glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

glpi 10.0.7 - Agent can't connect with new apache conf #14485

Closed Chico0008 closed 1 year ago

Chico0008 commented 1 year ago

Version

10.0.7

Bug description

Since updating to 10.0.7, I had a warning saying: "Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details."

After several searches, I found that now in the Apache conf you must expose glpi/public instead of /glpi. Fine.

But: in my original config file I had a directory for glpi/ with SSO, and a 2nd directory pointing to glpi/plugins/glpiinventory, without SSO, so my agent could connect and bring back their inventory.

With the new conf I had a document root to glpi/public; a directory to glpi/public with SSO, works fine, no warning; and I kept my directory to glpi/plugins/glpiinventory, but my agent can't connect anymore.

[Wed Apr  5 16:13:33 2023][info] sending contact request to server0
[Wed Apr  5 16:13:33 2023][error] [http client] authentication required, no credentials available
[Wed Apr  5 16:13:33 2023][error] [http client] unexpected content, starting with: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
[Wed Apr  5 16:13:33 2023][error] No supported answer from server at http://glpi.mydom.lan/plugins/glpiinventory/

What is the correct Apache configuration to have my agent connect and bring back their inventory now, without having to re-deploy/re-conf all the agents?

Here's my current Apache conf:

<VirtualHost *:80>
        ServerName glpi.mydom.lan
        DocumentRoot /var/www/glpi/public
        ErrorLog ${APACHE_LOG_DIR}/glpi/error.log
        CustomLog ${APACHE_LOG_DIR}/glpi/access.log combined
        <Directory /var/www/glpi/plugins/glpiinventory>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>
        <Directory /var/www/glpi/public>
                Options FollowSymlinks
                AllowOverride All
                RewriteEngine On

                # Redirect all requests to GLPI router, unless file exists.
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteRule ^(.*)$ index.php [QSA,L]

                AuthType GSSAPI
                AuthName "glpi.mydom.lan"
                GssapiCredStore keytab:/etc/user_sso.krb.keytab
                GssapiUseSessions On
                GssapiLocalName On
                Require valid-user
        </Directory>
</VirtualHost>

Relevant log output

No response

Page URL

No response

Steps To reproduce

No response

Your GLPI setup information

Informations sur le système, l'installation et la configuration
GLPI 10.0.7 ( => /var/www/glpi)
Installation mode: TARBALL
Current language:fr_FR

Server
 
Operating system: Linux s-web 5.15.0-69-generic #76-Ubuntu SMP Fri Mar 17 17:19:29 UTC 2023 x86_64
PHP 8.1.2-1ubuntu2.11 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, bz2,
    calendar, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring,
    mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem,
    sysvshm, tokenizer, xml, xmlreader, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files"
    upload_max_filesize="2M" 
Software: Apache/2.4.52 (Ubuntu) (Apache/2.4.52 (Ubuntu) Server at glpi.viry.net Port 80
)
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Server Software: Ubuntu 22.04
    Server Version: 10.6.12-MariaDB-0ubuntu0.22.04.1
    Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
    Parameters: dbglpi@localhost/glpi
    Host info: Localhost via UNIX socket

PHP version (8.1.2-1ubuntu2.11) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, json, simplexml.
curl extension is installed.
gd extension is installed.
intl extension is installed.
libxml extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.6.12) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/www/glpi/files/_cache has been validated.
Write access to /var/www/glpi/config has been validated.
Write access to /var/www/glpi/files/_cron has been validated.
Write access to /var/www/glpi/files has been validated.
Write access to /var/www/glpi/files/_dumps has been validated.
Write access to /var/www/glpi/files/_graphs has been validated.
Write access to /var/www/glpi/files/_lock has been validated.
Write access to /var/www/glpi/files/_pictures has been validated.
Write access to /var/www/glpi/files/_plugins has been validated.
Write access to /var/www/glpi/files/_rss has been validated.
Write access to /var/www/glpi/files/_sessions has been validated.
Write access to /var/www/glpi/files/_tmp has been validated.
Write access to /var/www/glpi/files/_uploads has been validated.

Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details.
The following directories should be placed outside "/var/www/glpi":
‣ "/var/www/glpi/files" ("GLPI_VAR_DIR")
‣ "/var/www/glpi/config" ("GLPI_CONFIG_DIR")
You can ignore this suggestion if your web server root directory is "/var/www/glpi/public".
Sessions configuration is secured.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/glpi/marketplace has been validated.
Timezones seems loaded in database.

GLPI constants
 
GLPI_ROOT: "/var/www/glpi"
GLPI_CONFIG_DIR: "/var/www/glpi/config"
GLPI_VAR_DIR: "/var/www/glpi/files"
GLPI_MARKETPLACE_DIR: "/var/www/glpi/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\\/\\/[^@:]+(\\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_DOC_DIR: "/var/www/glpi/files"
GLPI_CACHE_DIR: "/var/www/glpi/files/_cache"
GLPI_CRON_DIR: "/var/www/glpi/files/_cron"
GLPI_DUMP_DIR: "/var/www/glpi/files/_dumps"
GLPI_GRAPH_DIR: "/var/www/glpi/files/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/www/glpi/files/_locales"
GLPI_LOCK_DIR: "/var/www/glpi/files/_lock"
GLPI_LOG_DIR: "/var/www/glpi/files/_log"
GLPI_PICTURE_DIR: "/var/www/glpi/files/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/www/glpi/files/_plugins"
GLPI_RSS_DIR: "/var/www/glpi/files/_rss"
GLPI_SESSION_DIR: "/var/www/glpi/files/_sessions"
GLPI_TMP_DIR: "/var/www/glpi/files/_tmp"
GLPI_UPLOAD_DIR: "/var/www/glpi/files/_uploads"
GLPI_INVENTORY_DIR: "/var/www/glpi/files/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/glpi-plugins/"
GLPI_I18N_DIR: "/var/www/glpi/locales"
GLPI_VERSION: "10.0.7"
GLPI_SCHEMA_VERSION: "10.0.7"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.3.0"
GLPI_YEAR: "2023"

LDAP directories
 
Server: 's-dc-hdv.viry.net', Port: '389', BaseDN: 'DC=viry,DC=net', Connection filter:
        '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))', RootDN: 'CN=glpi,OU=droits
        eleves,OU=Comptes de services,DC=viry,DC=net', Use TLS: none

SQL replicas
 
Not active

Notifications
 
Way of sending emails: SMTP (anonymous@smtp.viry.net)

Plugins list
 
    datainjection        Name: Data Injection                 Version: 2.12.1     State: Enabled                                 
        Install Method: Manual
    formcreator          Name: Form Creator                   Version: 2.13.4     State: Enabled                                 
        Install Method: Manual
    glpiinventory        Name: GLPI Inventory                 Version: 1.1.0      State: Enabled                                 
        Install Method: Manual
    oauthimap            Name: Oauth IMAP                     Version: 1.4.1      State: Enabled                                 
        Install Method: Manual

Anything else?

No response

cedric-anne commented 1 year ago

Hi,

Maybe something like:

AliasMatch "^/(plugins/glpiinventory/(index\.php)?)$" "var/www/glpi/$1"

Chico0008 commented 1 year ago

Tried putting the AliasMatch you suggested before the first Directory setting.

My agent got this error now: [Wed Apr 5 16:41:39 2023][error] [http client] communication error: 403 Forbidden

cedric-anne commented 1 year ago

What was your previous GLPI version?

Chico0008 commented 1 year ago

First I got 10.0.6, but changed to 10.0.7-dev because a bug in 10.0.6 prevented my agent from bringing back their inventory (but they could connect). I had the same warning but didn't change the Apache conf before bringing in the official 10.0.7.

Previous Apache conf (but with the warning):

<VirtualHost *:80>
        ServerName glpi.mydom.lan
        DocumentRoot /var/www/glpi
        ErrorLog ${APACHE_LOG_DIR}/glpi/error.log
        CustomLog ${APACHE_LOG_DIR}/glpi/access.log combined

        <Directory /var/www/glpi/plugins/glpiinventory>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>
        <Directory /var/www/glpi>
                Options FollowSymlinks
                AllowOverride All
                AuthType GSSAPI
                AuthName "glpi.mydom.lan"
                GssapiCredStore keytab:/etc/user_sso.krb.keytab
                GssapiUseSessions On
                GssapiLocalName On
                Require valid-user

        </Directory>
</VirtualHost>

Chico0008 commented 1 year ago

It's OK, the first / was missing in the path of the AliasMatch:

AliasMatch "^/(plugins/glpiinventory/(index\.php)?)$" "/var/www/glpi/$1"

Thanks for your help.

FredVRA commented 1 year ago

I have a similar configuration, my site is in HTTPS, and the agents no longer communicate with the server since the GLPI 10.0.7 update from GLPI 10.0.6. The agent log shows this error:

[error] [http client] authentication required, no credentials available

and the Apache log: "POST /plugins/glpiinventory HTTP/1.1" 401 4039 "-" "GLPI-Agent_v1.4"

I have the same error with: AliasMatch "^/(plugins/glpiinventory/(index\.php)?)$" "/var/www/glpi/$1"

For more details, I created a post here: https://forum.glpi-project.org/viewtopic.php?pid=501085#p501085

Thanks for your help
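
The `AliasMatch` pattern posted in this thread is anchored at both ends and requires the trailing slash, so it exempts exactly two URLs from the SSO-protected `public/` directory. The following is an added example (not part of the thread or of GLPI) that models that routing in Python over constructed request paths, one of which is the path in the access log line quoted above. `resolve` and `unauthenticated_paths` are hypothetical names, and the `<Directory>` lookup is a simplification of Apache's behaviour.

```python
import re

# Directives copied from the thread. The routing model itself is an assumption
# of this example: a simplified view of Apache's alias -> <Directory> resolution.
ALIAS_PATTERN = re.compile(r"^/(plugins/glpiinventory/(index\.php)?)$")
ALIAS_TARGET = "/var/www/glpi/{0}"            # "/var/www/glpi/$1"
DOCUMENT_ROOT = "/var/www/glpi/public"

# <Directory> sections of the posted vhost: filesystem prefix -> access rule.
DIRECTORIES = {
    "/var/www/glpi/plugins/glpiinventory": "Require all granted",
    "/var/www/glpi/public": "Require valid-user (GSSAPI)",
}


def resolve(url_path):
    """Return (filesystem_path, access_rule) for a request URL path."""
    match = ALIAS_PATTERN.match(url_path)
    if match:
        fs_path = ALIAS_TARGET.format(match.group(1))
    else:
        # No alias applies: the request is served from the DocumentRoot.
        fs_path = DOCUMENT_ROOT + url_path
    # The most specific (longest) <Directory> section is the one that applies.
    for prefix in sorted(DIRECTORIES, key=len, reverse=True):
        if fs_path == prefix or fs_path.startswith(prefix + "/"):
            return fs_path, DIRECTORIES[prefix]
    return fs_path, "no <Directory> section matched"


def unauthenticated_paths(paths):
    """Request paths that end up in a 'Require all granted' directory."""
    return [p for p in paths if resolve(p)[1] == "Require all granted"]


# Constructed sample request paths.
SAMPLES = [
    "/plugins/glpiinventory/",                       # agent URL from the first log
    "/plugins/glpiinventory/index.php",
    "/plugins/glpiinventory",                        # path in the quoted access log
    "/plugins/glpiinventory/front/config.form.php",  # not covered by the alias
    "/index.php",
]

if __name__ == "__main__":
    for path in SAMPLES:
        fs_path, rule = resolve(path)
        print(f"{path:48} -> {fs_path:52} [{rule}]")
```

Only the first two sample paths are served without authentication; every other path, including `/plugins/glpiinventory` without the trailing slash, is resolved under `public/` and therefore hits `Require valid-user`.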