My fault or a bug in Apache ? (mod_dir and Require method rule)


 



Hello,


On Debian 11 with Apache 2.4.53, I am trying to set up access rules for the fusioninventory-agent plugin of the GLPI application.
https://www.glpi-project.org/
https://fusioninventory.org/

Access to the GLPI application and the fusioninventory GUI is only allowed from the local network, but computers can *POST* inventory from all over the Internet with their fusioninventory Agent to the URL /plugins/fusioninventory/.


Beginning of my virtualhost configuration :

<VirtualHost *:443>
	ServerName	glpi.redfoxcenter.org
	ServerAdmin	webmaster@xxxxxxxxxxxxxxxx

	DocumentRoot /srv/web/redfoxcenter.org/vhosts/glpi/htdocs
	<Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs>
		Options None
		AllowOverride AuthConfig
		Require ip 192.168.10.0/24
		Require local
	</Directory>
	<Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory>
		LogLevel trace8
		LogMessage "Before Require: Access from IP:%{REMOTE_ADDR} to URL:%{REQUEST_URI} with UserAgent:%{HTTP_USER_AGENT} and Method:%{REQUEST_METHOD}"
		<RequireAny>
			Require ip 192.168.10.0/24
			Require local
			<RequireAll>
				Require method POST
				Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/"
			</RequireAll>
		</RequireAny>
	</Directory>

	DirectoryIndex	index.php index.html


When I send the inventory with the full URL (ending with index.php), it works:

# fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
[info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
[info] sending prolog request to server0
[info] running task Inventory
[info] New inventory from dragon-2022-03-04-21-57-48 for server0 (tag=HOME)

But when I send the inventory with the short URL (without index.php), it fails:

# fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/
[info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/
[info] sending prolog request to server0
[error] [http client] communication error: 403 Forbidden
[error] No answer from server at https://glpi.redfoxcenter.org/plugins/fusioninventory/

In the debug log, we can see that "Require method POST" is internally denied after mod_dir adds index.php or index.html to the short URL.


[Sun Apr 17 18:38:21.217827 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.217857 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.217863 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: granted
[Sun Apr 17 18:38:21.217872 2022] [authz_core:trace4] [pid 9233:tid 140262107780864] util_expr_eval.c(863): [client 192.168.20.1:56072] Evaluation of expression from /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:34 gave: 1
[Sun Apr 17 18:38:21.217879 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/": granted
[Sun Apr 17 18:38:21.217884 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: granted
[Sun Apr 17 18:38:21.217888 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: granted
[Sun Apr 17 18:38:21.217892 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(360): [client 192.168.20.1:56072] request authorized without authentication by access_checker_ex hook: /plugins/fusioninventory/
[Sun Apr 17 18:38:21.217970 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.217982 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.217987 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: denied
[Sun Apr 17 18:38:21.217991 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: denied
[Sun Apr 17 18:38:21.217995 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: denied
[Sun Apr 17 18:38:21.217999 2022] [authz_core:error] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] AH01630: client denied by server configuration: /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.php
[Sun Apr 17 18:38:21.218003 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.php
[Sun Apr 17 18:38:21.218060 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.218069 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.218074 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: denied
[Sun Apr 17 18:38:21.218078 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: denied
[Sun Apr 17 18:38:21.218082 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: denied
[Sun Apr 17 18:38:21.218085 2022] [authz_core:error] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] AH01630: client denied by server configuration: /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.html
[Sun Apr 17 18:38:21.218089 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.html
[Sun Apr 17 18:38:21.218094 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(417): [client 192.168.20.1:56072] fixups hook gave 403: /plugins/fusioninventory/
[Sun Apr 17 18:38:21.218153 2022] [http:trace3] [pid 9233:tid 140262107780864] http_filters.c(1129): [client 192.168.20.1:56072] Response sent with status 403, headers:
[Sun Apr 17 18:38:21.218162 2022] [http:trace5] [pid 9233:tid 140262107780864] http_filters.c(1138): [client 192.168.20.1:56072] Date: Sun, 17 Apr 2022 18:38:21 GMT
[Sun Apr 17 18:38:21.218167 2022] [http:trace5] [pid 9233:tid 140262107780864] http_filters.c(1141): [client 192.168.20.1:56072] Server: Apache/2.4.53 (Debian)
[Sun Apr 17 18:38:21.218171 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Strict-Transport-Security: max-age=31536000 ; includeSubDomains
[Sun Apr 17 18:38:21.218176 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Content-Length: 287
[Sun Apr 17 18:38:21.218180 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Keep-Alive: timeout=5, max=100
[Sun Apr 17 18:38:21.218184 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Connection: Keep-Alive
[Sun Apr 17 18:38:21.218187 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Content-Type: text/html; charset=iso-8859-1
[Sun Apr 17 18:38:21.218292 2022] [log_debug:trace4] [pid 9233:tid 140262107780864] util_expr_eval.c(847): [client 192.168.20.1:56072] Evaluation of string expression from /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28 gave: Before Require: Access from IP:192.168.20.1 to URL:/plugins/fusioninventory/ with UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST
[Sun Apr 17 18:38:21.218304 2022] [log_debug:info] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] Before Require: Access from IP:192.168.20.1 to URL:/plugins/fusioninventory/ with UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST (log_transaction hook, /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28)


Any suggestions ?

Best Regards,
--
Christophe Merlet (RedFox)




