Closed themr0c closed 8 years ago
You didn't by any chance try to open it in a new tab or something instead of just clicking it, did you?
Another reason could be disabled JS.
No, regular clicking on it. Apache is in front of arachni. BTW, all href links in the page are http://arachni.tld links. Not sure if the issue is at apache level or at arachni level. Investigating.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/arachni.cer
    SSLCertificateKeyFile /etc/ssl/arachni.key
    SSLCACertificateFile /etc/ssl/arachni.ca
    SSLProtocol all -SSLv3 -TLSv1
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    SSLHonorCipherOrder on
    ServerName arachni.tld
    ServerAdmin webmaster@localhost
    DocumentRoot /srv/arachni/arachni/system/arachni-ui-web/public/
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/arachni_error.log
    CustomLog ${APACHE_LOG_DIR}/arachni_access.log combined
    ProxyPassMatch "/assets" !
    ProxyPass "/" "http://localhost:9292/"
    ProxyPassReverse "/" "http://localhost:9292/"
    <Directory /srv/arachni/arachni/system/arachni-ui-web/public/>
        Options FollowSymLinks
        AllowOverride All
        DirectoryIndex index.html
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName arachni.tld
    Redirect / https://arachni.tld/
</VirtualHost>
That link should issue a PATCH, not GET -- happens via JS hackery, not sure about the internals.
I'm closing this since I couldn't reproduce it when Arachni is deployed in the way that it was intended, but feel free to ask for any info you need to debug this.
Fine.
On the same page, links are handled differently.
Some of them are relative links, and they are OK, like:
<a href="/scans/3/issues/89">
Some others are using absolute URLs, and they are broken:
<a class="btn btn-inverse" rel="nofollow" data-method="patch" href="http://arachni.tld/notifications/mark_read">
Sure, adding the apache layer has triggered the issue, but I need a proxy in front to have some LDAP authentication on top of the application at some point.
I don't think it's the relative vs absolute that's causing the issue but the PATCH method.
Check what request is sent when just using Arachni and what happens when you do the same with the proxy in front.
It probably has to do with the way PATCH is emulated/performed, something is not reaching the origin server or it is reaching it incorrectly.
Was not limited to the patch / data-refresh-url links. I had it also on:
<a href="http://arachni.emakina.com/scans/new">
I managed to fix it by using apache mod_proxy_html.
https://httpd.apache.org/docs/2.4/mod/mod_proxy_html.html#proxyhtmlurlmap
http://www.apachetutor.org/admin/reverseproxies
http://apache.webthing.com/svn/apache/filters/proxy_html/proxy_html.conf
Virtualhost modifications:
ProxyRequests off
ProxyPassMatch "/assets" !
ProxyPass "/" "http://localhost:9292/"
ProxyHTMLEnable On
# fix links issue as referenced on https://github.com/Arachni/arachni-ui-web/issues/96
ProxyHTMLURLMap http://arachni.tld/ /
# standard reverse proxy
ProxyHTMLURLMap http://localhost:9292/ /
# links must be defined
ProxyHTMLLinks div data-refresh-url
ProxyHTMLLinks a href
ProxyHTMLLinks area href
ProxyHTMLLinks link href
ProxyHTMLLinks img src longdesc usemap
ProxyHTMLLinks object classid codebase data usemap
ProxyHTMLLinks q cite
ProxyHTMLLinks blockquote cite
ProxyHTMLLinks ins cite
ProxyHTMLLinks del cite
ProxyHTMLLinks form action
ProxyHTMLLinks input src usemap
ProxyHTMLLinks head profile
ProxyHTMLLinks base href
ProxyHTMLLinks script src for
So basically it works behind an apache 2.4 ;)
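Added example, not part of the thread and not Arachni or Apache code: a Python model of the prefix rewrite that ProxyHTMLURLMap applies to the attributes listed in ProxyHTMLLinks, reporting which links in a proxied page would be rewritten. The sample HTML is constructed from the anchors quoted in this thread; the data-refresh-url div and the localhost link are hypothetical.

```python
from html.parser import HTMLParser

# Subset of the ProxyHTMLLinks table from the vhost above: element -> URL attributes.
PROXY_HTML_LINKS = {"div": ["data-refresh-url"], "a": ["href"], "form": ["action"],
                    "img": ["src", "longdesc", "usemap"], "script": ["src", "for"]}
# ProxyHTMLURLMap rules from the vhost above: (from-prefix, to-prefix).
URL_MAP = [("http://arachni.tld/", "/"), ("http://localhost:9292/", "/")]


def map_url(value, url_map=URL_MAP):
    """Return the rewritten value if a rule's prefix matches, else None."""
    for src, dst in url_map:
        if value.startswith(src):
            return dst + value[len(src):]
    return None


class LinkAudit(HTMLParser):
    """Collect (tag, attr, original, rewritten) for every link a rule would rewrite."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in PROXY_HTML_LINKS.get(tag, []):
                new = map_url(value)
                if new is not None:
                    self.findings.append((tag, name, value, new))


def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample: the two anchors quoted in the thread, a hypothetical
# data-refresh-url div, and a hypothetical link exposing the backend address.
SAMPLE = """
<a href="/scans/3/issues/89">issue</a>
<a class="btn btn-inverse" rel="nofollow" data-method="patch" href="http://arachni.tld/notifications/mark_read">Mark all read</a>
<div data-refresh-url="http://arachni.tld/scans/3.js"></div>
<a href="http://localhost:9292/scans/new">New scan</a>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Paths and https://arachni.tld/ links match no rule and are left alone, so an empty result for a page fetched through the proxy means none of these attributes still carries a plain-HTTP or backend URL.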
That's really good to know man, glad you got it working.
Hmm, now something new, but maybe related.
I have created a scan with User1. I have shared the scan with User2. Now I log in with User2. From the menu, I can access the scan in the list: that's fine. But I can't see the list of shared scans from the /scans page. The navigation to "Shared" doesn't work.
The application log is happy, though:
127.0.0.1 - - [18/Nov/2015:16:15:39 +0100] "GET /scans.js?action=index&controller=scans&filter_active=yours&filter_finished=yours&filter_suspended=yours HTTP/1.1" 200 - 0.0787
In the HTML, the link is following:
<a onclick="loading();" data-remote="true" href="https://arachni.tld/scans?action=index&controller=scans&filter_active=yours&filter_finished=shared&filter_suspended=yours">
Does it sound like logical behaviour to you?
The AJAX behind the tabs must be broken, I remember it happening to another place after a dependency upgrade. Should be easy enough to sort out, if I understood the issue correctly.
Hm, works for me, must be a proxy thing again. Can you retry without the proxy and see what happens?
Btw, if it helps, I'm pretty sure I could just switch to using paths in the trouble areas instead of URLs.
I guess paths everywhere should be fine, and would add more consistency in the whole app.
Nightlies are up, I switched all URLs in the views to absolute paths, I hope it helps. Try them out and let me know if you spot any bugs.
Cheers
Hi, just tested the nightly, with apache proxy:
Hm, does that happen without the proxy?
Just checked again, both behind apache and standalone. I believe that the problem is that I didn't understand correctly what I should expect to see in the Scans summary page, without selecting a group. I'll try to be as clear as possible.
So it means the behaviour is different for shared and unshared scans when you didn't select a group on the /scans summary page. A message like the one displayed when a group is selected could be a good thing to make clear which scans the user should expect to see on the page.
On the home page, when clicking on the "Mark all read" button, I get a 404 error on the notifications/mark_read page.