You are not logged in.
After upgrading from 10.0.6 to 10.0.7 I got a message at the front page after login , which reads:
Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details.
So I looked at the documentation and followed the instructions and moved config and files directory out of the webroot. But the message does not disappear. Now what?
Offline
All right, I found the corresponding change in github. According to this, one has to change the vhost config in apache as follows:
<VirtualHost *:80>
ServerName glpi.localhost
DocumentRoot /var/www/glpi/public
<Directory /var/www/glpi/public>
Require all granted
RewriteEngine On
# Redirect all requests to GLPI router, unless file exists.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
</VirtualHost>
However, there are some problems with this:
Issue 14485 says something about Agent not connecting with the new config. You have to insert following line:
AliasMatch "^/(plugins/glpiinventory/(index\.php)?)$" "/var/www/glpi/$1"
I have GLPI installed in a subdirectory with the webroot at /var/www and the URL is like www dot example dot com slash glpi. So I can't point the webroot to glpi/public and changing it is not an option. How to proceed?
Last edited by henryzwh (2023-04-05 19:21:55)
Offline
I have the same issue and I use nginx. Any idea what I have to change there or how I simply can dismiss the message? I can live with that
Offline
I have the same issue and I use nginx. Any idea what I have to change there or how I simply can dismiss the message? I can live with that
I cannot post links, but according to the development(!) docs (the "latest" docs are still about GLPI 9.5) you have to change the nginx configuration to something like this:
server {
listen 80;
listen [::]:80;
server_name glpi.localhost;
root /var/www/glpi/public;
location / {
try_files $uri /index.php$is_args$args;
}
location ~ ^/index\.php$ {
# the following line needs to be adapted, as it changes depending on OS distributions and PHP versions
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
Last edited by henryzwh (2023-04-06 10:01:04)
Offline
According to a message at Github one can use an "Alias" directive if you have installed glpi in a subdirectory
Alias "/glpi/" "/path/to/your/glpi/"
I tried several variants of this, but it wasn't working for me. I got empty pages, directory index listings instead of the login page and Internal Server errors ("Request exceeded the limit of 10 internal redirects"). I ended up setting DocumentRoot to /var/www/glpi/public with a RewriteRule which rewrites /glpi/ to the root directory:
RewriteRule ^/glpi/(.*)$ /$1 [R=301,NC,L]
It is advisable to change the URL in glpi-agent config accordingly
Last edited by henryzwh (2023-04-06 09:59:15)
Offline
Thanks, I'll play with it.
But I think we should raise a bug-report in github as this is a recommended setting and not a required one. In my opinion it should be possible to disable the message...
Offline
Thanks, I'll play with it.
But I think we should raise a bug-report in github as this is a recommended setting and not a required one. In my opinion it should be possible to disable the message...
I've read in the comments on this change, that this will be a mandatory setting beginning with GLPI 10.1. Im my opinion this is a major requirement change and shouldn't be established before GLPI 11.
Anyway, it is possible to disable the message completely by editing glpi/src/System/Requirement/SafeDocumentRoot.php and adding a "return;" statement right after "protected function check()":
[...]
protected function check()
{
return; // <- Add this here
if (isCommandLine()) {
$this->out_of_context = true;
[...]
Offline
I know this was put in the developer documentation, but this was discussed among the GLPI developers a few months ago and the majority opinion was to treat major and minor versions similarly to match the customer's point of view.
https://github.com/glpi-project/docdev/pull/129
For bug-fix versions like 10.0.6 and 10.0.7, expect fixes, some smaller features/changes that don't break code compatibility for plugins, but no removed features.
Such new features from the 10.0 versions included:
- Global lock management for inventory
- Allow using rules to add computers as VMs
- More options to handle stale agents
- New dictionary rules for OS
- SMTP OAuth support
Since the security requirement is added now but not mandatory until 10.1, the fact that 10.0 will be supported for a time after 10.1 is released, and this is just a one-time change that needs made by the web server administrators, there isn't any change from the end-user point of view.
All previously saved URLs would still function.
10.1 would include bigger features or ones that could wait and may benefit from a beta period.
11.0 could conceivably be released at a time when there are major changes to GLPI from the end-user perspective like there was with the UI rework in 10.0.
GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.
Offline
Thanks for the explanation.
In general I understand that this should improve security and that it's a one-time change.
But I don't know where to do what
I run glpi on a Synology NAS, so it's located unter the /web/glpi folder which is a subfolder (and I have other webservices running there as well). Now, there seems to be a solution using an Alias. But to be honest, I have no clue where to put it. In the Synology Web Station UI there is limited configuration possibility...
