Hello,

On Debian 11 with Apache 2.4.53, I am trying to set up access rules for the fusioninventory-agent plugin of the GLPI application.
https://www.glpi-project.org/
https://fusioninventory.org/

Access to the GLPI application and the fusioninventory GUI is only allowed from the local network. But computers can *POST* inventory from all over the Internet with their fusioninventory Agent to the URL /plugins/fusioninventory/.

Beginning of my virtualhost configuration:

<VirtualHost *:443>
    ServerName glpi.redfoxcenter.org
    ServerAdmin webmaster@xxxxxxxxxxxxxxxx
    DocumentRoot /srv/web/redfoxcenter.org/vhosts/glpi/htdocs

    <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs>
        Options None
        AllowOverride AuthConfig
        Require ip 192.168.10.0/24
        Require local
    </Directory>

    <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory>
        LogLevel trace8
        LogMessage "Before Require: Access from IP:%{REMOTE_ADDR} to URL:%{REQUEST_URI} with UserAgent:%{HTTP_USER_AGENT} and Method:%{REQUEST_METHOD}"
        <RequireAny>
            Require ip 192.168.10.0/24
            Require local
            <RequireAll>
                Require method POST
                Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/"
            </RequireAll>
        </RequireAny>
    </Directory>

    DirectoryIndex index.php index.html

When I send inventory with the full URL (ending with index.php) it works:

# fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
[info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
[info] sending prolog request to server0
[info] running task Inventory
[info] New inventory from dragon-2022-03-04-21-57-48 for server0 (tag=HOME)

But when I send inventory with the short URL (without index.php) it fails:

# fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/
[info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/
[info] sending prolog request to server0
[error] [http client] communication error: 403 Forbidden
[error] No answer from server at https://glpi.redfoxcenter.org/plugins/fusioninventory/

In the debug log, we can see that the "Require method POST" is internally denied after mod_dir adds index.php or index.html to the short URL.

[Sun Apr 17 18:38:21.217827 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.217857 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.217863 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: granted
[Sun Apr 17 18:38:21.217872 2022] [authz_core:trace4] [pid 9233:tid 140262107780864] util_expr_eval.c(863): [client 192.168.20.1:56072] Evaluation of expression from /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:34 gave: 1
[Sun Apr 17 18:38:21.217879 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/": granted
[Sun Apr 17 18:38:21.217884 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: granted
[Sun Apr 17 18:38:21.217888 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: granted
[Sun Apr 17 18:38:21.217892 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(360): [client 192.168.20.1:56072] request authorized without authentication by access_checker_ex hook: /plugins/fusioninventory/
[Sun Apr 17 18:38:21.217970 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.217982 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.217987 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: denied
[Sun Apr 17 18:38:21.217991 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: denied
[Sun Apr 17 18:38:21.217995 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: denied
[Sun Apr 17 18:38:21.217999 2022] [authz_core:error] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] AH01630: client denied by server configuration: /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.php
[Sun Apr 17 18:38:21.218003 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.php
[Sun Apr 17 18:38:21.218060 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.218069 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.218074 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: denied
[Sun Apr 17 18:38:21.218078 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: denied
[Sun Apr 17 18:38:21.218082 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: denied
[Sun Apr 17 18:38:21.218085 2022] [authz_core:error] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] AH01630: client denied by server configuration: /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.html
[Sun Apr 17 18:38:21.218089 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.html
[Sun Apr 17 18:38:21.218094 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(417): [client 192.168.20.1:56072] fixups hook gave 403: /plugins/fusioninventory/
[Sun Apr 17 18:38:21.218153 2022] [http:trace3] [pid 9233:tid 140262107780864] http_filters.c(1129): [client 192.168.20.1:56072] Response sent with status 403, headers:
[Sun Apr 17 18:38:21.218162 2022] [http:trace5] [pid 9233:tid 140262107780864] http_filters.c(1138): [client 192.168.20.1:56072] Date: Sun, 17 Apr 2022 18:38:21 GMT
[Sun Apr 17 18:38:21.218167 2022] [http:trace5] [pid 9233:tid 140262107780864] http_filters.c(1141): [client 192.168.20.1:56072] Server: Apache/2.4.53 (Debian)
[Sun Apr 17 18:38:21.218171 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Strict-Transport-Security: max-age=31536000 ; includeSubDomains
[Sun Apr 17 18:38:21.218176 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Content-Length: 287
[Sun Apr 17 18:38:21.218180 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Keep-Alive: timeout=5, max=100
[Sun Apr 17 18:38:21.218184 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Connection: Keep-Alive
[Sun Apr 17 18:38:21.218187 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Content-Type: text/html; charset=iso-8859-1
[Sun Apr 17 18:38:21.218292 2022] [log_debug:trace4] [pid 9233:tid 140262107780864] util_expr_eval.c(847): [client 192.168.20.1:56072] Evaluation of string expression from /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28 gave: Before Require: Access from IP:192.168.20.1 to URL:/plugins/fusioninventory/ with UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST
[Sun Apr 17 18:38:21.218304 2022] [log_debug:info] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] Before Require: Access from IP:192.168.20.1 to URL:/plugins/fusioninventory/ with UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST (log_transaction hook, /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28)

Any suggestions?

Best Regards,
--
Christophe Merlet (RedFox)
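
The flip described in the message can be pulled out of such a trace mechanically. The following is an added example, not part of the original post: it groups the AH01626 lines into authorization passes (the requested URL, then each internal index lookup) and reports the leaf Require directives whose result changes between passes. The sample log is constructed by abbreviating the trace above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated from the trace in the post (timestamps,
# pid/tid and client fields dropped; only lines the parser needs are kept).
SAMPLE_LOG = """\
AH01626: authorization result of Require ip 192.168.10.0/24: denied
AH01626: authorization result of Require local : denied
AH01626: authorization result of Require method POST: granted
AH01626: authorization result of <RequireAll>: granted
AH01626: authorization result of <RequireAny>: granted
request authorized without authentication by access_checker_ex hook: /plugins/fusioninventory/
AH01626: authorization result of Require ip 192.168.10.0/24: denied
AH01626: authorization result of Require local : denied
AH01626: authorization result of Require method POST: denied
AH01626: authorization result of <RequireAll>: denied
AH01626: authorization result of <RequireAny>: denied
auth phase 'check access' gave status 403: /plugins/fusioninventory/index.php
"""

RESULT = re.compile(r"AH01626: authorization result of (.+?)\s*: (granted|denied)")
PASS_END = re.compile(r"(?:access_checker_ex hook|gave status \d+): (\S+)")

def authz_passes(log_text):
    """Split the log into authorization passes: [(uri, {directive: result})]."""
    passes, current = [], {}
    for line in log_text.splitlines():
        m = RESULT.search(line)
        if m:
            current[m.group(1)] = m.group(2)
            continue
        m = PASS_END.search(line)  # line that closes a pass and names its URI
        if m and current:
            passes.append((m.group(1), current))
            current = {}
    return passes

def flipped_directives(passes):
    """Leaf Require directives whose result differs between passes."""
    seen = defaultdict(dict)
    for uri, results in passes:
        for directive, result in results.items():
            if directive.startswith("Require "):  # skip <RequireAll>/<RequireAny>
                seen[directive][uri] = result
    return {d: u for d, u in seen.items() if len(set(u.values())) > 1}

if __name__ == "__main__":
    for directive, by_uri in flipped_directives(authz_passes(SAMPLE_LOG)).items():
        print(directive, by_uri)
```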