Protect access to Web interface with HTTP Basic authentication

Secure Web interface with HTTP Basic Authentication

Q: By default, IPHost Network Monitor Web interface is open to everyone, can I restrict access to it?

A: Yes, you can use HTTP Authentication to require a user name and password to access the Web interface. Detailed instructions follow.

Restricting access with HTTP Basic Authentication

Important: the below instructions assume you are using the latest IPHost version.

The IPHost Network Monitor installation can use either HTTP Basic Authentication or HTTP Digest Authentication for its bundled Web server. The instructions below explain how to use HTTP Basic Authentication.

The instructions assume that you run IPHost on 64-bit Windows and that the IPHost installation directory is C:\Program Files (x86)\IPHost Network Monitor, referred to from now on as the “IPHost installation directory”.

Similarly, C:\ProgramData\IPHost Network Monitor will be referred to as the “IPHost data directory”.

Backup your current Web interface configuration

This step is important. Every time you need to alter the configuration of IPHost components, make a backup copy of the existing configuration files first. Otherwise, you might end up with a broken IPHost installation.

Please make a backup copy of the entire conf\ directory under the IPHost installation directory before you proceed.

Make sure the line below is present in conf\httpd.conf and does not start with a hash sign (‘#’):

LoadModule auth_basic_module web_interface_modules/mod_auth_basic.so

The line is present by default. If it is missing from the other “LoadModule” directives, or is commented out (starts with a hash sign), add it in any plain text editor such as Notepad, save the file and restart the IPHost monitoring service (from the IPHost GUI client “Tools” menu).

Create a password file

Authentication data (user name and password) should be stored in a file. In this example, we will create users.dat in IPHost data directory. For the sake of example, we assume we are creating access credentials for user name “operator”.

Open elevated cmd.exe (right-click, “Run as Administrator”) and type the below command in one line (when prompted, enter the same password twice):

"C:\Program Files (x86)\IPHost Network Monitor\conf\htpasswd.exe" -c -B "C:\ProgramData\IPHost Network Monitor\users.dat" operator

Typical program output:

New password: ********
Re-type new password: ********
Adding password for user operator

When prompted, enter the same password twice. Make sure you can remember the password; otherwise, remove the mentioned “users.dat” file and re-create it as mentioned above.

Allow authentication override in httpd.conf

Start an elevated Notepad (right-click, “Run as Administrator”) or another plain text editor, open the conf\httpd.conf file under the IPHost installation directory, and in the Directory container that starts with

<Directory "C:/Program Files (x86)/IPHost Network Monitor/htdocs">

replace

AllowOverride None

with

AllowOverride AuthConfig

and save the changes.

Create .htaccess file forcing authentication

In the C:/Program Files (x86)/IPHost Network Monitor/htdocs directory, create a file named .htaccess with the below contents:


    AuthName "Access to Web interface is restricted"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile "C:/ProgramData/IPHost Network Monitor/users.dat"
    Require valid-user

Save the file. In the elevated cmd.exe window, run the below two commands:

cd "C:\Program Files (x86)\IPHost Network Monitor"
NMSWebServr.exe -t

The program should output:

Syntax OK

If anything else is reported, check the above steps to make sure you followed the instructions. In the worst case, restore the backup copy of the conf\ directory and edit the file anew.

Test Web interface access restriction

Stop and start IPHost monitoring service (from “Tools” menu). Open Web interface; it should request name and password. Try the “operator” user (without quotes) and the password you entered.

If name and password pair isn’t accepted, proceed to the “Troubleshooting” section below.
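
The same test can be scripted so that it also covers the anonymous and wrong-password cases, which a browser check tends to skip. The PowerShell below is an added example, not part of the IPHost documentation; the URL http://localhost:8084/ is an assumption (port 8084 is taken from the monitor URL quoted later in this article), and Get-BasicAuthStatus is a hypothetical helper name.

```powershell
# Added example: HttpClient is used because it returns a 401 response instead of throwing.
Add-Type -AssemblyName System.Net.Http

function Get-BasicAuthStatus {
    param([Parameter(Mandatory)] [string] $Url, [string] $User, [string] $Password)
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false          # judge the first response only
    $client  = [System.Net.Http.HttpClient]::new($handler)
    $request = [System.Net.Http.HttpRequestMessage]::new([System.Net.Http.HttpMethod]::Get, $Url)
    try {
        if ($User) {
            # Basic auth is base64("user:password") in the Authorization header.
            $token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${User}:${Password}"))
            $request.Headers.Authorization = [System.Net.Http.Headers.AuthenticationHeaderValue]::new('Basic', $token)
        }
        $response = $client.SendAsync($request).GetAwaiter().GetResult()
        [pscustomobject]@{
            Status    = [int]$response.StatusCode
            Challenge = ($response.Headers.WwwAuthenticate | ForEach-Object { "$_" }) -join '; '
        }
    }
    finally { $request.Dispose(); $client.Dispose() }
}

# Assumption: the Web interface answers at this URL; keep your own scheme, host and port.
$url    = 'http://localhost:8084/'
$secure = Read-Host 'Password for operator' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$anon = Get-BasicAuthStatus -Url $url
$bad  = Get-BasicAuthStatus -Url $url -User 'operator' -Password ([guid]::NewGuid().ToString())
$good = Get-BasicAuthStatus -Url $url -User 'operator' -Password $plain

$checks = [ordered]@{
    'Anonymous request is rejected (401)' = ($anon.Status -eq 401)
    'Challenge scheme is Basic'           = ($anon.Challenge -match '^Basic\b')
    'Wrong password is rejected (401)'    = ($bad.Status -eq 401)
    'Correct password is accepted'        = ($good.Status -ge 200 -and $good.Status -lt 400)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-38} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}
```

With an http:// URL the Authorization header carries the user name and password only base64-encoded, so run the check on the IPHost host itself or against an https:// URL.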

Provide access credentials for Web interface monitor

If you were running an IPHost Web interface HTTP(S) monitor, you will notice that it now fails. Open the corresponding monitor’s “Main parameters” tab, scroll to and open the “Credentials” section and click the plus icon to add new credentials:

(Screenshot: Web interface access credentials)

Save them and start/poll the monitor.

Provide access credentials for Apache Web Server counters monitors

If you are using the “Apache Web Server” application template with your IPHost installation, first go to “Settings > User Credentials > Windows” and click “New” to add new Windows credentials with the below parameters:
Domain: .
User: operator
Password: <user operator’s password>

For “Total traffic” and “Total Accesses” monitors, replace, in “Arguments” field, the string

http://$HostIP:8084/nms/is_alive

with

http://$WindowsUser:$WindowsPassword@$HostIP:8084/nms/is_alive

(if a different scheme, i.e. https://, and/or a different port is used, leave them as they are and insert only the $WindowsUser:$WindowsPassword@ part). Leave the rest of the “Arguments” field intact.

Save the changes and restart corresponding monitor(s).

Adding more users to access Web interface

It might be a good idea to add several users to the credentials file. That way, you can revoke access for certain users without rebuilding the entire credentials file and informing the personnel who are still allowed access. To add another user named “patrick”, run a command like this:

"C:\Program Files (x86)\IPHost Network Monitor\conf\htpasswd.exe" -B "C:\ProgramData\IPHost Network Monitor\users.dat" patrick

Note the absence of the “-c” parameter (it is only required to create the credentials file for the first time). Every time you run a command like the one above, you either create a new user or change an existing user’s password.

To remove a user’s access altogether, run a command like

"C:\Program Files (x86)\IPHost Network Monitor\conf\htpasswd.exe" -D "C:\ProgramData\IPHost Network Monitor\users.dat" patrick

Make sure you restart IPHost monitoring service every time you change the credentials file.

Troubleshooting

If access credentials do not work, please make sure you are entering them correctly. If that doesn’t help, try changing the access credentials password as explained above.

Make sure you have created backup copies of everything under conf\ in the IPHost installation directory. If you need to revert the change, just copy the configuration files back and restart the IPHost monitoring service.

In case you need to disable everyone’s access quickly, remove the credentials file, re-create it for any user with password only you may know, and restart IPHost monitoring service.

If the Windows Edge browser doesn’t accept the name/password pair, try removing the “-B” parameter from the command line that creates the credentials. Note that the resulting hashed password will be easier to crack. You might wish to use a browser different from Edge in such a case.
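
To see which entries were created without “-B”, the credentials file can be audited by hash prefix. The PowerShell below is an added example, not part of the IPHost documentation; it assumes the bundled htpasswd.exe writes the same formats as stock Apache htpasswd (where omitting “-B” falls back to the MD5-based apr1 scheme). Get-HtpasswdScheme, the “legacy” user and the sample hashes are constructed for illustration.

```powershell
# Added example: classify each users.dat entry by the prefix of its stored hash.
function Get-HtpasswdScheme {
    param([Parameter(Mandatory)] [string] $Path)
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -notmatch '^[^:#]+:') { continue }   # skip blank or malformed lines
        $user, $hash = $line -split ':', 2
        $scheme = switch -Regex -CaseSensitive ($hash) {
            '^\$2[aby]\$' { 'bcrypt';        break }   # written by htpasswd -B
            '^\$apr1\$'   { 'apr1-md5';      break }   # htpasswd without -B (assumed default)
            '^\{SHA\}'    { 'sha1-unsalted'; break }
            default       { 'crypt-or-plaintext' }
        }
        [pscustomobject]@{
            User       = $user
            Scheme     = $scheme
            NeedsReset = ($scheme -ne 'bcrypt')        # anything weaker than bcrypt gets flagged
        }
    }
}

# Constructed sample file; the hash bodies are placeholders, not real hashes.
$sample = Join-Path $env:TEMP 'users-sample.dat'
@(
    'operator:$2y$05$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.HASH'
    'patrick:$apr1$CONSTRUC$PLACEHOLDER.NOT.A.REAL.HASH'
    'legacy:{SHA}CONSTRUCTED-PLACEHOLDER='
) | Set-Content -LiteralPath $sample -Encoding ASCII

Get-HtpasswdScheme -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

Point -Path at the real users.dat to list the accounts whose passwords should be set again with “-B”.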

If everything else fails, please send us all the details of your setup, all the files you created, copy of httpd.conf file and screenshots of problems you encountered.

Security note

Please make sure no one else has access to the credentials file. On a multi-user system, you might wish to place the credentials file (“users.dat”) in a different directory, with access allowed only for you and the account the IPHost monitoring service runs as (by default, the SYSTEM account).
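
One way to apply and verify that restriction from an elevated PowerShell window, as an added example that is not part of the IPHost documentation. It assumes the file stays at the path used in this article, that the service runs as SYSTEM (SID S-1-5-18), and that “you” is the account running the script; the function names are hypothetical.

```powershell
# Added example: restrict users.dat to SYSTEM (read) and the current account (full control).
function Protect-CredentialFile {
    param([Parameter(Mandatory)] [string] $Path)
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    # /inheritance:r drops ACEs inherited from the parent folder;
    # /grant:r replaces any existing explicit grants for the two named SIDs.
    & icacls.exe $Path /inheritance:r /grant:r "*S-1-5-18:(R)" "*${me}:(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

# List every Allow entry that belongs to someone other than SYSTEM or the current account.
function Get-UnexpectedAccess {
    param([Parameter(Mandatory)] [string] $Path)
    $allowed = @('S-1-5-18', [Security.Principal.WindowsIdentity]::GetCurrent().User.Value)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -notin $allowed
    }
}

$file = 'C:\ProgramData\IPHost Network Monitor\users.dat'   # path used in this article

'Entries beyond SYSTEM and the current account, before the change:'
Get-UnexpectedAccess -Path $file | Format-Table IdentityReference, FileSystemRights, IsInherited

Protect-CredentialFile -Path $file

$left = @(Get-UnexpectedAccess -Path $file)
if ($left.Count -gt 0) {
    Write-Warning ("Still allowed: " + (($left | ForEach-Object { $_.IdentityReference }) -join ', '))
} else {
    'users.dat is now accessible only to SYSTEM and the current account.'
}
```

If the IPHost monitoring service runs under a different account, grant that account read access instead of SYSTEM before restarting the service.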
