My fault or a bug in Apache ? (mod_dir and Require method rule)
Hello,


On Debian 11 with Apache 2.4.53, I am trying to set up access rules for the
fusioninventory-agent plugin of the GLPI application.
https://www.glpi-project.org/
https://fusioninventory.org/

Access to the GLPI application and the fusioninventory GUI is only allowed
from the local network.
But computers can *POST* inventory from all over the Internet with their
fusioninventory Agent to the URL /plugins/fusioninventory/.


Beginning of my virtualhost configuration:

<VirtualHost *:443>
    ServerName glpi.redfoxcenter.org
    ServerAdmin webmaster@redfoxcenter.org

    DocumentRoot /srv/web/redfoxcenter.org/vhosts/glpi/htdocs
    <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs>
        Options None
        AllowOverride AuthConfig
        Require ip 192.168.10.0/24
        Require local
    </Directory>
    <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory>
        LogLevel trace8
        LogMessage "Before Require: Access from IP:%{REMOTE_ADDR} to URL:%{REQUEST_URI} with UserAgent:%{HTTP_USER_AGENT} and Method:%{REQUEST_METHOD}"
        <RequireAny>
            Require ip 192.168.10.0/24
            Require local
            <RequireAll>
                Require method POST
                Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/"
            </RequireAll>
        </RequireAny>
    </Directory>

    DirectoryIndex index.php index.html


When I send inventory with the full URL (ending with index.php), it works:

# fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
[info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
[info] sending prolog request to server0
[info] running task Inventory
[info] New inventory from dragon-2022-03-04-21-57-48 for server0 (tag=HOME)

But when I send inventory with the short URL (without index.php), it fails:

# fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/
[info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/
[info] sending prolog request to server0
[error] [http client] communication error: 403 Forbidden
[error] No answer from server at https://glpi.redfoxcenter.org/plugins/fusioninventory/

In the debug log, we can see that the "Require method POST" is
internally denied after mod_dir adds index.php or index.html to the short
URL.


[Sun Apr 17 18:38:21.217827 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.217857 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.217863 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require method POST: granted
[Sun Apr 17 18:38:21.217872 2022] [authz_core:trace4] [pid 9233:tid
140262107780864] util_expr_eval.c(863): [client 192.168.20.1:56072]
Evaluation of expression from
/etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:34 gave: 1
[Sun Apr 17 18:38:21.217879 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require expr "%{HTTP_USER_AGENT} =~
/^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/":
granted
[Sun Apr 17 18:38:21.217884 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of <RequireAll>: granted
[Sun Apr 17 18:38:21.217888 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of <RequireAny>: granted
[Sun Apr 17 18:38:21.217892 2022] [core:trace3] [pid 9233:tid
140262107780864] request.c(360): [client 192.168.20.1:56072] request
authorized without authentication by access_checker_ex hook:
/plugins/fusioninventory/
[Sun Apr 17 18:38:21.217970 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.217982 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.217987 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require method POST: denied
[Sun Apr 17 18:38:21.217991 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of <RequireAll>: denied
[Sun Apr 17 18:38:21.217995 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of <RequireAny>: denied
[Sun Apr 17 18:38:21.217999 2022] [authz_core:error] [pid 9233:tid
140262107780864] [client 192.168.20.1:56072] AH01630: client denied by
server configuration:
/srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.php
[Sun Apr 17 18:38:21.218003 2022] [core:trace3] [pid 9233:tid
140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase
'check access' gave status 403: /plugins/fusioninventory/index.php
[Sun Apr 17 18:38:21.218060 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require ip 192.168.10.0/24: denied
[Sun Apr 17 18:38:21.218069 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require local : denied
[Sun Apr 17 18:38:21.218074 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of Require method POST: denied
[Sun Apr 17 18:38:21.218078 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of <RequireAll>: denied
[Sun Apr 17 18:38:21.218082 2022] [authz_core:debug] [pid 9233:tid
140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072]
AH01626: authorization result of <RequireAny>: denied
[Sun Apr 17 18:38:21.218085 2022] [authz_core:error] [pid 9233:tid
140262107780864] [client 192.168.20.1:56072] AH01630: client denied by
server configuration:
/srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.html
[Sun Apr 17 18:38:21.218089 2022] [core:trace3] [pid 9233:tid
140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase
'check access' gave status 403: /plugins/fusioninventory/index.html
[Sun Apr 17 18:38:21.218094 2022] [core:trace3] [pid 9233:tid
140262107780864] request.c(417): [client 192.168.20.1:56072] fixups hook
gave 403: /plugins/fusioninventory/
[Sun Apr 17 18:38:21.218153 2022] [http:trace3] [pid 9233:tid
140262107780864] http_filters.c(1129): [client 192.168.20.1:56072]
Response sent with status 403, headers:
[Sun Apr 17 18:38:21.218162 2022] [http:trace5] [pid 9233:tid
140262107780864] http_filters.c(1138): [client 192.168.20.1:56072]
Date: Sun, 17 Apr 2022 18:38:21 GMT
[Sun Apr 17 18:38:21.218167 2022] [http:trace5] [pid 9233:tid
140262107780864] http_filters.c(1141): [client 192.168.20.1:56072]
Server: Apache/2.4.53 (Debian)
[Sun Apr 17 18:38:21.218171 2022] [http:trace4] [pid 9233:tid
140262107780864] http_filters.c(959): [client 192.168.20.1:56072]
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
[Sun Apr 17 18:38:21.218176 2022] [http:trace4] [pid 9233:tid
140262107780864] http_filters.c(959): [client 192.168.20.1:56072]
Content-Length: 287
[Sun Apr 17 18:38:21.218180 2022] [http:trace4] [pid 9233:tid
140262107780864] http_filters.c(959): [client 192.168.20.1:56072]
Keep-Alive: timeout=5, max=100
[Sun Apr 17 18:38:21.218184 2022] [http:trace4] [pid 9233:tid
140262107780864] http_filters.c(959): [client 192.168.20.1:56072]
Connection: Keep-Alive
[Sun Apr 17 18:38:21.218187 2022] [http:trace4] [pid 9233:tid
140262107780864] http_filters.c(959): [client 192.168.20.1:56072]
Content-Type: text/html; charset=iso-8859-1
[Sun Apr 17 18:38:21.218292 2022] [log_debug:trace4] [pid 9233:tid
140262107780864] util_expr_eval.c(847): [client 192.168.20.1:56072]
Evaluation of string expression from
/etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28 gave: Before
Require: Access from IP:192.168.20.1 to URL:/plugins/fusioninventory/
with UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST
[Sun Apr 17 18:38:21.218304 2022] [log_debug:info] [pid 9233:tid
140262107780864] [client 192.168.20.1:56072] Before Require: Access from
IP:192.168.20.1 to URL:/plugins/fusioninventory/ with
UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST
(log_transaction hook,
/etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28)


Any suggestions ?

Best Regards,
--
Christophe Merlet (RedFox)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
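
The trace above contains separate authorization passes: one for the client's POST to /plugins/fusioninventory/ and one for each DirectoryIndex candidate that mod_dir looks up. The following Python example is an addition, not part of the original thread; it splits such a trace into passes and reports which Require directive was granted for the client's request but denied for an index-file lookup. The sample log is constructed by abridging the posted trace, the function names are illustrative, and it assumes one log entry per line with the client's request logged first.

```python
import re

# Constructed sample: the trace from the post, abridged (timestamps, pid/tid and
# client fields dropped, wrapped lines rejoined, index.html pass omitted).
SAMPLE_LOG = """\
[authz_core:debug] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[authz_core:debug] AH01626: authorization result of Require local : denied
[authz_core:debug] AH01626: authorization result of Require method POST: granted
[authz_core:debug] AH01626: authorization result of <RequireAll>: granted
[authz_core:debug] AH01626: authorization result of <RequireAny>: granted
[core:trace3] request authorized without authentication by access_checker_ex hook: /plugins/fusioninventory/
[authz_core:debug] AH01626: authorization result of Require ip 192.168.10.0/24: denied
[authz_core:debug] AH01626: authorization result of Require local : denied
[authz_core:debug] AH01626: authorization result of Require method POST: denied
[authz_core:debug] AH01626: authorization result of <RequireAll>: denied
[authz_core:debug] AH01626: authorization result of <RequireAny>: denied
[core:trace3] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.php
[core:trace3] fixups hook gave 403: /plugins/fusioninventory/
"""

RESULT_RE = re.compile(r"AH01626: authorization result of (.+): (granted|denied)\s*$")
GRANT_RE = re.compile(r"authorized without authentication by access_checker_ex hook: (?P<uri>\S+)")
DENY_RE = re.compile(r"auth phase 'check access' gave status \d+: (?P<uri>\S+)")


def authz_passes(log_text):
    """Split a trace into authorization passes, one per URI that was checked."""
    passes, results = [], {}
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            # Collect each directive's verdict until the pass is closed.
            results[m.group(1).strip()] = m.group(2)
            continue
        m = GRANT_RE.search(line) or DENY_RE.search(line)
        if m:
            # A grant or 403 line names the URI this pass was evaluated for.
            passes.append({"uri": m.group("uri"),
                           "granted": m.re is GRANT_RE,
                           "results": results})
            results = {}
    return passes


def flipped_directives(passes):
    """Require lines granted for the first pass but denied for a later one."""
    if not passes:
        return []
    main = passes[0]["results"]  # assumption: the client's own request comes first
    flipped = []
    for later in passes[1:]:
        for directive, verdict in later["results"].items():
            is_container = directive.startswith("<")  # skip <RequireAll>/<RequireAny>
            if not is_container and main.get(directive) == "granted" and verdict == "denied":
                flipped.append((later["uri"], directive))
    return flipped
```
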
Re: My fault or a bug in Apache ? (mod_dir and Require method rule)
Actually, that configuration looks fine at a glance.

However, from your logs, mod_dir is hijacking the request in the early
phase. You might have to resort to mod_rewrite for this, as much as I hate
to suggest it.

I'll have to think about the solution, hopefully someone else can chime in
in the meantime.

On Sun, 17 Apr 2022 at 14:59, Christophe Merlet <redfox@redfoxcenter.org>
wrote:

> Hello,
>
>
> On Debian 11 with Apache 2.4.53, I am trying to set up access rules for the
> fusioninventory-agent plugin of the GLPI application.
> https://www.glpi-project.org/
> https://fusioninventory.org/
>
> Access to the GLPI application and the fusioninventory GUI is only allowed
> from the local network.
> But computers can *POST* inventory from all over the Internet with their
> fusioninventory Agent to the URL /plugins/fusioninventory/.
>
>
> Beginning of my virtualhost configuration:
>
> <VirtualHost *:443>
>     ServerName glpi.redfoxcenter.org
>     ServerAdmin webmaster@redfoxcenter.org
>
>     DocumentRoot /srv/web/redfoxcenter.org/vhosts/glpi/htdocs
>     <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs>
>         Options None
>         AllowOverride AuthConfig
>         Require ip 192.168.10.0/24
>         Require local
>     </Directory>
>     <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory>
>         LogLevel trace8
>         LogMessage "Before Require: Access from IP:%{REMOTE_ADDR} to URL:%{REQUEST_URI} with UserAgent:%{HTTP_USER_AGENT} and Method:%{REQUEST_METHOD}"
>         <RequireAny>
>             Require ip 192.168.10.0/24
>             Require local
>             <RequireAll>
>                 Require method POST
>                 Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/"
>             </RequireAll>
>         </RequireAny>
>     </Directory>
>
>     DirectoryIndex index.php index.html
>
>
> When I send inventory with the full URL (ending with index.php), it works:
>
> # fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
> [info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
> [info] sending prolog request to server0
> [info] running task Inventory
> [info] New inventory from dragon-2022-03-04-21-57-48 for server0 (tag=HOME)
>
> But when I send inventory with the short URL (without index.php), it fails:
>
> # fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/
> [info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/
> [info] sending prolog request to server0
> [error] [http client] communication error: 403 Forbidden
> [error] No answer from server at https://glpi.redfoxcenter.org/plugins/fusioninventory/
>
> In the debug log, we can see that the "Require method POST" is
> internally denied after mod_dir adds index.php or index.html to the short
> URL.
>
>
>
>
> Any suggestions ?
>
> Best Regards,
> --
> Christophe Merlet (RedFox)
>