#1 2023-04-05 18:13:23

henryzwh
Member
Registered: 2023-02-01
Posts: 8

Web server root directory configuration is not safe

After upgrading from 10.0.6 to 10.0.7 I got a message at the front page after login, which reads:

Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details.

So I looked at the documentation and followed the instructions and moved config and files directory out of the webroot. But the message does not disappear. Now what?

Offline

#2 2023-04-05 19:06:23

henryzwh
Member
Registered: 2023-02-01
Posts: 8

Re: Web server root directory configuration is not safe

All right, I found the corresponding change in github.  According to this, one has to change the vhost config in apache as follows:

<VirtualHost *:80>
    ServerName glpi.localhost

    DocumentRoot /var/www/glpi/public

    <Directory /var/www/glpi/public>
        Require all granted

        RewriteEngine On

        # Redirect all requests to GLPI router, unless file exists.
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
</VirtualHost>

However, there are some problems with this:

  • Issue 14485 says something about Agent not connecting with the new config. You have to insert following line:

    AliasMatch "^/(plugins/glpiinventory/(index\.php)?)$" "/var/www/glpi/$1"
  • I have GLPI installed in a subdirectory with the webroot at /var/www and the URL is like www dot example dot com slash glpi. So I can't point the webroot to glpi/public and changing it is not an option. How to proceed?

Last edited by henryzwh (2023-04-05 19:21:55)

Offline

#3 2023-04-06 09:29:47

viktor_sc
Member
Registered: 2018-06-26
Posts: 24

Re: Web server root directory configuration is not safe

I have the same issue and I use nginx. Any idea what I have to change there or how I simply can dismiss the message? I can live with that big_smile

Offline

#4 2023-04-06 09:44:13

henryzwh
Member
Registered: 2023-02-01
Posts: 8

Re: Web server root directory configuration is not safe

viktor_sc wrote:

I have the same issue and I use nginx. Any idea what I have to change there or how I simply can dismiss the message? I can live with that big_smile

I cannot post links, but according to the development(!) docs  (the "latest" docs are still about GLPI 9.5) you have to change the nginx configuration to something like this:

server {
    listen 80;
    listen [::]:80;

    server_name glpi.localhost;

    root /var/www/glpi/public;

    location / {
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php$ {
        # the following line needs to be adapted, as it changes depending on OS distributions and PHP versions
        fastcgi_pass unix:/run/php/php-fpm.sock;

        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

Last edited by henryzwh (2023-04-06 10:01:04)

Offline

#5 2023-04-06 09:58:25

henryzwh
Member
Registered: 2023-02-01
Posts: 8

Re: Web server root directory configuration is not safe

According to a message at Github one can use an "Alias" directive if you have installed glpi in a subdirectory

Alias "/glpi/" "/path/to/your/glpi/"

I tried several variants of this, but it wasn't working for me. I got empty pages, directory index listings instead of the login page and  Internal Server errors ("Request exceeded the limit of 10 internal redirects"). I ended up setting DocumentRoot to /var/www/glpi/public with a RewriteRule which rewrites /glpi/ to the root directory:

RewriteRule ^/glpi/(.*)$ /$1 [R=301,NC,L]

It is advisable to change the URL in glpi-agent config accordingly

Last edited by henryzwh (2023-04-06 09:59:15)

Offline

#6 2023-04-06 10:00:57

viktor_sc
Member
Registered: 2018-06-26
Posts: 24

Re: Web server root directory configuration is not safe

Thanks, I'll play with it.
But I think we should raise a bug-report in github as this is a recommended setting and not a required one. In my opinion it should be possible to disable the message...

Offline

#7 2023-04-06 10:12:14

henryzwh
Member
Registered: 2023-02-01
Posts: 8

Re: Web server root directory configuration is not safe

viktor_sc wrote:

Thanks, I'll play with it.
But I think we should raise a bug-report in github as this is a recommended setting and not a required one. In my opinion it should be possible to disable the message...

I've read in the comments on this change, that this will be a mandatory setting beginning with GLPI 10.1. In my opinion this is a major requirement change and shouldn't be established before GLPI 11.

Anyway, it is possible to disable the message completely by editing glpi/src/System/Requirement/SafeDocumentRoot.php and adding a "return;" statement right after "protected function check()":

  [...]
    protected function check()
    {
        return; // <- Add this here
        if (isCommandLine()) {
            $this->out_of_context = true;
  [...]

Offline

#8 2023-04-06 12:26:18

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,814
Website

Re: Web server root directory configuration is not safe

I know this was put in the developer documentation, but this was discussed among the GLPI developers a few months ago and the majority opinion was to treat major and minor versions similarly to match the customer's point of view.

https://github.com/glpi-project/docdev/pull/129

For bug-fix versions like 10.0.6 and 10.0.7, expect fixes, some smaller features/changes that don't break code compatibility for plugins, but no removed features.
Such new features from the 10.0 versions included:
- Global lock management for inventory
- Allow using rules to add computers as VMs
- More options to handle stale agents
- New dictionary rules for OS
- SMTP OAuth support

Since the security requirement is added now but not mandatory until 10.1, the fact that 10.0 will be supported for a time after 10.1 is released, and this is just a one-time change that needs made by the web server administrators, there isn't any change from the end-user point of view.
All previously saved URLs would still function.

10.1 would include bigger features or ones that could wait and may benefit from a beta period.
11.0 could conceivably be released at a time when there are major changes to GLPI from the end-user perspective like there was with the UI rework in 10.0.


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

Offline

#9 2023-04-06 13:05:05

viktor_sc
Member
Registered: 2018-06-26
Posts: 24

Re: Web server root directory configuration is not safe

Thanks for the explanation.
In general I understand that this should improve security and that it's a one-time change.
But I don't know where to do what big_smile
I run glpi on a Synology NAS, so it's located under the /web/glpi folder which is a subfolder (and I have other webservices running there as well). Now, there seems to be a solution using an Alias. But to be honest, I have no clue where to put it. In the Synology Web Station UI there is limited configuration possibility...

Offline

#10 2023-04-06 22:19:26

AndiFo
Member
Registered: 2020-02-11
Posts: 4

Re: Web server root directory configuration is not safe

Here you can find my solution with redirecting plugins/fusioninventory to plugins/glpiinventory and redirecting /public-Folder.

<VirtualHost *:80>
	ServerName glpi.fa.local
	DocumentRoot "C:/xampp/htdocs/glpi/public"

	# Redirect all plugins/fusioninventory requests to plugins/glpiinventory
	RewriteEngine On
	RewriteRule plugins/fusioninventory/(.*)$ /plugins/glpiinventory/ [R=307]

	<Directory "C:/xampp/htdocs/glpi/public">
		Require all granted
		# Redirect all requests to GLPI router, unless file exists.
		RewriteCond %{REQUEST_FILENAME} !-f
		RewriteRule ^(.*)$ index.php [QSA,L]
	</Directory>
</VirtualHost>

Last edited by AndiFo (2023-04-06 22:20:58)

Offline

#11 2023-04-07 12:30:33

WebGreg
Member
Registered: 2020-02-27
Posts: 740

Re: Web server root directory configuration is not safe

henryzwh wrote:

All right, I found the corresponding change in github.  According to this, one has to change the vhost config in apache as follows:

Hi. I found it too but... still don't understand it wink I changed the configuration to not use https://glpi.domain.com/glpi but https://glpi.domain.com So my current DocumentRoot setting is /var/www/glpi
I thought - nothing simpler, I'll add /var/www/glpi/public
But

-- The unit apache2.service has entered the 'failed' state with result 'exit-code'.
Apr 07 12:25:23 glpi systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: A start job for unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- A start job for unit apache2.service has finished with a failure.
--
-- The job identifier is 1337 and the job result is failed.
Apr 07 12:25:23 glpi sudo[3047]: pam_unix(sudo:session): session closed for user root
Apr 07 12:26:01 glpi CRON[3083]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 07 12:26:01 glpi CRON[3084]: (root) CMD (/usr/bin/php7.4 /var/www/html/glpi/front/cron.php &>/dev/null)


After deletion:

    <Directory /var/www/glpi/public>
        Require all granted

        RewriteEngine On

        # Redirect all requests to GLPI router, unless file exists.
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>

Apache starts, but the page doesn't open.

Last edited by WebGreg (2023-04-07 12:41:19)


--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS

Offline

#12 2023-04-07 12:50:16

viktor_sc
Member
Registered: 2018-06-26
Posts: 24

Re: Web server root directory configuration is not safe

Yeah I think this change will generate a lot of unnecessary headache among the GLPI community... It was really simple to install it, just like WordPress. But now you have to reconfigure the whole webserver.

Offline

#13 2023-04-07 13:57:39

WebGreg
Member
Registered: 2020-02-27
Posts: 740

Re: Web server root directory configuration is not safe

I did the test...


/etc/apache2/sites-available/000-default.conf
DocumentRoot /var/www/html

I'm launching the website http://glpi.domain.com/glpi > works


/etc/apache2/sites-available/default-ssl.conf
DocumentRoot /var/www/html/glpi

I'm launching the website https://glpi.domain.com/ > works


Why doesn't it work with DocumentRoot /var/www/html/glpi/public even with:

    <Directory /var/www/glpi/public>
        Require all granted

        RewriteEngine On

        # Redirect all requests to GLPI router, unless file exists.
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>

Edit... missed html... checking... No. I changed
<Directory /var/www/glpi/public>
to
<Directory /var/www/html/glpi/public>

Apr 07 14:11:29 glpi apachectl[4451]: AH00526: Syntax error on line 17 of /etc/apache2/sites-enabled/000-default.conf:
Apr 07 14:11:29 glpi apachectl[4451]: Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration


sudo a2enmod rewrite
sudo service apache2 start

Apache starts now but the page is still not loading

https://glpi.domain.com/ > works but it is still set to DocumentRoot /var/www/html/glpi
http://glpi.comain.com/glpi > HTTP ERROR 500
http://glpi.comain.com/glpi/public > HTTP ERROR 500

Last edited by WebGreg (2023-04-07 14:30:26)


--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS

Offline

#14 2023-04-07 23:22:21

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,814
Website

Re: Web server root directory configuration is not safe

viktor_sc wrote:

Yeah I think this change will generate a lot of unnecessary headache among the GLPI community... It was really simple to install it, just like WordPress. But now you have to reconfigure the whole webserver.

Just because you could just install WordPress without setting up a vhost, doesn't mean you should. Same with GLPI.
If you spend enough time on the forums, you will see plenty of people just giving 777 rights on the GLPI folder (everyone can read, write and execute) leaving it very vulnerable.
Enforcing it so GLPI installations can only expose the "public" folder to the web helps ensure security even if someone messed up permissions on purpose or accidentally.

Adding a new vhost isn't complicated in general and there are multiple examples in the installation documentation now including how to make these changes in the ".htaccess" file rather than a vhost in cases where you may not be able to do so like on a hosted server.

https://glpi-install.readthedocs.io/en/ … sites.html

A headache? For some, yes. Unnecessary? I disagree.


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

Offline
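
As an added example (not from any post in this thread and not GLPI project code), the Python sketch below lints an Apache vhost for the two points raised above: whether DocumentRoot points at GLPI's "public" folder, and whether a <Directory> block carrying the router rewrite actually matches that DocumentRoot. The function names, finding codes and sample vhosts are constructed for illustration, and the expected layout is the one quoted in post #2.

```python
import re

OPEN = re.compile(r"<(VirtualHost|Directory)\s+([^>]*)>", re.I)
CLOSE = re.compile(r"</(VirtualHost|Directory)>", re.I)
ROUTER = re.compile(r"^rewritecond\s+%\{request_filename\}\s+!-f\s*\n"
                    r"rewriterule\s+\S+\s+index\.php\b", re.M)

# Finding codes are made up for this example.
MESSAGES = {
    "MOD_REWRITE_OFF": "mod_rewrite is not loaded (try: a2enmod rewrite)",
    "DOCROOT_NOT_PUBLIC": "DocumentRoot is not the GLPI public folder",
    "DIRECTORY_MISMATCH": "no <Directory> block matches DocumentRoot",
    "REWRITE_ENGINE_MISSING": "RewriteEngine On missing in <Directory>",
    "ROUTER_RULE_MISSING": "RewriteCond !-f / RewriteRule index.php missing",
}


def norm(path):
    """Strip quotes and trailing slashes so equal paths compare equal."""
    return path.strip().strip('"').replace("\\", "/").rstrip("/")


def parse_vhosts(text):
    """Return one dict per <VirtualHost>: its DocumentRoot and, for each
    <Directory> path, the directives found inside that block."""
    vhosts, vhost, directory = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            if m.group(1).lower() == "virtualhost":
                vhost = {"root": None, "dirs": {}}
                vhosts.append(vhost)
            elif vhost is not None:
                directory = norm(m.group(2))
                vhost["dirs"].setdefault(directory, [])
        elif m := CLOSE.match(line):
            if m.group(1).lower() == "virtualhost":
                vhost = None
            directory = None
        elif vhost is not None:
            parts = line.split(None, 1)
            if parts[0].lower() == "documentroot" and len(parts) == 2:
                vhost["root"] = norm(parts[1])
            elif directory is not None:
                vhost["dirs"][directory].append(line)
    return vhosts


def lint(text, loaded_modules=None):
    """Return finding codes. loaded_modules is optional `apachectl -M` output."""
    findings = []
    if loaded_modules is not None and "rewrite_module" not in loaded_modules:
        findings.append("MOD_REWRITE_OFF")
    for vh in parse_vhosts(text):
        root = vh["root"] or ""
        if not root.endswith("/public"):  # heuristic: GLPI ships a public/ dir
            findings.append("DOCROOT_NOT_PUBLIC")
            continue
        rules = vh["dirs"].get(root)
        if rules is None:  # e.g. /var/www/glpi/public vs /var/www/html/glpi/public
            findings.append("DIRECTORY_MISMATCH")
            continue
        joined = "\n".join(rules).lower()
        if not re.search(r"^rewriteengine\s+on\b", joined, re.M):
            findings.append("REWRITE_ENGINE_MISSING")
        if not ROUTER.search(joined):
            findings.append("ROUTER_RULE_MISSING")
    return findings


# Constructed samples modelled on the configurations quoted in this thread.
GOOD = """<VirtualHost *:80>
    DocumentRoot /var/www/glpi/public
    <Directory /var/www/glpi/public>
        Require all granted
        RewriteEngine On
        # Redirect all requests to GLPI router, unless file exists.
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
</VirtualHost>
"""
MISMATCH = GOOD.replace("DocumentRoot /var/www/glpi/public",
                        "DocumentRoot /var/www/html/glpi/public")
LEGACY = "<VirtualHost *:443>\n    DocumentRoot /var/www/html/glpi\n</VirtualHost>\n"

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("MISMATCH", MISMATCH), ("LEGACY", LEGACY)):
        codes = lint(conf)
        print(name, "->", [MESSAGES[c] for c in codes] or "ok")
```

Run it against the file Apache actually loads (the paths listed by "sudo apachectl -S"), since a vhost that is edited but not enabled is never evaluated.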

#15 2023-04-07 23:30:41

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,814
Website

Re: Web server root directory configuration is not safe

WebGreg,

Can you post the full content of the vhost files when configured with the DocumentRoot and Directory set to the public folder, and then just the errors from the Apache error log from when trying to access https://glpi.domain.com/?

You may also want to try restoring the vhost files to the way they were and making the rewrite rule in the ".htaccess" file in the /var/www/html/glpi folder instead.
RewriteBase /
RewriteEngine On
RewriteRule ^(.*)$ public/index.php [QSA,L]


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

Offline

#16 2023-04-08 14:38:52

WebGreg
Member
Registered: 2020-02-27
Posts: 740

Re: Web server root directory configuration is not safe

Hi cconard96

My /etc/apache2/sites-available/default-ssl.conf

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		DocumentRoot /var/www/html/glpi/public

		<Directory /var/www/html/glpi/public>
			Require all granted

			RewriteEngine On

			# Redirect all requests to GLPI router, unless file exists.
			RewriteCond %{REQUEST_FILENAME} !-f
			RewriteRule ^(.*)$ index.php [QSA,L]
		</Directory>

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on

		SSLCertificateFile	/etc/ssl/certs/ssl.pem
		SSLCertificateKeyFile	/etc/ssl/private/ssl.key

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>

		Alias /download /var/lib/ocsinventory-reports/download
		<Directory /var/lib/ocsinventory-reports/download>
			<IfModule mod_authz_core.c>
			 # Apache 2.4
			 #Require all denied
			 Require host localhost
			Require ip 127.0.0.1
		   </IfModule>
		   <IfModule !mod_authz_core.c>
			Order deny,allow
			#Deny from all
			Deny from all
			Allow from localhost
			Allow from 127.0.0.1 ::1
	   </IfModule>
	</Directory>

	</VirtualHost>
</IfModule>

Apache start:
[Sat Apr 08 14:35:08.342292 2023] [mpm_prefork:notice] [pid 11743] AH00163: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f mod_perl/2.0.11 Perl/v5.30.0 configured -- resuming normal operations
[Sat Apr 08 14:35:08.342426 2023] [core:notice] [pid 11743] AH00094: Command line: '/usr/sbin/apache2'

Trying to open the page
https://glpi.domain.com/

[Sat Apr 08 14:35:49.131764 2023] [php7:warn] [pid 11745] [client ip:54333] PHP Warning:  include(/var/www/html/glpi/public/inc/based_config.php): failed to open stream: No such file or directory in /var/www/html/glpi/public/index.php on line 51
[Sat Apr 08 14:35:49.131813 2023] [php7:warn] [pid 11745] [client ip:54333] PHP Warning:  include(): Failed opening '/var/www/html/glpi/public/inc/based_config.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/glpi/public/index.php on line 51
[Sat Apr 08 14:35:49.131825 2023] [php7:warn] [pid 11745] [client ip:54333] PHP Warning:  Use of undefined constant GLPI_CONFIG_DIR - assumed 'GLPI_CONFIG_DIR' (this will throw an Error in a future version of PHP) in /var/www/html/glpi/public/index.php on line 54
[Sat Apr 08 14:35:49.131860 2023] [php7:error] [pid 11745] [client ip:54333] PHP Fatal error:  Uncaught Error: Class 'Session' not found in /var/www/html/glpi/public/index.php:59\nStack trace:\n#0 {main}\n  thrown in /var/www/html/glpi/public/index.php on line 59

Last edited by WebGreg (2023-04-08 15:37:44)


--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS

Offline

#17 2023-04-08 15:49:57

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,814
Website

Re: Web server root directory configuration is not safe

Nothing seems wrong with this config to me.

For me, I have a separate config file just for my development GLPI instance with vhosts for HTTP and HTTPS in it:

<VirtualHost *:80>
        ServerName glpi.localhost
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/glpi/public
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <Directory /var/www/html/glpi/public>
                Require all granted
                RewriteEngine On
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteRule ^(.*)$ index.php [QSA,L]
        </Directory>
</VirtualHost>

<VirtualHost *:443>
        ServerName glpi.localhost
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html/glpi/public
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/glpi.crt
        SSLCertificateKeyFile /etc/ssl/private/glpi.key
        <Directory "/var/www/html/glpi/public">
                Require all granted
                RewriteEngine On
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteRule ^(.*)$ index.php [QSA,L]
        </Directory>
</VirtualHost>

For debugging:
1. Is /var/www/html/glpi/.htaccess empty/all commented out or was something added?
2. Are there other enabled vhosts? "sudo apachectl -S" can be used to show all enabled vhosts


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

Offline

#18 2023-04-08 21:47:45

WebGreg
Member
Registered: 2020-02-27
Posts: 740

Re: Web server root directory configuration is not safe

Ad 2.

VirtualHost configuration:
*:80                   glpi.domain.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  glpi.domain.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
User: name="www-data" id=33
Group: name="www-data" id=33

Ad 1. all commented


I tried with your config and the same warnings and errors:

PHP Warning:  include(/var/www/html/glpi/public/inc/based_config.php): failed to open stream: No such file or directory in /var/www/html/glpi/public/index.php on line 51
PHP Warning:  include(): Failed opening '/var/www/html/glpi/public/inc/based_config.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/glpi/public/index.php on line 51
PHP Warning:  Use of undefined constant GLPI_CONFIG_DIR - assumed 'GLPI_CONFIG_DIR' (this will throw an Error in a future version of PHP) in /var/www/html/glpi/public/index.php on line 54
PHP Fatal error:  Uncaught Error: Class 'Session' not found in /var/www/html/glpi/public/index.php:59\nStack trace:\n#0 {main}\n  thrown in /var/www/html/glpi/public/index.php on line 59

I copied the bin directory from glpi to glpi/public. Another attempt to open https://glpi.directory.com and...

Application dependencies are not up to date.
Run "php bin/console dependencies install" in the glpi tree to fix this.

But I can't:
sh: 1: composer: not found


I wonder why it is looking for the inc directory in public, since it is normally not there.

Failed opening '/var/www/html/glpi/public/inc/based_config.php

Maybe that's the problem.

Last edited by WebGreg (2023-04-08 22:10:59)


--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS

Offline

#19 2023-04-09 12:05:46

cedric-anne
Administrator
Registered: 2018-07-02
Posts: 85

Re: Web server root directory configuration is not safe

@WebGreg

As far as I understand, you moved the `/var/www/html/glpi/index.php`  file to `/var/www/html/glpi/public/index.php`, and you also copied the `bin` directory to another location. GLPI source files should not be moved.
You should reinstall your GLPI files and keep them where they are. It will probably solve many of your problems.

Offline

#20 2023-04-09 12:53:34

WebGreg
Member
Registered: 2020-02-27
Posts: 740

Re: Web server root directory configuration is not safe

Hi @cedric-anne

First I had a problem. After that, I started copying.

But I listened to you and... amazingly it works (I must have made some other mistake earlier, which I corrected later, but during the tests I already generated others).

So if anyone has settings as above then I would recommend actually deleting the entire glpi directory and starting over smile

Thank You.

Last edited by WebGreg (2023-04-09 13:40:21)


--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS

Offline

#21 2023-04-20 17:52:44

ajavor
Member
Registered: 2018-03-20
Posts: 2

Re: Web server root directory configuration is not safe

Hi @WebGreg

I see you are also using OCS Inventory on the same server as GLPI.
I updated GLPI to version 10.0.7 according to the instructions (removed the entire glpi directory, uploaded the new version, restored the folders: config, files, marketplace and plugins from the backup and finally updated the database).
Apache2 configuration identical as above - GLPI works flawlessly, but OCS clients stopped connecting to the server.
When in the apache2 configuration I comment out the following lines:

  #RewriteEngine On

# Redirect all requests to GLPI router, unless file exists.
  #RewriteCond %{REQUEST_FILENAME} !-f
  #RewriteRule ^(.*)$ index.php [QSA,L]

then communication to clients to OCS starts working, but of course GLPI doesn't work anymore.

Any hint how to run it now so that both OCS and GLPI systems run in parallel, as before the update GLPI?

update:
This is a "Virtual" directory for handling OCS Inventory NG agents communications. In apache2 conf it looks like this:

<Location /ocsinventory>
          order deny,allow
          allow from all
          SetHandler perl-script
          PerlHandler Apache::Ocsinventory
  </Location>

update2:
OK, I'll answer myself. In apache configuration add:

  AliasMatch "/ocsinventory" "/var/www/glpi/ocsinventory"

Last edited by ajavor (2023-05-12 18:31:35)

Offline

#22 2023-05-17 11:33:10

Predatir
Member
Registered: 2023-05-17
Posts: 1

Re: Web server root directory configuration is not safe

ajavor wrote:

Hi @WebGreg
update2:
OK, I'll answer myself. In apache configuration add:

  AliasMatch "/ocsinventory" "/var/www/glpi/ocsinventory"

After doing this both glpi and ocsinventory work but when I try to open OCS Inventory NG plugin in glpi I get an error

Not Found

The requested URL was not found on this server.

The URL is /plugins/ocsinventoryng/front/ocsng.php
Update:

After adding line AliasMatch "/plugins/ocsinventoryng/front/ocsng.php" "var/www/glpi/plugins/ocsinventoryng"
the error changed to 403. Forbidden. You don't have permission to access this resource.
I tried doing a fix from github (I can't post url) that says to change <Location /plugins> in file z-ocsinventory-server.conf but I don't have that line in the file.

Last edited by Predatir (2023-05-17 13:58:51)

Offline

#23 2023-05-26 10:21:04

WebGreg
Member
Registered: 2020-02-27
Posts: 740

Re: Web server root directory configuration is not safe

ajavor wrote:

Hi @WebGreg

I see you are also using OCS Inventory on the same server as GLPI.

Hi. Sorry but no. I tested OCS during the implementation, but gave up on it at the very beginning. I have some old lines of OCS configuration text left over. Now only GLPI + native inventory.


--
GLPI 10.0.17
GLPI-Inventory 1.4.0
Ubuntu Server 20.04 LTS

Offline

#24 2023-06-02 10:05:11

SDLTom
Member
Registered: 2023-06-01
Posts: 2

Re: Web server root directory configuration is not safe

Good morning,

My URL is https:// helpdesk.domain.com / glpi

I have moved the files and config directory to the recommended locations, this is working fine.

NGINX, however, is not working.

I have tried the alias mentioned. I just cannot get it to work. Does anyone have a working example of an NGINX config please?

This is my attempt.

server {
        listen          443;
        server_name     helpdesk.domain.com;

        root    /var/www/html/glpi/public;
        index  index.php;

        access_log /var/log/nginx/helpdesk.domain.com.access.log;
        error_log /var/log/nginx/helpdesk.domain.com.com.error.log;


    ssl_certificate /etc/ssl/certs/star.domain.com.crt;
    ssl_certificate_key /etc/ssl/private/star.domain.com.key;

    ssl on;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    add_header Expect-CT "enforce, max-age=300, report-uri='https://helpdesk.domain.com/'";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

        client_max_body_size 100M;

        autoindex off;

location / {
      try_files $uri $uri/ =404;
      autoindex on;
   }

location /glpi {
      alias /var/www/html/glpi/public;
   }

   location /api {
      rewrite ^/api/(.*)$ /apirest.php/$1 last;
   }

   location ~ [^/]\.php(/|$) {
      #alias /var/www/html/glpi/public;
      fastcgi_pass unix:/run/php/php8.2-fpm.sock;

      # regex to split $uri to $fastcgi_script_name and $fastcgi_path
      fastcgi_split_path_info ^(.+\.php)(/.+)$;

      # Check that the PHP script exists before passing it
      try_files $fastcgi_script_name =404;

      # Bypass the fact that try_files resets $fastcgi_path_info
      # # see: http://trac.nginx.org/nginx/ticket/321
      set $path_info $fastcgi_path_info;
      fastcgi_param  PATH_INFO $path_info;

      fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_script_name;
      fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;

       include fastcgi_params;

      # allow directory index
      fastcgi_index index.php;
   }
}

Last edited by SDLTom (2023-06-02 10:25:52)

Offline

#25 2023-06-29 12:57:43

alexkenon
Member
Registered: 2019-07-17
Posts: 31

Re: Web server root directory configuration is not safe

Hi. I have GLPI 10.0.7, apache. Where can I see the list of actions to remove the message "Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details." ?

I understand that I need to change the apache configuration by following the link: https://glpi-install.readthedocs.io/en/ … sites.html But is that the only thing to do?

As I understand it, I need to create a "public" folder inside the "glpi" folder, and I also need to transfer some folders and files from "glpi/" to "glpi/public". The question is what? Where can I read it?

Offline
