

add new UnsafeAllow3F handling
datamuc committed Sep 11, 2024
1 parent f6931c5 commit ec8fd13
Showing 7 changed files with 45 additions and 12 deletions.
2 changes: 2 additions & 0 deletions packages/apache-omd/Makefile
Expand Up @@ -50,6 +50,8 @@ install: $(APACHE_MODULES_INSTALL)
else \
install -m 644 apache.conf $(DESTDIR)$(OMD_ROOT)/share/omd/apache.conf; \
fi
install -m 644 test-unsafeallow.conf $(DESTDIR)$(OMD_ROOT)/share/omd/apache-test-unsafeallow.conf
sed -i -e 's|###APACHE_MODULE_DIR###|$(APACHE_MODULE_DIR)|g' $(DESTDIR)$(OMD_ROOT)/share/omd/apache-test-unsafeallow.conf

skel:
# install a custom apache configuration for apache 2.4 or later
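Review bot: The two added recipe lines give no hint of what apache-test-unsafeallow.conf is for; a reader of the Makefile alone cannot tell that it is a probe file rather than something the running server loads. Add a recipe comment above the `install -m 644 test-unsafeallow.conf ...` line, e.g. `# probe config: skel/etc/init.d/apache runs "httpd -t" against it to detect UnsafeAllow3F support; never loaded by the running server`. The install rule itself starts outside the hunk, so its other outputs are not visible here.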
3 changes: 1 addition & 2 deletions packages/apache-omd/skel/etc/apache/apache.conf
Expand Up @@ -219,5 +219,4 @@ SocketPath "###ROOT###/tmp/apache/fcgid_sock"

# Load config files from the include dir. You can put your own
# configuration there. Also addons put default files there.
Include ###ROOT###/etc/apache/conf.d/*.conf

Include ###ROOT###/tmp/apache/conf.d/*.conf
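Review bot: The comment above the Include still tells users to "put your own configuration there", but the Include now points at tmp/apache/conf.d, which the init script in this commit regenerates with `rsync --delete-after` from etc/apache/conf.d — a file dropped directly into the tmp directory is silently removed on the next start or reload. Update the comment to name the real edit location, e.g. `# tmp/apache/conf.d is generated from etc/apache/conf.d by etc/init.d/apache; edit the files in etc/, not here.` It also appears that a server started by any path other than the init script's start/restart/reload/checkconfig/check cases sees whatever is in tmp at the time, possibly nothing; worth a sentence in the same comment if that is intended. The apache24.conf section below has the same stale comment.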
2 changes: 1 addition & 1 deletion packages/apache-omd/skel/etc/apache/apache24.conf
Expand Up @@ -224,5 +224,5 @@ SocketPath "###ROOT###/tmp/apache/fcgid_sock"

# Load config files from the include dir. You can put your own
# configuration there. Also addons put default files there.
Include ###ROOT###/etc/apache/conf.d/*.conf
Include ###ROOT###/tmp/apache/conf.d/*.conf

26 changes: 25 additions & 1 deletion packages/apache-omd/skel/etc/init.d/apache
Expand Up @@ -32,9 +32,19 @@ OPTS="-f $OMD_ROOT/etc/apache/apache.conf"
STOP_TIMEOUT=15
STOP_CALLBACK="kill_stale_php_cgis"
CHECK_CALLBACK=verify_config
HAS_UNSAFE_ALLOW=""

if "$DAEMON" -t -f "$OMD_ROOT/share/omd/apache-test-unsafeallow.conf" >/dev/null 2>&1 ; then
HAS_UNSAFE_ALLOW=1
fi

has_unsafe_allow() {
[ -n "$HAS_UNSAFE_ALLOW" ]
}

mkdir -p $OMD_ROOT/var/log/apache


case "$1" in start|restart|reload)
# (nearly) reproducible problems with apache at boot-time. (alloc_listener: failed to set up sockaddr for 127.0.0.1)
# With this ping the problem disappears.
Expand Down Expand Up @@ -93,5 +103,19 @@ verify_config() {
fi
}

__generic_init "$*"
copy_and_fix_config() {
mkdir -p "$OMD_ROOT/tmp/apache/conf.d"
T="$OMD_ROOT/tmp/apache/conf.d/."
rsync -acL --delete-after "$OMD_ROOT/etc/apache/conf.d/." "$T"
if has_unsafe_allow ; then
find "$T" -type f -print0 | xargs -0 sed -i -e 's/,@@@UNSAFEALLOW3F@@@/,UnsafeAllow3F/g'
else
find "$T" -type f -print0 | xargs -0 sed -i -e 's/,@@@UNSAFEALLOW3F@@@//g'
fi
}

case "$1" in start|restart|reload|checkconfig|check)
copy_and_fix_config
esac

__generic_init "$*"
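Review bot: In copy_and_fix_config, `find "$T" -type f -print0 | xargs -0 sed -i ...` runs sed with no file arguments when conf.d is empty, and the probe in the first hunk turns any failure of `"$DAEMON" -t` — a wrong ###APACHE_MODULE_DIR### substitution, a missing mod_rewrite, an unreadable file — into "no UnsafeAllow3F", after which the flag is stripped from every rule and the actual error is discarded by `>/dev/null 2>&1`. Use `xargs -0r` on both sed lines so an empty directory is a no-op, and consider capturing the probe's stderr and logging it when the probe fails for a reason other than the flag, so a broken probe cannot silently change which rewrite flags the site runs with. Whether stripping the flag or refusing to start is the safer default depends on which httpd versions are supported, which the hunk does not show. `T` is also assigned without `local`, so it leaks into the callers that follow; the script's preamble and `__generic_init` are outside the hunks.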
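--- /dev/null
+++ b/packages/apache-omd/test-unsafeallow.conf
@@ -0,0 +1,8 @@
+LoadModule mpm_prefork_module ###APACHE_MODULE_DIR###/mod_mpm_prefork.so
+LoadModule rewrite_module ###APACHE_MODULE_DIR###/mod_rewrite.so
+
+DocumentRoot /
+ServerRoot /
+ErrorLog /dev/null
+
+RewriteRule / / [UnsafeAllow3F]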
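Review bot: The file carries no comment stating its purpose, and read on its own `DocumentRoot /`, `ServerRoot /` and `ErrorLog /dev/null` look like a real and alarming server configuration rather than a parse-only probe. Add a header comment, e.g. `# Probe config: only ever passed to "httpd -t" by etc/init.d/apache to check whether this httpd accepts the UnsafeAllow3F rewrite flag. Never loaded by a running server.` Since `-t` only validates the configuration, `ErrorLog /dev/null` can presumably stay, but the comment should say that it is deliberate so nobody "fixes" it into a real log path.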
8 changes: 4 additions & 4 deletions packages/thruk/skel/etc/thruk/apache_cookie_auth.conf
Expand Up @@ -17,10 +17,10 @@ RewriteCond %{REQUEST_URI} !^/server-status
RewriteCond %{REQUEST_URI} !^/${OMD_SITE}/api/
RewriteCond %{HTTP_COOKIE} (thruk_auth=[^;]+|$) [NC]
RewriteRule ^/(.*)$ /auth:%1/%{REMOTE_ADDR}~~%{HTTP:Authorization}~~%{HTTP:X-Thruk-Auth-Key}~~%{HTTP:X-Thruk-Auth-User}/____/$1/____/%{QUERY_STRING} [C,NS]
RewriteRule ^(.*)$ ${users:$1|/loginbad/} [C,NS,UnsafeAllow3F]
RewriteRule ^/pass/(.*)$ /$1 [NS,PT,L,E=!REMOTE_USER,UnsafeAllow3F]
RewriteRule ^/redirect/(.*)$ %{ENV:OMD_PROTO}://%{ENV:OMD_SERVER_NAME}:%{ENV:OMD_PORT}/$1 [NS,L,R=302,UnsafeAllow3F]
RewriteRule ^/loginok/([^/]+)/(.*)$ /$2 [NS,PT,L,E=REMOTE_USER:$1,UnsafeAllow3F]
RewriteRule ^(.*)$ ${users:$1|/loginbad/} [C,NS,@@@UNSAFEALLOW3F@@@]
RewriteRule ^/pass/(.*)$ /$1 [NS,PT,L,E=!REMOTE_USER,@@@UNSAFEALLOW3F@@@]
RewriteRule ^/redirect/(.*)$ %{ENV:OMD_PROTO}://%{ENV:OMD_SERVER_NAME}:%{ENV:OMD_PORT}/$1 [NS,L,R=302,@@@UNSAFEALLOW3F@@@]
RewriteRule ^/loginok/([^/]+)/(.*)$ /$2 [NS,PT,L,E=REMOTE_USER:$1,@@@UNSAFEALLOW3F@@@]

<LocationMatch ^/${OMD_SITE}/(?!(thruk/cgi-bin/restricted.cgi))>
Order allow,deny
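Review bot: After this change the four RewriteRule lines carry the literal flag `@@@UNSAFEALLOW3F@@@`, which httpd rejects unless something rewrites it first, and the only substitution added in this commit — copy_and_fix_config in etc/init.d/apache — touches only files rsynced from etc/apache/conf.d into tmp/apache/conf.d. This file lives under etc/thruk, so it is rewritten only if it reaches httpd as a copied conf.d file (the rsync `-L` suggests a symlink from conf.d is the intended route) rather than through an Include of its etc/thruk path; the page does not show how it is included, so please confirm, because if it is included by path every site fails config check with an unknown flag. A one-line comment above the rules would help the next reader, e.g. `# @@@UNSAFEALLOW3F@@@ is replaced with UnsafeAllow3F, or dropped, by copy_and_fix_config in etc/init.d/apache depending on the installed httpd`. The unlabelled section that follows carries the same change and the same question.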
Expand Up @@ -12,10 +12,10 @@ RewriteCond %{REQUEST_URI} !^/server-status
RewriteCond %{REQUEST_URI} !^/${OMD_SITE}/api/
RewriteCond %{HTTP_COOKIE} (thruk_auth=[^;]+|$) [NC]
RewriteRule ^/(.*)$ /auth:%1/%{REMOTE_ADDR}~~%{HTTP:Authorization}~~%{HTTP:X-Thruk-Auth-Key}~~%{HTTP:X-Thruk-Auth-User}/____/$1/____/%{QUERY_STRING} [C,NS]
RewriteRule ^(.*)$ ${users:$1|/loginbad/} [C,NS,UnsafeAllow3F]
RewriteRule ^/pass/(.*)$ /$1 [NS,PT,L,E=!REMOTE_USER,UnsafeAllow3F]
RewriteRule ^/redirect/(.*)$ %{ENV:OMD_PROTO}://%{ENV:OMD_SERVER_NAME}:%{ENV:OMD_PORT}/$1 [NS,L,R=302,UnsafeAllow3F]
RewriteRule ^/loginok/([^/]+)/(.*)$ /$2 [NS,PT,L,E=REMOTE_USER:$1,UnsafeAllow3F]
RewriteRule ^(.*)$ ${users:$1|/loginbad/} [C,NS,@@@UNSAFEALLOW3F@@@]
RewriteRule ^/pass/(.*)$ /$1 [NS,PT,L,E=!REMOTE_USER,@@@UNSAFEALLOW3F@@@]
RewriteRule ^/redirect/(.*)$ %{ENV:OMD_PROTO}://%{ENV:OMD_SERVER_NAME}:%{ENV:OMD_PORT}/$1 [NS,L,R=302,@@@UNSAFEALLOW3F@@@]
RewriteRule ^/loginok/([^/]+)/(.*)$ /$2 [NS,PT,L,E=REMOTE_USER:$1,@@@UNSAFEALLOW3F@@@]

# only required if thruk needs to rewrite for ex.: kerberos user name
# and no cookie present in 3rd party urls

