[Xymon] Separating alternate pageset
John Thurston
john.thurston at alaska.gov
Wed Jun 29 19:54:01 CEST 2016
On 6/29/2016 9:37 AM, Becker Christian wrote:
- snip -
> Now we are in the situation that we need to present some special devices
> to an external company. I did this by setting up an alternate pageset,
> following the Tips and Tricks section from the Xymon website.
>
> Everything is working as expected, but the external company is able to
> „break out“ of this special pageset. - snip -

Even if you succeed in stripping the menus from all of the alternate
pages, the URLs and CGIs are still going to work. It isn't going to be
hard to look at the address bar:
> https://xymon.bar.com/xymon-cgi/svcstatus.sh?HOST=foo.bar.com&SERVICE=info
and figure out that any host can be displayed just by changing the
"HOST=" value. Alternate page sets (on the same web server) are not
going to really "jail" those users.

See if you can publish your alternate page set on an Apache vhost. You
could then prevent the external users from reaching your primary vhost.

--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska
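
The following is an added example, not part of the original message or of Xymon: a check over the web server's access log that lists CGI requests from the external users naming a host outside the alternate pageset, which is the "HOST=" change described above. The allowed host list, the external network prefix, the host db01.bar.com and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the original post): the hosts the external company
# may see, and the network prefix its users connect from.
ALLOWED_HOSTS = {"foo.bar.com"}
EXTERNAL_PREFIXES = ("203.0.113.",)

# Apache common/combined log: client ident user [time] "METHOD URL PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jun/2016:10:01:02 +0200] "GET /xymon-cgi/svcstatus.sh?HOST=foo.bar.com&SERVICE=info HTTP/1.1" 200 5120
203.0.113.7 - - [29/Jun/2016:10:01:40 +0200] "GET /xymon-cgi/svcstatus.sh?HOST=db01.bar.com&SERVICE=info HTTP/1.1" 200 4711
203.0.113.7 - - [29/Jun/2016:10:02:05 +0200] "GET /xymon-cgi/svcstatus.sh?SERVICE=cpu&HOST=DB01.bar.com HTTP/1.1" 200 3980
192.0.2.10 - - [29/Jun/2016:10:03:00 +0200] "GET /xymon-cgi/svcstatus.sh?HOST=db01.bar.com&SERVICE=info HTTP/1.1" 200 4711
203.0.113.9 - - [29/Jun/2016:10:04:00 +0200] "GET /xymon/altpage/index.html HTTP/1.1" 200 900
"""

def out_of_scope_requests(log_text, allowed=ALLOWED_HOSTS, external=EXTERNAL_PREFIXES):
    """Return (client, host, service, status) for each external CGI request
    whose HOST parameter is not in the allowed set."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, url, status = m.group(1), m.group(2), int(m.group(3))
        if not client.startswith(external):
            continue  # internal users are allowed to see every host
        parts = urlsplit(url)
        if "/xymon-cgi/" not in parts.path:
            continue  # static pageset pages carry no HOST parameter
        query = parse_qs(parts.query)
        for host in query.get("HOST", []):
            # Compare case-insensitively so a case change does not hide a request.
            if host.lower() not in allowed:
                service = query.get("SERVICE", ["?"])[0]
                findings.append((client, host.lower(), service, status))
    return findings

if __name__ == "__main__":
    for finding in out_of_scope_requests(SAMPLE_LOG):
        print("out-of-scope host requested:", finding)
```

A 200 status on a flagged line means the CGI served the status page for a host outside the pageset.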