Offline
Here you can find my solution with redirecting plugins/fusioninventory to plugins/glpiinventory and redirecting /public-Folder.
<VirtualHost *:80>
ServerName glpi.fa.local
DocumentRoot "C:/xampp/htdocs/glpi/public"
# Redirect all plugins/fusioninventory requests to plugins/glpiinventory
RewriteEngine On
RewriteRule plugins/fusioninventory/(.*)$ /plugins/glpiinventory/ [R=307]
<Directory "C:/xampp/htdocs/glpi/public">
Require all granted
# Redirect all requests to GLPI router, unless file exists.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
</VirtualHost>
Last edited by AndiFo (2023-04-06 22:20:58)
Offline
All right, I found the corresponding change in github. According to this, one has to change the vhost config in apache as follows:
Hi. I found it too but... still don't udnerstand it I changed the configuration to not use https://glpi.domain.com/glpi but https://glpi.domain.com So my current DocumentRoot setting is /var/www/glpi
I thought - nothing simpler, I'll add /var/www/glpi/public
But
-- The unit apache2.service has entered the 'failed' state with result 'exit-code'.
Apr 07 12:25:23 glpi systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: A start job for unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- A start job for unit apache2.service has finished with a failure.
--
-- The job identifier is 1337 and the job result is failed.
Apr 07 12:25:23 glpi sudo[3047]: pam_unix(sudo:session): session closed for user root
Apr 07 12:26:01 glpi CRON[3083]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 07 12:26:01 glpi CRON[3084]: (root) CMD (/usr/bin/php7.4 /var/www/html/glpi/front/cron.php &>/dev/null)
After deletion:
<Directory /var/www/glpi/public>
Require all granted
RewriteEngine On
# Redirect all requests to GLPI router, unless file exists.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
Apache starts, but the page doesn't open.
Last edited by WebGreg (2023-04-07 12:41:19)
--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS
Offline
Yeah I think this change will generate a lot of unnecessary headache among the GLPI community... It was really simple to install it, just like WordPress. But now you have to reconfigure the whole webserver.
Offline
I did the test...
/etc/apache2/sites-available/000-default.conf
DocumentRoot /var/www/html
I'm launching the website http://glpi.domain.com/glpi > works
/etc/apache2/sites-available/default-ssl.conf
DocumentRoot /var/www/html/glpi
I'm launching the website https://glpi.domain.com/ > works
Why doesn't it work with DocumentRoot /var/www/html/glpi/public even with:
<Directory /var/www/glpi/public>
Require all granted
RewriteEngine On
# Redirect all requests to GLPI router, unless file exists.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
Edit... missed html... checking... No. I changed
<Directory /var/www/glpi/public>
to
<Directory /var/www/html/glpi/public>
Apr 07 14:11:29 glpi apachectl[4451]: AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/000-default.conf:
Apr 07 14:11:29 glpi apachectl[4451]: Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
sudo a2enmod rewrite
sudo service apache2 start
Apache starts now but the page is still not loading
https://glpi.domain.com/ > works but it is still set to DocumentRoot /var/www/html/glpi
http://glpi.comain.com/glpi > HTTP ERROR 500
http://glpi.comain.com/glpi/public > HTTP ERROR 500
Last edited by WebGreg (2023-04-07 14:30:26)
--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS
Offline
Yeah I think this change will generate a lot of unnecessary headache among the GLPI community... It was really simple to install it, just like WordPress. But now you have to reconfigure the whole webserver.
Just because you could just install WordPress without setting up a vhost, doesn't mean you should. Same with GLPI.
If you spend enough time on the forums, you will see plenty of people just giving 777 rights on the GLPI folder (everyone can read, write and execute) leaving it very vulnerable.
Enforcing it so GLPI installations can only expose the "public" folder to the web helps ensure security even if someone messed up permissions on purpose or accidentally.
Adding a new vhost isn't complicated in general and there are multiple examples in the installation documentation now including how to make these changes in the ".htaccess" file rather than a vhost in cases where you may not be able to do so like on a hosted server.
https://glpi-install.readthedocs.io/en/ … sites.html
A headache? For some, yes. Unnecessary? I disagree.
GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.
Offline
WebGreg,
Can you post the full content of the vhost files when configured with the DocumentRoot and Directory set to the public folder, and then just the errors from the Apache error log from when trying to access https://glpi.domain.com/?
You may also want to try restoring the vhost files to the way they were and making the rewrite rule in the ".htaccess" file in the /var/www/html/glpi folder instead.
RewriteBase /
RewriteEngine On
RewriteRule ^(.*)$ public/index.php [QSA,L]
GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.
