ansible/roles/nagios_server/templates/httpd/nagios.conf.j2

# Set up the script aliases
ScriptAlias /nagios/cgi-bin/ /usr/lib64/nagios/cgi-bin/
ScriptAlias /tac.cgi         /usr/lib64/nagios/cgi-bin/tac.cgi

Alias /robots.txt /var/www/robots.txt

# Set up the authorization

<Location /nagios>
  AuthName "Nagios GSSAPI Login"
{% if vars['nagios_location'] == 'iad2_internal' %}
  GssapiCredStore keytab:/etc/krb5.HTTP_nagios{{env_suffix}}.fedoraproject.org.keytab
  # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
  GssapiSSLonly Off
{% else %}
  GssapiCredStore keytab:/etc/krb5.HTTP_nagios-external{{env_suffix}}.fedoraproject.org.keytab
  GssapiSSLonly On
{% endif %}
  GssapiLocalName on
  AuthType GSSAPI
  <Limit GET HEAD>
    Require all granted
  </Limit>
  <LimitExcept GET HEAD>
    Require valid-user
  </LimitExcept>
</Location>

<Location ~ "/nagios/cgi-bin/">
  Options ExecCGI
</Location>

<Location /nagios/cgi-bin/cmd.cgi>
  Require valid-user
</Location>
<Location /nagios/cgi-bin/config.cgi>
  Require valid-user
</Location>

<Location /apache-status>
    SetHandler server-status
{% if vars['nagios_location'] == 'external' %}
    Require ip 2600:2701:4000:5211:dead:beef:00fe:fed9
{% else %}
    Require ip 10.3.163.10
{% endif %}
    Require ip 127.0.0.1
    Require ip ::1
</Location>

RewriteEngine on
RewriteRule ^/$ /nagios/ [R]


Alias /nagios /usr/share/nagios/html/
<Directory "/usr/share/nagios/html">
  Options None
</Directory>