Actually, that configuration looks fine at a glance. However, from your logs, mod_dir is hijacking the request in the early phase. You might have to resort to mod_rewrite for this, as much as I hate to suggest it.
I'll have to think about the solution, hopefully someone else can chime in in the meantime.

On Sun, 17 Apr 2022 at 14:59, Christophe Merlet <red...@redfoxcenter.org> wrote:
> Hello,
>
> On Debian 11 with Apache 2.4.53, I try to set up access rules to the
> fusioninventory-agent plugin of GLPI application.
> https://www.glpi-project.org/
> https://fusioninventory.org/
>
> Access to GLPI application and fusioninventory GUI is only allowed to
> local network.
> But computers can *POST* inventory from all over the Internet with their
> fusioninventory Agent to the URL /plugins/fusioninventory/.
>
> Beginning of my virtualhost configuration:
>
> <VirtualHost *:443>
>     ServerName glpi.redfoxcenter.org
>     ServerAdmin webmas...@redfoxcenter.org
>
>     DocumentRoot /srv/web/redfoxcenter.org/vhosts/glpi/htdocs
>     <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs>
>         Options None
>         AllowOverride AuthConfig
>         Require ip 192.168.10.0/24
>         Require local
>     </Directory>
>     <Directory /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory>
>         LogLevel trace8
>         LogMessage "Before Require: Access from IP:%{REMOTE_ADDR} to URL:%{REQUEST_URI} with UserAgent:%{HTTP_USER_AGENT} and Method:%{REQUEST_METHOD}"
>         <RequireAny>
>             Require ip 192.168.10.0/24
>             Require local
>             <RequireAll>
>                 Require method POST
>                 Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/"
>             </RequireAll>
>         </RequireAny>
>     </Directory>
>
>     DirectoryIndex index.php index.html
>
> When I send inventory with full URL (end with index.php) it works
>
> # fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
> [info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/index.php
> [info] sending prolog request to server0
> [info] running task Inventory
> [info] New inventory from dragon-2022-03-04-21-57-48 for server0 (tag=HOME)
>
> But when I send inventory with short URL (without index.php) it fails
>
> # fusioninventory-agent --server=https://glpi.redfoxcenter.org/plugins/fusioninventory/
> [info] target server0: server https://glpi.redfoxcenter.org/plugins/fusioninventory/
> [info] sending prolog request to server0
> [error] [http client] communication error: 403 Forbidden
> [error] No answer from server at https://glpi.redfoxcenter.org/plugins/fusioninventory/
>
> In the debug log, we can see that the "Require method POST" is
> internally denied after mod_dir adds index.php or index.html to the short
> URL.
>
> [Sun Apr 17 18:38:21.217827 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
> [Sun Apr 17 18:38:21.217857 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
> [Sun Apr 17 18:38:21.217863 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: granted
> [Sun Apr 17 18:38:21.217872 2022] [authz_core:trace4] [pid 9233:tid 140262107780864] util_expr_eval.c(863): [client 192.168.20.1:56072] Evaluation of expression from /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:34 gave: 1
> [Sun Apr 17 18:38:21.217879 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require expr "%{HTTP_USER_AGENT} =~ /^FusionInventory-Agent_v/ || %{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/": granted
> [Sun Apr 17 18:38:21.217884 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: granted
> [Sun Apr 17 18:38:21.217888 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: granted
> [Sun Apr 17 18:38:21.217892 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(360): [client 192.168.20.1:56072] request authorized without authentication by access_checker_ex hook: /plugins/fusioninventory/
> [Sun Apr 17 18:38:21.217970 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
> [Sun Apr 17 18:38:21.217982 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
> [Sun Apr 17 18:38:21.217987 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: denied
> [Sun Apr 17 18:38:21.217991 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: denied
> [Sun Apr 17 18:38:21.217995 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: denied
> [Sun Apr 17 18:38:21.217999 2022] [authz_core:error] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] AH01630: client denied by server configuration: /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.php
> [Sun Apr 17 18:38:21.218003 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.php
> [Sun Apr 17 18:38:21.218060 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require ip 192.168.10.0/24: denied
> [Sun Apr 17 18:38:21.218069 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require local : denied
> [Sun Apr 17 18:38:21.218074 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of Require method POST: denied
> [Sun Apr 17 18:38:21.218078 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAll>: denied
> [Sun Apr 17 18:38:21.218082 2022] [authz_core:debug] [pid 9233:tid 140262107780864] mod_authz_core.c(815): [client 192.168.20.1:56072] AH01626: authorization result of <RequireAny>: denied
> [Sun Apr 17 18:38:21.218085 2022] [authz_core:error] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] AH01630: client denied by server configuration: /srv/web/redfoxcenter.org/vhosts/glpi/htdocs/plugins/fusioninventory/index.html
> [Sun Apr 17 18:38:21.218089 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(120): [client 192.168.20.1:56072] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.html
> [Sun Apr 17 18:38:21.218094 2022] [core:trace3] [pid 9233:tid 140262107780864] request.c(417): [client 192.168.20.1:56072] fixups hook gave 403: /plugins/fusioninventory/
> [Sun Apr 17 18:38:21.218153 2022] [http:trace3] [pid 9233:tid 140262107780864] http_filters.c(1129): [client 192.168.20.1:56072] Response sent with status 403, headers:
> [Sun Apr 17 18:38:21.218162 2022] [http:trace5] [pid 9233:tid 140262107780864] http_filters.c(1138): [client 192.168.20.1:56072] Date: Sun, 17 Apr 2022 18:38:21 GMT
> [Sun Apr 17 18:38:21.218167 2022] [http:trace5] [pid 9233:tid 140262107780864] http_filters.c(1141): [client 192.168.20.1:56072] Server: Apache/2.4.53 (Debian)
> [Sun Apr 17 18:38:21.218171 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Strict-Transport-Security: max-age=31536000 ; includeSubDomains
> [Sun Apr 17 18:38:21.218176 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Content-Length: 287
> [Sun Apr 17 18:38:21.218180 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Keep-Alive: timeout=5, max=100
> [Sun Apr 17 18:38:21.218184 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Connection: Keep-Alive
> [Sun Apr 17 18:38:21.218187 2022] [http:trace4] [pid 9233:tid 140262107780864] http_filters.c(959): [client 192.168.20.1:56072] Content-Type: text/html; charset=iso-8859-1
> [Sun Apr 17 18:38:21.218292 2022] [log_debug:trace4] [pid 9233:tid 140262107780864] util_expr_eval.c(847): [client 192.168.20.1:56072] Evaluation of string expression from /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28 gave: Before Require: Access from IP:192.168.20.1 to URL:/plugins/fusioninventory/ with UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST
> [Sun Apr 17 18:38:21.218304 2022] [log_debug:info] [pid 9233:tid 140262107780864] [client 192.168.20.1:56072] Before Require: Access from IP:192.168.20.1 to URL:/plugins/fusioninventory/ with UserAgent:FusionInventory-Agent_v2.5.2-1 and Method:POST (log_transaction hook, /etc/apache2/sites-enabled/glpi.redfoxcenter.org.conf:28)
>
> Any suggestions?
>
> Best Regards,
> --
> Christophe Merlet (RedFox)
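
The flip discussed in this thread, as an added example that is not part of either message: a Python script that groups the AH01626 results of a mod_authz_core debug trace into one authorization pass per URI and reports which directives changed result between the client's request and the index lookups that follow. The log lines are constructed in the message formats of the trace above (timestamps and pid dropped, documentation client address); the function names are this example's own.

```python
import re

# AH01626 reports one directive per line (its text may contain colons);
# PASS_END matches the lines that close a pass and name the URI that was checked.
RESULT = re.compile(r"AH01626: authorization result of (.+?)\s*: (granted|denied)\s*$")
PASS_END = re.compile(r"(?:access_checker_ex hook|gave status (\d+)): (\S+)\s*$")

def authz_passes(log_text):
    """Group AH01626 results into one entry per authorization pass."""
    passes, current = [], {}
    for line in log_text.splitlines():
        m, end = RESULT.search(line), PASS_END.search(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif end and current:
            passes.append({"uri": end.group(2), "status": end.group(1) or "authorized", "results": current})
            current = {}
    return passes

def flipped(passes):
    """Directives whose result differs from the first pass (the client's own request)."""
    first, out = passes[0], []
    for later in passes[1:]:
        for directive, result in later["results"].items():
            before = first["results"].get(directive)
            if before is not None and before != result:
                out.append((directive, first["uri"], before, later["uri"], result))
    return out

# Constructed sample: message formats from the trace, not a copy of it.
A = "[authz_core:debug] [client 192.0.2.10:56072] AH01626: authorization result of "
SAMPLE = "\n".join([
    A + "Require ip 192.168.10.0/24: denied",
    A + "Require local : denied",
    A + "Require method POST: granted",
    A + 'Require expr "%{HTTP_USER_AGENT} =~ /^GLPI-Agent_v/": granted',
    A + "<RequireAll>: granted",
    A + "<RequireAny>: granted",
    "[core:trace3] request authorized without authentication by access_checker_ex hook: /plugins/fusioninventory/",
    A + "Require ip 192.168.10.0/24: denied",
    A + "Require local : denied",
    A + "Require method POST: denied",
    A + "<RequireAll>: denied",
    A + "<RequireAny>: denied",
    "[core:trace3] auth phase 'check access' gave status 403: /plugins/fusioninventory/index.php",
])

if __name__ == "__main__":
    for d, u1, r1, u2, r2 in flipped(authz_passes(SAMPLE)):
        print(f"{d}: {r1} on {u1} -> {r2} on {u2}")
```

Run against a saved error log, `flipped(authz_passes(open(path).read()))` lists the directives to look at first; the IP-based rules stay denied in both passes and are not reported.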