[Xymon] Xymon and apache 2.4.35 security problem
Marco Avvisano
marco.avvisano at regione.toscana.it
Fri Oct 4 11:30:47 CEST 2019
Hi,
i also recently upgraded to Apache/2.4.41 and xymon 4.30 and i had the
same problem.
I had to change from "Require all granted" to "Require all denied" to
block access to /xymon-seccgi, but login not work for me
Here the section from ssl.conf :
ScriptAlias /xymon-seccgi/ "/usr/local/xymon/cgi-secure/"
<Directory "/usr/local/xymon/cgi-secure">
AllowOverride None
Options ExecCGI Includes FollowSymLinks
<IfModule mod_authz_core.c>
# Apache 2.4+
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Allow from all
</IfModule>
# Password file where users with access to these scripts are kept.
# Create it with "htpasswd -c
/usr/local/xymon/server/etc/xymonpasswd USERNAME"
# Add more users / change passwords with "htpasswd
/usr/local/xymon/server/etc/xymonpasswd USERNAME"
#
# You can also use a group file to restrict admin access to members
of a
# group, instead of anyone who is logged in. In that case you must
setup
# the "xymongroups" file, and change the "Require" settings to require
# a specific group membership. See the Apache docs for more details.
AuthUserFile /usr/local/xymon/server/etc/xymonpasswd
AuthGroupFile /usr/loca/xymon/server/etc/xymongroups
AuthType Basic
AuthName "Xymon Administration"
# "valid-user" restricts access to anyone who is logged in.
Require valid-user
# "group admins" restricts access to users who have logged in, AND
# are members of the "admins" group in xymongroups.
# Require group admins
</Directory>
Any Ideas ?
Best Regards,
Marco
Il 18/10/2018 22.11, LOZOVSKY, DANIEL L ha scritto:
>
> I recently upgraded to apache 2.4.35 and was having some issues with
> password file to secure xymon-seccgi. I got not get apache to read
> the password file. To get it to work I had to change from Require all
> granted to Require all denied. Now, it works. I get prompted to
> enter username and password.
>
> Here is the section from my httpd.conf file for your reference if you
> will run into similar problems.
>
> ScriptAlias /xymon-seccgi/ "/opt/app/workload/bbapp/bb/cgi-secure/"
>
> <Directory "/opt/app/workload/bbapp/bb/cgi-secure">
>
> AllowOverride None
>
> Options ExecCGI Includes
>
> <IfModule mod_authz_core.c>
>
> # Apache 2.4+
>
> *Require all denied*
>
> </IfModule>
>
> <IfModule !mod_authz_core.c>
>
> Order deny,allow
>
> Allow from all
>
> </IfModule>
>
> # Password file where users with access to these scripts are kept.
>
> # Although expected in $XYMONHOME/etc/ by the useradm and chpasswd
>
> # scripts, files here can be read with the "config" message type,
>
> # which allows status-privileged clients to read arbitrary regular
> files
>
> # from the directory.
>
> #
>
> # This file should be owned and readable only by the apache server
> user,
>
> # and ideally merely a symlink to a location outside of
> $XYMONHOME/etc/
>
> #
>
> # Create it with:
>
> # htpasswd -c
> /opt/app/workload/bbapp/bb/server/etc/xymonpasswd USERNAME
>
> # chown apache:apache
> /opt/app/workload/bbapp/bb/server/etc/xymonpasswd
>
> # chmod 640 /opt/app/workload/bbapp/bb/server/etc/xymonpasswd
>
> # Add more users / change passwords with: "htpasswd
> /opt/app/workload/bbapp/bb/server/etc/xymonpasswd USERNAME"
>
> #
>
> # You can also use a group file to restrict admin access to
> members of a
>
> # group, instead of anyone who is logged in. In that case you must
> setup
>
> # the "xymongroups" file, and change the "Require" settings to require
>
> # a specific group membership. See the Apache docs for more details.
>
> AuthUserFile /opt/app/workload/bbapp/bb/server/etc/xymonpasswd
>
> AuthGroupFile /opt/app/workload/bbapp/bb/server/etc/xymongroups
>
> AuthType Basic
>
> AuthName "Xymon Administration"
>
> # "valid-user" restricts access to anyone who is logged in.
>
> Require valid-user
>
> # "group admins" restricts access to users who have logged in, AND
>
> # are members of the "admins" group in xymongroups.
>
> # Require group admins
>
> </Directory>
>
> I also enabled the following modules.
>
> LoadModule authn_file_module modules/mod_authn_file.so
>
> LoadModule authn_dbm_module modules/mod_authn_dbm.so
>
> LoadModule authn_anon_module modules/mod_authn_anon.so
>
> LoadModule authn_core_module modules/mod_authn_core.so
>
> LoadModule authz_host_module modules/mod_authz_host.so
>
> LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
>
> LoadModule authz_user_module modules/mod_authz_user.so
>
> LoadModule authz_core_module modules/mod_authz_core.so
>
> LoadModule access_compat_module modules/mod_access_compat.so
>
> LoadModule auth_basic_module modules/mod_auth_basic.so
>
> LoadModule reqtimeout_module modules/mod_reqtimeout.so
>
> LoadModule filter_module modules/mod_filter.so
>
> LoadModule mime_module modules/mod_mime.so
>
> LoadModule log_config_module modules/mod_log_config.so
>
> LoadModule env_module modules/mod_env.so
>
> LoadModule headers_module modules/mod_headers.so
>
> LoadModule setenvif_module modules/mod_setenvif.so
>
> LoadModule version_module modules/mod_version.so
>
> LoadModule unixd_module modules/mod_unixd.so
>
> LoadModule status_module modules/mod_status.so
>
> LoadModule autoindex_module modules/mod_autoindex.so
>
> LoadModule cgid_module modules/mod_cgid.so
>
> LoadModule dir_module modules/mod_dir.so
>
> LoadModule alias_module modules/mod_alias.so
>
> LoadModule rewrite_module modules/mod_rewrite.so
>
>
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20191004/12fb5079/attachment.htm>
More information about the Xymon
mailing list