Offline
Hi cconard96
My /etc/apache2/sites-available/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
DocumentRoot /var/www/html/glpi/public
<Directory /var/www/html/glpi/public>
Require all granted
RewriteEngine On
# Redirect all requests to GLPI router, unless file exists.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl.pem
SSLCertificateKeyFile /etc/ssl/private/ssl.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
Alias /download /var/lib/ocsinventory-reports/download
<Directory /var/lib/ocsinventory-reports/download>
<IfModule mod_authz_core.c>
# Apache 2.4
#Require all denied
Require host localhost
Require ip 127.0.0.1
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
#Deny from all
Deny from all
Allow from localhost
Allow from 127.0.0.1 ::1
</IfModule>
</Directory>
</VirtualHost>
</IfModule>
Apache start:
[Sat Apr 08 14:35:08.342292 2023] [mpm_prefork:notice] [pid 11743] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f mod_perl/2.0.11 Perl/v5.30.0 configured -- resuming normal operations
[Sat Apr 08 14:35:08.342426 2023] [core:notice] [pid 11743] AH00094: Command line: '/usr/sbin/apache2'
Trying to open the page
https://glpi.domain.com/
[Sat Apr 08 14:35:49.131764 2023] [php7:warn] [pid 11745] [client ip:54333] PHP Warning: include(/var/www/html/glpi/public/inc/based_config.php): failed to open stream: No such file or directory in /var/www/html/glpi/public/index.php on line 51
[Sat Apr 08 14:35:49.131813 2023] [php7:warn] [pid 11745] [client ip:54333] PHP Warning: include(): Failed opening '/var/www/html/glpi/public/inc/based_config.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/glpi/public/index.php on line 51
[Sat Apr 08 14:35:49.131825 2023] [php7:warn] [pid 11745] [client ip:54333] PHP Warning: Use of undefined constant GLPI_CONFIG_DIR - assumed 'GLPI_CONFIG_DIR' (this will throw an Error in a future version of PHP) in /var/www/html/glpi/public/index.php on line 54
[Sat Apr 08 14:35:49.131860 2023] [php7:error] [pid 11745] [client ip:54333] PHP Fatal error: Uncaught Error: Class 'Session' not found in /var/www/html/glpi/public/index.php:59\nStack trace:\n#0 {main}\n thrown in /var/www/html/glpi/public/index.php on line 59
Last edited by WebGreg (2023-04-08 15:37:44)
--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS
Offline
Nothing seems wrong with this config to me.
For me, I have a separate config file just for my development GLPI instance with vhosts for HTTP and HTTPS in it:
<VirtualHost *:80>
ServerName glpi.localhost
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/glpi/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/html/glpi/public>
Require all granted
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName glpi.localhost
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/glpi/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/glpi.crt
SSLCertificateKeyFile /etc/ssl/private/glpi.key
<Directory "/var/www/html/glpi/public">
Require all granted
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
</VirtualHost>
For debugging:
1. Is /var/www/html/glpi/.htaccess empty/all commented out or was something added?
2. Are there other enabled vhosts? "sudo apachectl -S" can be used to show all enabled vhosts
GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.
Offline
Ad 2.
VirtualHost configuration:
*:80 glpi.domain.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 glpi.domain.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
User: name="www-data" id=33
Group: name="www-data" id=33
Ad 1. all commented
I tried with your config and the same warrnings and errors:
PHP Warning: include(/var/www/html/glpi/public/inc/based_config.php): failed to open stream: No such file or directory in /var/www/html/glpi/public/index.php on line 51
PHP Warning: include(): Failed opening '/var/www/html/glpi/public/inc/based_config.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/glpi/public/index.php on line 51
PHP Warning: Use of undefined constant GLPI_CONFIG_DIR - assumed 'GLPI_CONFIG_DIR' (this will throw an Error in a future version of PHP) in /var/www/html/glpi/public/index.php on line 54
PHP Fatal error: Uncaught Error: Class 'Session' not found in /var/www/html/glpi/public/index.php:59\nStack trace:\n#0 {main}\n thrown in /var/www/html/glpi/public/index.php on line 59
I copied the bin directory from glpi to glpi/public. Another attempt to open https://glpi.directory.com and...
Application dependencies are not up to date.
Run "php bin/console dependencies install" in the glpi tree to fix this.
But I can't:
sh: 1: composer: not found
I wonder why it is looking for the inc directory in public, since it is normally not there.
Failed opening '/var/www/html/glpi/public/inc/based_config.php
Maybe that's the problem.
