Bug 1823626

Summary: Incorrect awstats.conf leading to inaccessible resources
Product: [Fedora] Fedora EPEL
Reporter: Max <mnikulin>
Component: awstats
Assignee: Tim Jackson <rpm>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: epel8
CC: aurelien, plautrba, rpm
Hardware: x86_64
OS: Linux
Fixed In Version: awstats-7.8-1.el8
Last Closed: 2020-08-25 01:19:41 UTC
Type: Bug
Attachments: Fix incorrect paths in awstats.conf

Description Max 2020-04-14 05:30:02 UTC
Description of problem:
/etc/httpd/conf.d/awstats.conf file in the awstats package
1. has incorrect paths /usr/local instead of /usr/share
2. does not provide configuration for mod_authz_core module
   while mod_access_compat directives are ignored
So HTTP requests to awstats resources, e.g. icons, fail with errors

Version-Release number of selected component (if applicable):
CentOS-8.1 and RHEL-8.1
awstats-7.7-5.el8.noarch

How reproducible:
Can be easily reproduced.

Steps to Reproduce:
1. Install httpd
2. Install awstats (currently it requires --enablerepo epel-testing
   due to the Bug #1819456 related to required perl packages)
3. Try to get some icon
   curl -I 127.0.0.1/awstatsicons/cpu/ibm.png

Actual results:
HTTP/1.1 403 Forbidden
in the case of a simple curl request

The statistics page is missing icons.

If fail2ban is installed on the server and statistics page
is accessed from a browser then the client IP is banned.

Expected results:
HTTP/1.1 200 OK
in the case of the curl request

Working statistics pages.


Additional info:

Expected configuration shipped in the package

--- /etc/httpd/conf.d/awstats.conf.orig 2020-04-14 04:53:51.327456372 +0000
+++ /etc/httpd/conf.d/awstats.conf      2020-04-14 05:16:14.134450340 +0000
@@ -12,18 +12,17 @@
 # Directives to add to your Apache conf file to allow use of AWStats as a CGI.
 # Note that path "/usr/local/awstats/" must reflect your AWStats install path.
 #
-Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
-Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
-Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
-ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
+Alias /awstatsclasses "/usr/share/awstats/wwwroot/classes/"
+Alias /awstatscss "/usr/share/awstats/wwwroot/css/"
+Alias /awstatsicons "/usr/share/awstats/wwwroot/icon/"
+ScriptAlias /awstats/ "/usr/share/awstats/wwwroot/cgi-bin/"
 
 
 #
 # This is to permit URL access to scripts/files in AWStats directory.
 #
-<Directory "/usr/local/awstats/wwwroot">
+<Directory "/usr/share/awstats/wwwroot">
     Options None
     AllowOverride None
-    Order allow,deny
-    Allow from all
+    Require all granted
 </Directory>
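
Review bot: The unchanged comment at the top of this hunk still says 'Note that path "/usr/local/awstats/" must reflect your AWStats install path.', which no longer matches the /usr/share/awstats paths set below it; update the comment to the packaged path so the next reader is not sent back to /usr/local. Separately, the single <Directory "/usr/share/awstats/wwwroot"> block with "Require all granted" also covers the cgi-bin directory named on the ScriptAlias line, so the CGI is opened to every client along with the icons and CSS. If that is not the intended package default, give cgi-bin its own <Directory> block with a narrower rule (for example "Require local") and keep "Require all granted" for the static directories only.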

Notice in /etc/httpd/conf/httpd.conf
<Directory />
    AllowOverride none
    Require all denied
</Directory>

https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
> The directives provided by mod_access_compat have been deprecated by mod_authz_host. Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged.

/var/log/httpd/error_log
[Tue Apr 14 12:14:06.391873 2020] [authz_core:debug] [pid 5410:tid 140559473682176] mod_authz_core.c(820): [client 127.0.0.1:53888] AH01626: authorization result of Require all denied: denied
[Tue Apr 14 12:14:06.391909 2020] [authz_core:debug] [pid 5410:tid 140559473682176] mod_authz_core.c(820): [client 127.0.0.1:53888] AH01626: authorization result of <RequireAny>: denied
[Tue Apr 14 12:14:06.391914 2020] [authz_core:error] [pid 5410:tid 140559473682176] [client 127.0.0.1:53888] AH01630: client denied by server configuration: /usr/local/awstats
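
Both faults described in this report can be caught by a static check of the config fragment before it ships. The following is an added example, not part of the bug report or the awstats package: a small Python audit that flags Alias, ScriptAlias and <Directory> paths that do not exist, and <Directory> blocks that carry only Order/Allow/Deny with no Require. The function name audit, the finding labels and the shortened sample config are assumptions made for illustration.

```python
import os
import re

# Constructed sample: a shortened copy of the shipped awstats.conf from the report.
SHIPPED_CONF = '''\
Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
<Directory "/usr/local/awstats/wwwroot">
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
'''

ALIAS = re.compile(r'^\s*(?:Script)?Alias\s+\S+\s+"?([^"\s]+)"?', re.I)
DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory>', re.I)
LEGACY = re.compile(r'^\s*(Order|Allow|Deny)\b', re.I)  # \b skips AllowOverride
REQUIRE = re.compile(r'^\s*Require\b', re.I)

def audit(conf_text, path_exists=os.path.exists):
    """Return (kind, path) findings for one Apache config fragment."""
    findings = []
    block = None  # [directory path, saw legacy directive, saw Require]
    for line in conf_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        alias = ALIAS.match(line)
        opened = DIR_OPEN.match(line)
        if alias and not path_exists(alias.group(1)):
            findings.append(('missing-alias-target', alias.group(1)))
        elif opened:
            block = [opened.group(1), False, False]
        elif block and LEGACY.match(line):
            block[1] = True
        elif block and REQUIRE.match(line):
            block[2] = True
        elif block and DIR_CLOSE.match(line):
            if not path_exists(block[0]):
                findings.append(('missing-directory', block[0]))
            if block[1] and not block[2]:
                findings.append(('legacy-access-only', block[0]))
            block = None
    return findings

if __name__ == '__main__':
    for kind, path in audit(SHIPPED_CONF):
        print(f'{kind}: {path}')
```

The path_exists parameter lets the check run against a build root or a test fixture instead of the live filesystem; nested <Directory> blocks are not handled.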

Comment 1 Tim Jackson 2020-08-05 07:18:24 UTC
Created attachment 1710477 [details]
Fix incorrect paths in awstats.conf

Trivial patch to fix this

Comment 2 Tim Jackson 2020-08-05 07:19:53 UTC
I've attached a patch and shared this with the maintainer; however, even after applying this patch I've noted some other path-related issues (references to /usr/local/awstats in various files)

Comment 3 Fedora Update System 2020-08-07 02:59:41 UTC
FEDORA-EPEL-2020-3e15414000 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-3e15414000

Comment 4 Fedora Update System 2020-08-08 01:33:55 UTC
FEDORA-EPEL-2020-3e15414000 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-3e15414000

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-08-10 01:08:06 UTC
FEDORA-EPEL-2020-539ebf7d91 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-539ebf7d91

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-08-25 01:19:41 UTC
FEDORA-EPEL-2020-539ebf7d91 has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.