Bug 1062202

Summary: monitorix-apache.conf doesn't check Apache version to use proper authorization parameters
Product: [Fedora] Fedora
Reporter: frollic nilsson <frollic>
Component: monitorix
Assignee: Christopher Meng <i>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 20
CC: i, jordi
Hardware: All
OS: Linux
Fixed In Version: monitorix-3.5.1-1.fc20
Doc Type: Bug Fix
Last Closed: 2014-05-19 09:07:05 UTC
Type: Bug

Description frollic nilsson 2014-02-06 12:55:06 UTC
Description of problem:
When using Apache as the web server for monitorix, the file monitorix-apache.conf has to be modified/fixed if Apache 2.4 is used. The conf file contains old Apache <= 2.2 syntax grants and denies, instead of the new Require.


Version-Release number of selected component (if applicable):
monitorix-3.4.0-1.fc19.noarch
httpd-2.4.6-2.fc19.x86_64

How reproducible:
Install httpd 2.4 or above, and monitorix.
Disable use of the monitorix internal web server in monitorix.conf.
Copy /usr/share/doc/monitorix-3.4.0/monitorix-apache.conf to /etc/httpd/conf.d
(restart both).
Attempt to access x.x.x.x/monitorix on the server hosting the application.

Actual results:

Forbidden
You don't have permission to access /monitorix on this server.

log:
[Thu Feb 06 13:49:15.383285 2014] [authz_core:error] [pid 799] [client 1.1.1.1:1222] AH01630: client denied by server configuration: /usr/share/monitorix

Expected results:
access to monitorix

Additional info:
should look something like this:

    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require ip 127.0.0.1
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        # Order deny,allow permits unmatched clients, so deny everyone first
        Deny from all
        Allow from 127.0.0.1
    </IfModule>

http://httpd.apache.org/docs/2.4/upgrading.html

Comment 1 frollic nilsson 2014-02-17 08:35:09 UTC
Conf looks the same in monitorix-3.4.0-1.fc20.noarch

Comment 2 Jordi Sanfeliu 2014-04-03 07:35:28 UTC
(In reply to frollic nilsson from comment #0)

Hi Frollic,

I wasn't aware of that bug. I just discovered it yesterday when I was browsing the page <https://apps.fedoraproject.org/packages/monitorix/>.

The new 3.5.0 version is already out but, if you agree, I could introduce the following modifications to the file 'monitorix-apache.conf' to include support for Apache 2.2 and 2.4 access control:


    # Monitorix is a lightweight system monitoring tool
    #

    Alias /monitorix /var/lib/monitorix/www
    ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi

    <Directory /var/lib/monitorix/www/cgi/>
            DirectoryIndex monitorix.cgi
            Options ExecCGI
            <IfModule mod_authz_core.c>
                    # Apache 2.4
                    Require all denied
                    Require ip 127.0.0.1
            </IfModule>
            <IfModule !mod_authz_core.c>
                    # Apache 2.2
                    Order deny,allow
                    Deny from all
                    Allow from 127.0.01
            </IfModule>
    </Directory>
    [...]

Please, let me know.
Thanks.

Comment 3 Jordi Sanfeliu 2014-04-03 07:37:44 UTC
(In reply to Jordi Sanfeliu from comment #2)

fix typo:

          Allow from 127.0.0.1

Comment 4 frollic nilsson 2014-04-04 13:22:11 UTC
sure!

Comment 5 Jordi Sanfeliu 2014-04-07 10:50:39 UTC
It's done.

https://github.com/mikaku/Monitorix/commit/878dcf1fe41639ac41f79a147b06bcc8f4cbf1d3

Regards.
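
Added example, not part of the bug thread and not Monitorix code: a small Python linter for a conf file that has to serve both Apache 2.2 and 2.4, flagging the access-control slips that are easy to make when porting rules between the two. The rule set, the `lint` function name and the sample input are assumptions made for illustration.

```python
import re

LEGACY = {"order", "allow", "deny", "satisfy"}   # Apache 2.2 access control
DOTTED = re.compile(r"^\d+(\.\d+)*$")            # digits and dots only
QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")    # full IPv4 dotted quad

def lint(conf_text):
    """Return [(line_no, message)] for 2.2/2.4 access-control mistakes."""
    findings, stack = [], []  # stack: <IfModule> argument per open section, else None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sect = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if sect:
            closing, name, arg = sect.groups()
            if not closing:
                stack.append(arg.strip().lower() if name.lower() == "ifmodule" else None)
            elif stack:
                stack.pop()
            continue
        words = line.split()
        key, args = words[0].lower(), [w.lower() for w in words[1:]]
        if key in LEGACY and "!mod_authz_core.c" not in stack:
            findings.append((no, "2.2 directive outside <IfModule !mod_authz_core.c>"))
        if key in ("allow", "deny") and args[:1] == ["from"]:
            for addr in args[1:]:
                if DOTTED.match(addr) and not QUAD.match(addr):
                    findings.append((no, f"{addr}: not a full dotted quad (partial network or typo)"))
        if key == "require" and args[:1] == ["all"] and args[1:] not in (["granted"], ["denied"]):
            findings.append((no, "Require all accepts only 'granted' or 'denied'"))
        if key == "require" and args[:1] == ["host"] and any(QUAD.match(a) for a in args[1:]):
            findings.append((no, "Require host matches DNS names; use Require ip or Require local"))
    return findings

# Constructed sample: one mistake of each kind the linter knows about.
SAMPLE = """\
<IfModule mod_authz_core.c>
    Require all 127.0.0.1
    Require host 127.0.0.1
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 127.0.01
</IfModule>
Order deny,allow
"""
```

`lint(SAMPLE)` reports lines 2, 3, 8 and 10; a file that uses `Require ip` inside the 2.4 guard and full addresses inside the 2.2 guard comes back empty.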