monit, http access with four different credentials types, one using PAM
0 votes, 1 answer, 449 views
monit 5.25.2
These are our credential settings:
```
set httpd port 2812
    allow localhost
    allow guest:guest read-only
    allow @wheel
    allow cleartext /opt/monit/htpasswd
```
Rationale:
- *localhost* to enable *monit status*
- *guest:guest* to enable web access, read-only, for everyone as *guest*
- *@wheel* to enable web access, full, for the local users, group *wheel*
- *cleartext* to enable web access, full, for a pair of users not on the host
I read the docs and tried to 'shuffle' the settings (sigh), but I cannot understand how to fix the usual problem: only one of these two usages works:
- from the command line, *monit status*
- web access from a client PC (the IP address isn't the host itself)
**UPDATE**
I stumbled upon two issues:
- allow localhost
Without it, all the client PCs can access, but *monit status* doesn't work.
Using 'allow localhost', it blocks the clients, so we also have to specify:
> allow 10.0.0.0/8
IMHO this isn't clear from the docs.
- tests from the client PCs... beware of credentials
When trying to access monit from the PC, the browser caches the credentials... so these tests can be misleading.
**UPDATE**
I found the problem:
```
strace -s 512 -e connect,write /opt/monit/bin/monit status 2>&1 |more
connect(4, {sa_family=AF_INET, sin_port=htons(2812), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
write(4, "POST /_status HTTP/1.0\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: securitytoken=88521284dfbc7acea0521e16e11356d1\r\nContent-Length: 58\r\n\r\nformat=text&securitytoken=88521284dfbc7acea0521e16e11356d1", 209) = 209
write(2, "You are not authorized to access monit..."
```
Why does it send the Cookie: securitytoken= ?
In the configuration we have defined
> allow guest:guest read-only
If I make the HTTP request with the *guest* credentials, it works:
```
"GET /_status?format=text HTTP/1.0\r\nAuthorization:Basic Z3Vlc3Q6Z3Vlc3Q=\r\n\r\n"
```
Asked by Massimo
(1055 rep)
Sep 11, 2018, 02:57 PM
Last activity: Oct 1, 2018, 06:22 PM
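
The host filtering described in the first update, as an added example that is not part of the original post and is not monit's own code: a Python model that sorts the `allow` lines into the four credential types and applies the rule the asker observed (no host entries means no host filtering; once one host entry exists, every other client needs its own entry). Treating `localhost` as 127.0.0.1 and leaving other hostnames unresolved are assumptions of this sketch.

```python
import ipaddress

# Constructed sample: the allow lines from the question plus the network
# entry the asker reports having to add.
SAMPLE = """\
set httpd port 2812
    allow localhost
    allow 10.0.0.0/8
    allow guest:guest read-only
    allow @wheel
    allow cleartext /opt/monit/htpasswd
"""

def classify(args):
    """Classify the tokens following 'allow' as (kind, detail)."""
    first = args[0]
    if first in ("cleartext", "md5", "crypt"):
        return "htpasswd-file", args[1]
    if first.startswith("@"):
        return "pam-group", first[1:]
    if first == "localhost":  # assumption: treated as 127.0.0.1, not resolved
        return "host", ipaddress.ip_network("127.0.0.1/32")
    try:
        return "host", ipaddress.ip_network(first, strict=False)
    except ValueError:
        pass
    if ":" in first:
        return "user", first.split(":", 1)[0]
    return "hostname", first  # would need DNS; left unresolved in this sketch

def parse_allows(text):
    """Return [(kind, detail, read_only)] for every allow line."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "allow":
            kind, detail = classify(tokens[1:])
            entries.append((kind, detail, "read-only" in tokens[2:]))
    return entries

def host_permitted(entries, client_ip):
    """Host filter as described in the post: no host entries, no filtering."""
    if not any(k in ("host", "hostname") for k, _, _ in entries):
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in d for k, d, _ in entries if k == "host")

if __name__ == "__main__":
    entries = parse_allows(SAMPLE)
    for client in ("127.0.0.1", "10.1.2.3", "192.168.1.5"):
        print(client, "permitted" if host_permitted(entries, client) else "blocked")
```

Passing the host filter only decides whether a client may connect; the request still has to present one of the configured credentials.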