Last edited by WebGreg (2023-04-08 22:10:59)
--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS
Offline
@WebGreg
As far as I understand, you moved the `/var/www/html/glpi/index.php` file to `/var/www/html/glpi/public/index.php`, and you also copied the `bin` directory to another location. GLPI source files should not be moved.
You should reinstall your GLPI files and keep them where they are. It will probably sole many of your problems.
Offline
Hi @cedric-anne
First I had a problem. After that, I started copying.
But I listened to you and... amazingly it works (I must have made some other mistake earlier, which I corrected later, but during the tests I already generated others).
So if anyone has settings as above then I would recommend actually deleting the entire glpi directory and starting over
Thank You.
Last edited by WebGreg (2023-04-09 13:40:21)
--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS
Offline
Hi @WebGreg
I see you are also using OCS Inventory on the same server as GLPI.
I updated GLPI to version 10.0.7 according to the instructions (removed the entire glpi directory, uploaded the new version, restored the folders: config, files, marketplace and plugins from the backup and finally updated the database).
Apache2 configuration identical as above - GLPI works flawlessly, but OCS clients stopped connecting to the server.
When in the apache2 configuration I comment out the following lines:
#RewriteEngine On
# Redirect all requests to GLPI router, unless file exists.
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteRule ^(.*)$ index.php [QSA,L]
then communication to clients to OCS starts working, but of course GLPI doesn't work anymore.
Any hint how to run it now so that both OCS and GLPI systems run in parallel, as before the update GLPI?
update:
This is a "Virtual" directory for handling OCS Inventory NG agents communications. In apache2 conf it looks like this:
<Location /ocsinventory>
order deny,allow
allow from all
SetHandler perl-script
PerlHandler Apache::Ocsinventory
</Location>
update2:
OK, I'll answer myself. In apache configuration add:
AliasMatch "/ocsinventory" "/var/www/glpi/ocsinventory"
Last edited by ajavor (2023-05-12 18:31:35)
Offline
Hi @WebGreg
update2:
OK, I'll answer myself. In apache configuration add:AliasMatch "/ocsinventory" "/var/www/glpi/ocsinventory"
After doing this both glpi and ocsinventory work but when I try to open OCS Inventory NG plugin in glpi I get an error
Not Found
The requested URL was not found on this server.
The URL is /plugins/ocsinventoryng/front/ocsng.php
Update:
After adding line AliasMatch "/plugins/ocsinventoryng/front/ocsng.php" "var/www/glpi/plugins/ocsinventoryng"
the error changed to 403. Forbidden. You don't have permission to access this resource.
I tried doing a fix from github (I can't post url) that says to change <Location /plugins> in file z-ocsinventory-server.conf but I don't have that line in the file.
Last edited by Predatir (2023-05-17 13:58:51)
Offline
Hi @WebGreg
I see you are also using OCS Inventory on the same server as GLPI.
Hi. Sorry but no. I tested OCS during the implementation, but gave up on it at the very beginning. I have some old lines of OCS configuration text left over. Now only GLPI + native inventory.
--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS
Offline
Good morning,
My URL is https:// helpdesk.domain.com / glpi
I have moved the files and config directory to the recommend locations, this is working fine.
NGINX, however, is not working.
I have tried the alias mentioned. I just cannot get it to work. Does anyone have a working example of an NGINX config please?
This is my attempt.
server {
listen 443;
server_name helpdesk.domain.com;
root /var/www/html/glpi/public;
index index.php;
access_log /var/log/nginx/helpdesk.domain.com.access.log;
error_log /var/log/nginx/helpdesk.domain.com.com.error.log;
ssl_certificate /etc/ssl/certs/star.domain.com.crt;
ssl_certificate_key /etc/ssl/private/star.domain.com.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
add_header Expect-CT "enforce, max-age=300, report-uri='https://helpdesk.domain.com/'";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
client_max_body_size 100M;
autoindex off;
location / {
try_files $uri $uri/ =404;
autoindex on;
}
location /glpi {
alias /var/www/html/glpi/public;
}
location /api {
rewrite ^/api/(.*)$ /apirest.php/$1 last;
}
location ~ [^/]\.php(/|$) {
#alias /var/www/html/glpi/public;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# # see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
# allow directory index
fastcgi_index index.php;
}
}
Last edited by SDLTom (2023-06-02 10:25:52)
Offline
Hi. I have GLPI 10.0.7, apache. Where can I see the list of actions to remove the message "Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details." ?
I understand that i need to change the apache configuration by following the link: https://glpi-install.readthedocs.io/en/ … sites.html But is that the only thing to do?
As I understand it, i need to create a "public" folder inside the "glpi" folder, and i also need to transfer some folders and files from "glpi/" to "glpi/public". The question is what? Where can I read it?
Offline