Re: My fault or a bug in Apache ? (mod_dir and Require method rule)

Actually, that configuration looks fine at a glance.

However, from your logs, mod_dir is hijacking the request in the early phase. You might have to resort to mod_rewrite for this, as much as I hate to suggest it.

I'll have to think about the solution, hopefully someone else can chime in in the meantime.

On Sun, 17 Apr 2022 at 14:59, Christophe Merlet <redfox@xxxxxxxxxxxxxxxx> wrote:
Hello,


On Debian 11 with Apache 2.4.53, I am trying to set up access rules for the
fusioninventory-agent plugin of the GLPI application.
https://www.glpi-project.org/
https://fusioninventory.org/

Access to the GLPI application and the fusioninventory GUI is only allowed
from the local network, but computers can *POST* their inventory from all
over the Internet with their fusioninventory Agent to the URL
/plugins/fusioninventory/.


Beginning of my virtualhost configuration:

<VirtualHost *:443>
        ServerName      glpi.redfoxcenter.org
        ServerAdmin     webmaster@xxxxxxxxxxxxxxxx

        DocumentRoot /srv/web/redfoxcenter.org/vhosts/glpi/htdocs
        <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs>
                Options None
                AllowOverride AuthConfig
                Require ip 192.168.10.0/24
                Require local
        </Directory>
        <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory>
                LogLevel trace8
                LogMessage "Before Require: Access from IP:%{REMOTE_ADDR} to URL:%{REQUEST_URI} with UserAgent:%{HTTP_USER_AGENT} and Method:%{REQUEST_METHOD}"
                <RequireAny>
                        Require ip 192.168.10.0/24
                        Require local
                        <RequireAll>
                                Require method POST
                                Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/"
                        </RequireAll>
                </RequireAny>
        </Directory>

        DirectoryIndex  index.php index.html


When I send the inventory with the full URL (ending with index.php), it works:

# fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
[info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
[info] sending prolog request to server0
[info] running task Inventory
[info] New inventory from dragon-2022-03-04-21-57-48 for server0 (tag=HOME)

But when I send the inventory with the short URL (without index.php), it fails:

# fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/
[info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/
[info] sending prolog request to server0
[error] [http client] communication error: 403 Forbidden
[error] No answer from server at
https://glpi.redfoxcenter.org/plugins/fusioninventory/

In the debug log, we can see that the "Require method POST" is
internally denied after mod_dir adds index.php or index.html to the short
URL.


[Sun Apr 17 18:38:21.217827 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.217857 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.217863 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: granted
[Sun Apr 17 18:38:21.217872 2022] [authz_core:trace4] [pid 9233:tid 140262107780864] util_expr_eval.c(863): [client 192.168.20.1:56072] Evaluation of expression from /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:34 gave: 1
[Sun Apr 17 18:38:21.217879 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/": granted
[Sun Apr 17 18:38:21.217884 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: granted
[Sun Apr 17 18:38:21.217888 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: granted
[Sun Apr 17 18:38:21.217892 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(360): [client 192.168.20.1:56072] request authorized without authentication by access_checker_ex hook: /plugins/fusioninventory/
[Sun Apr 17 18:38:21.217970 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.217982 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.217987 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: denied
[Sun Apr 17 18:38:21.217991 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: denied
[Sun Apr 17 18:38:21.217995 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: denied
[Sun Apr 17 18:38:21.217999 2022] [authz_core:error] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] AH01630: client denied by server configuration: /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.php
[Sun Apr 17 18:38:21.218003 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.php
[Sun Apr 17 18:38:21.218060 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.218069 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.218074 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: denied
[Sun Apr 17 18:38:21.218078 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: denied
[Sun Apr 17 18:38:21.218082 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: denied
[Sun Apr 17 18:38:21.218085 2022] [authz_core:error] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] AH01630: client denied by server configuration: /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.html
[Sun Apr 17 18:38:21.218089 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.html
[Sun Apr 17 18:38:21.218094 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(417): [client 192.168.20.1:56072] fixups hook gave 403: /plugins/fusioninventory/
[Sun Apr 17 18:38:21.218153 2022] [http:trace3] [pid 9233:tid 140262107780864] http_filters.c(1129): [client 192.168.20.1:56072] Response sent with status 403, headers:
[Sun Apr 17 18:38:21.218162 2022] [http:trace5] [pid 9233:tid 140262107780864] http_filters.c(1138): [client 192.168.20.1:56072]   Date: Sun, 17 Apr 2022 18:38:21 GMT
[Sun Apr 17 18:38:21.218167 2022] [http:trace5] [pid 9233:tid 140262107780864] http_filters.c(1141): [client 192.168.20.1:56072]   Server: Apache/2.4.53 (Debian)
[Sun Apr 17 18:38:21.218171 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072]   Strict-Transport-Security: max-age=31536000 ; includeSubDomains
[Sun Apr 17 18:38:21.218176 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072]   Content-Length: 287
[Sun Apr 17 18:38:21.218180 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072]   Keep-Alive: timeout=5, max=100
[Sun Apr 17 18:38:21.218184 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072]   Connection: Keep-Alive
[Sun Apr 17 18:38:21.218187 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072]   Content-Type: text/html; charset=iso-8859-1
[Sun Apr 17 18:38:21.218292 2022] [log_debug:trace4] [pid 9233:tid 140262107780864] util_expr_eval.c(847): [client 192.168.20.1:56072] Evaluation of string expression from /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28 gave: Before Require: Access from IP:192.168.20.1 to URL:/plugins/fusioninventory/ with UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST
[Sun Apr 17 18:38:21.218304 2022] [log_debug:info] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] Before Require: Access from IP:192.168.20.1 to URL:/plugins/fusioninventory/ with UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST (log_transaction hook, /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28)


Any suggestions?

Best Regards,
--
Christophe Merlet (RedFox)

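The mod_rewrite route that the reply points at, written out as an added example; this is not configuration from the thread, from Apache's documentation, or from the GLPI/FusionInventory projects. The debug log in the quoted message explains the failure: the client's POST to /plugins/fusioninventory/ passes the RequireAny block (first pass, "request authorized without authentication"), but mod_dir then resolves DirectoryIndex with internal lookup subrequests for index.php and index.html, and a lookup subrequest carries method GET rather than the client's POST, so "Require method POST" is denied for each of them and the fixups hook answers 403. A RewriteRule in VirtualHost context runs in the URL-translation phase, before authorization and before mod_dir's fixup, so the main request itself is mapped to index.php and no subrequest is needed. Paths, network and User-Agent patterns are taken from the quoted configuration; the `DirectoryIndex disabled` line inside the plugin directory is an extra assumption added for defence in depth.

```apache
<VirtualHost *:443>
        ServerName      glpi.redfoxcenter.org
        DocumentRoot /srv/web/redfoxcenter.org/vhosts/glpi/htdocs

        # Server-context rewrite: evaluated at URI translation, i.e. before the
        # authz phase and before mod_dir's fixup. The client's POST to the bare
        # directory URL becomes a POST to index.php, so authz sees method POST
        # on the main request and no GET lookup subrequest is ever generated.
        RewriteEngine On
        RewriteRule ^/plugins/fusioninventory/$ /plugins/fusioninventory/index.php [PT,L]

        <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs>
                Options None
                AllowOverride AuthConfig
                Require ip 192.168.10.0/24
                Require local
        </Directory>

        <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory>
                # Assumption, belt and braces: with the rewrite above the bare
                # directory URL never reaches mod_dir, but disabling the index
                # lookup here guarantees that no subrequest with method GET is
                # evaluated against "Require method POST" for this directory.
                DirectoryIndex disabled

                <RequireAny>
                        Require ip 192.168.10.0/24
                        Require local
                        <RequireAll>
                                Require method POST
                                Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/"
                        </RequireAll>
                </RequireAny>
        </Directory>

        DirectoryIndex  index.php index.html
</VirtualHost>
```

To confirm the change took effect, keep the quoted `LogLevel trace8` on the plugin directory for one test run and check that the error log no longer contains "authorization result of Require method POST: denied" for index.php or index.html, nor the "fixups hook gave 403" line; a successful run shows a single authorization pass, granted, for /plugins/fusioninventory/index.php. Note that `DirectoryIndex disabled` also applies to subdirectories of the plugin, so drop that line if any GUI URL below the plugin relies on a directory index. The User-Agent match narrows who can reach the endpoint from the Internet but is not authentication, since any client can send that header; the inventory handler in GLPI still has to validate what it receives.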

