Bug 1062202 - monitorix-apache.conf doesn't check Apache version to use proper authorization parameters
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: monitorix
Version: 20
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Christopher Meng
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-02-06 12:55 UTC by frollic nilsson
Modified: 2014-05-19 09:07 UTC (History)

Fixed In Version: monitorix-3.5.1-1.fc20
Doc Type: Bug Fix
Last Closed: 2014-05-19 09:07:05 UTC



Description frollic nilsson 2014-02-06 12:55:06 UTC
Description of problem:
When using Apache as web server for monitorix, the file monitorix-apache.conf has to be modified/fixed if Apache 2.4 is used. The conf file contains old Apache <= 2.2 syntax grants and denies, instead of the new Require.


Version-Release number of selected component (if applicable):
monitorix-3.4.0-1.fc19.noarch
httpd-2.4.6-2.fc19.x86_64

How reproducible:
Install httpd 2.4 or above, and monitorix.
Disable use of monitorix internal web server in monitorix.conf.
Copy /usr/share/doc/monitorix-3.4.0/monitorix-apache.conf to /etc/httpd/conf.d (restart both).
Attempt to access x.x.x.x/monitorix on server hosting the application.

Actual results:

Forbidden
You don't have permission to access /monitorix on this server.

log:
[Thu Feb 06 13:49:15.383285 2014] [authz_core:error] [pid 799] [client 1.1.1.1:1222] AH01630: client denied by server configuration: /usr/share/monitorix

Expected results:
access to monitorix

Additional info:
should look something like this:

    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require ip 127.0.0.1
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </IfModule>

http://httpd.apache.org/docs/2.4/upgrading.html

Comment 1 frollic nilsson 2014-02-17 08:35:09 UTC
Conf looks the same in monitorix-3.4.0-1.fc20.noarch

Comment 2 Jordi Sanfeliu 2014-04-03 07:35:28 UTC
(In reply to frollic nilsson from comment #0)

Hi Frollic,

I wasn't aware of that bug. I just discovered it yesterday when I was browsing the page <https://apps.fedoraproject.org/packages/monitorix/>.

The new 3.5.0 version is already out but, if you agree, I could introduce the following modifications to the file 'monitorix-apache.conf' to include support for Apache 2.2 and 2.4 access control:


    # Monitorix is a lightweight system monitoring tool
    #

    Alias /monitorix /var/lib/monitorix/www
    ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi

    <Directory /var/lib/monitorix/www/cgi/>
        DirectoryIndex monitorix.cgi
        Options ExecCGI
        <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all denied
            Require ip 127.0.0.1
        </IfModule>
        <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order deny,allow
            Deny from all
            Allow from 127.0.01
        </IfModule>
    </Directory>
    [...]

Please, let me know.
Thanks.

Comment 3 Jordi Sanfeliu 2014-04-03 07:37:44 UTC
(In reply to Jordi Sanfeliu from comment #2)

fix typo:

          Allow from 127.0.0.1

Comment 4 frollic nilsson 2014-04-04 13:22:11 UTC
sure!

Comment 5 Jordi Sanfeliu 2014-04-07 10:50:39 UTC
It's done.

https://github.com/mikaku/Monitorix/commit/878dcf1fe41639ac41f79a147b06bcc8f4cbf1d3

Regards.
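
Added example, not part of the original report or of the Monitorix project: a small linter for a conf file that must load on both Apache 2.2 and 2.4. It flags 2.2 access directives outside `<IfModule !mod_authz_core.c>`, 2.4 `Require` providers outside `<IfModule mod_authz_core.c>`, invalid `Require all` / `Require host` arguments, and address literals with a leading-zero octet such as the typo corrected in comment 3. The function name, the sample input and the assumption that only the `mod_authz_core.c` guard form is used are illustrative.

```python
import re

LEGACY = {"order", "allow", "deny", "satisfy"}     # Apache 2.2 access-control directives
AUTHZ_24 = {"all", "ip", "host", "local"}          # Require providers new in Apache 2.4
NUMERIC = re.compile(r"\d+(\.\d+){1,3}(/\d+)?$")   # dotted-decimal literal, optional /prefix

def lint_access_control(conf_text):
    """Return (line_number, message) findings for a conf meant to load on 2.2 and 2.4."""
    findings, guards = [], []                      # guards: stack of open <IfModule> tests
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<IfModule\s+([^>\s]+)\s*>", line, re.I)
        if opened:
            guards.append(opened.group(1).lower())
            continue
        if re.match(r"</IfModule\s*>", line, re.I):
            del guards[-1:]                        # tolerates an unmatched closing tag
            continue
        words = line.split()
        name, args = words[0].lower(), [w.lower() for w in words[1:]]
        if name in LEGACY and "!mod_authz_core.c" not in guards:
            findings.append((no, f"{words[0]}: 2.2 directive outside <IfModule !mod_authz_core.c>"))
        if name == "require" and args and args[0] in AUTHZ_24:
            if "mod_authz_core.c" not in guards:
                findings.append((no, f"Require {args[0]}: 2.4 syntax outside <IfModule mod_authz_core.c>"))
            if args[0] == "all" and args[1:] not in (["granted"], ["denied"]):
                findings.append((no, "Require all: argument must be granted or denied"))
            if args[0] == "host" and any(NUMERIC.match(a) for a in args[1:]):
                findings.append((no, "Require host: address literal given, use Require ip"))
        for a in args:
            if NUMERIC.match(a) and re.search(r"(^|\.)0\d", a):
                findings.append((no, f"{a}: octet with a leading zero, likely a typo"))
    return findings

# Constructed sample combining the problems discussed in this report.
SAMPLE = """\
Order deny,allow
Deny from all
Allow from 127.0.01
<IfModule mod_authz_core.c>
    Require all 127.0.0.1
</IfModule>
"""

if __name__ == "__main__":
    for no, message in lint_access_control(SAMPLE):
        print(f"line {no}: {message}")
```

A conf that wraps each syntax in its matching `<IfModule>` guard and uses well-formed addresses produces no findings.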

