Public bug reported:

The Icinga package provides an Apache config snippet,
/etc/icinga/apache2.conf, intended to be included in a vhost.

In the most recent release (icinga-1.14.2+ds) this snippet has incorrect
authentication headers that result in the web UI being unusable,
because no HTTP Basic authentication pop-up appears asking for
credentials. The problem is in /etc/icinga/apache2:

<DirectoryMatch "^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/">
        Options FollowSymLinks

        DirectoryIndex index.html

        AllowOverride AuthConfig
        Require all granted

        AuthName "Icinga Access"
        AuthType Basic
        AuthUserFile /etc/icinga/htpasswd.users
        Require valid-user
</DirectoryMatch>


Note there are two 'Require' clauses which, as stackoverflow explains 
(https://serverfault.com/a/844649), are ORed together. Since 'Require all 
granted' always succeeds, 'Require valid-user' is never evaluated. 

This is a regression. In the previous release (icinga_1.13.4-2.debian),
apache2.conf used the older allow/deny access-control directives:

<DirectoryMatch "^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/">
    Options FollowSymLinks

    DirectoryIndex index.html

    AllowOverride AuthConfig
    Order Allow,Deny
    Allow From All

    AuthName "Icinga Access"
    AuthType Basic
    AuthUserFile /etc/icinga/htpasswd.users
    Require valid-user
</DirectoryMatch>


Evidently someone tried to modernize the authentication headers for Apache 2.4.

Per the Apache 2.4 migration guide
(https://httpd.apache.org/docs/2.4/upgrading.html), this could be fixed
by explicitly specifying that both requirements must be met:

        <RequireAll>
          Require all granted
          Require valid-user
        </RequireAll>


but it seems a bit pointless, so I suggest just omitting the 'Require all 
granted' altogether.


(note: this bug affects Debian's package too)

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: icinga (not installed)
ProcVersionSignature: Ubuntu 4.18.0-15.16-generic 4.18.20
Uname: Linux 4.18.0-15-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.10-0ubuntu13.2
Architecture: amd64
CurrentDesktop: MATE
Date: Wed Feb 27 10:00:23 2019
InstallationDate: Installed on 2018-11-28 (90 days ago)
InstallationMedia: Ubuntu-MATE 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.2)
SourcePackage: icinga
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: icinga (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug cosmic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1817807

Title:
  Provided apache snippet does not authenticate users
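
A check for the misconfiguration described in this report, as an added example (not part of the original report or of the Icinga package): it scans Apache 2.4 configuration text and reports every OR context, meaning a section's implicit RequireAny or an explicit <RequireAny>, where 'Require all granted' sits next to another requirement. The function name and sample strings are assumptions made for illustration; the scan reads a single file's text and does not follow Include directives or .htaccess overrides.

```python
import re

OPEN = re.compile(r"^<(\w+)\b.*>$")
CLOSE = re.compile(r"^</(\w+)>$")
REQUIRE = re.compile(r"^Require\s+(.+)$", re.I)
MODES = {"requireall": "all", "requirenone": "none"}  # any other container ORs

def find_bypassed_auth(conf_text):
    """Return (start_line, container, shadowed) for each OR context in which
    'Require all granted' makes the remaining requirements irrelevant."""
    findings = []
    stack = [{"name": "(top level)", "line": 1, "mode": "any", "reqs": []}]

    def close(frame):
        rest = [r for r in frame["reqs"] if r.lower() != "all granted"]
        if frame["mode"] == "any" and rest and len(rest) < len(frame["reqs"]):
            findings.append((frame["line"], frame["name"], rest))

    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if CLOSE.match(line) and len(stack) > 1:
            frame = stack.pop()
            close(frame)
            if frame["name"].lower().startswith("require"):
                # A nested Require* block is one requirement of its parent.
                stack[-1]["reqs"].append("<%s> block" % frame["name"])
        elif OPEN.match(line):
            name = OPEN.match(line).group(1)
            stack.append({"name": name, "line": no,
                          "mode": MODES.get(name.lower(), "any"), "reqs": []})
        elif REQUIRE.match(line):
            stack[-1]["reqs"].append(" ".join(REQUIRE.match(line).group(1).split()))
    while stack:
        close(stack.pop())
    return sorted(findings)

# Constructed input: the access-control lines of the 1.14.2 snippet quoted above.
SECTION = '<DirectoryMatch "^(?:/usr/share/icinga/htdocs|/usr/lib/cgi-bin/icinga|/etc/icinga/stylesheets)/">'
BROKEN = SECTION + """
    Require all granted
    AuthType Basic
    AuthUserFile /etc/icinga/htpasswd.users
    Require valid-user
</DirectoryMatch>
"""
FIXED = BROKEN.replace("    Require all granted\n", "")  # the report's suggested fix

if __name__ == "__main__":
    for line_no, container, shadowed in find_bypassed_auth(BROKEN):
        print("line %d <%s>: 'Require all granted' overrides %s" % (line_no, container, shadowed))
```

Both the <RequireAll> variant and the version with 'Require all granted' removed come back with no findings.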
