTP Redirect Checker
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.