#1 2023-05-15 19:51:05

Mamo
Member
From: Czech republic
Registered: 2023-05-15
Posts: 25

Web server root directory configuration is not safe

Hi.

I have installed GLPI, moved CONFIG and FILES directories.
But it still displays "Web server root directory configuration is not safe as it permits access to non-public files".

I read about changing the Apache web root from "...glpi" to "...glpi/public", but when I do it GLPI doesn't work: a ".../front/central.php" URL not found message is displayed.
I think there are other important subdirectories in the "...glpi" directory that will be hidden from the web server.

Can someone help me?

Thanks.

GLPI 10.0.7 ( => /var/www/glpi_web)
Installation mode: TARBALL
Current language:cs_CZ

Operating system: Linux GLPI 5.10.0-22-amd64 #1 SMP Debian 5.10.178-3 (2023-04-22) x86_64
PHP 8.2.5 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apcu, bz2, calendar,
	ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli,
	mysqlnd, openssl, pcre, pdo_mysql, posix, random, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem,
	sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="600" memory_limit="64M" post_max_size="8M" safe_mode="" session.save_handler="files"
	upload_max_filesize="2M" 
Software: Apache/2.4.56 (Debian) (Apache/2.4.56 (Debian) Server at 10.112.0.100 Port 80)
	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Server Software: Debian 11
	Server Version: 10.5.19-MariaDB-0+deb11u2
	Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
	Parameters: glpi_user@localhost/glpi_db
	Host info: Localhost via UNIX socket
	
PHP version (8.2.5) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, json, simplexml.
curl extension is installed.
gd extension is installed.
intl extension is installed.
libxml extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.5.19) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/lib/glpi/_cache has been validated.
The directory could not be created in /etc/glpi/.
Write access to /var/lib/glpi/_cron has been validated.
Write access to /var/lib/glpi has been validated.
Write access to /var/lib/glpi/_dumps has been validated.
Write access to /var/lib/glpi/_graphs has been validated.
Write access to /var/lib/glpi/_lock has been validated.
Write access to /var/lib/glpi/_pictures has been validated.
Write access to /var/lib/glpi/_plugins has been validated.
Write access to /var/lib/glpi/_rss has been validated.
Write access to /var/lib/glpi/_sessions has been validated.
Write access to /var/lib/glpi/_tmp has been validated.
Write access to /var/lib/glpi/_uploads has been validated.

Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details.
GLPI data directories are located in a secured path.
Sessions configuration is secured.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/glpi_web/marketplace has been validated.
Timezones seems loaded in database.

GLPI_ROOT: "/var/www/glpi_web"
GLPI_CONFIG_DIR: "/etc/glpi/"
GLPI_VAR_DIR: "/var/lib/glpi"
GLPI_LOG_DIR: "/var/log/glpi"
GLPI_MARKETPLACE_DIR: "/var/www/glpi_web/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\\/\\/[^@:]+(\\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_DOC_DIR: "/var/lib/glpi"
GLPI_CACHE_DIR: "/var/lib/glpi/_cache"
GLPI_CRON_DIR: "/var/lib/glpi/_cron"
GLPI_DUMP_DIR: "/var/lib/glpi/_dumps"
GLPI_GRAPH_DIR: "/var/lib/glpi/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/lib/glpi/_locales"
GLPI_LOCK_DIR: "/var/lib/glpi/_lock"
GLPI_PICTURE_DIR: "/var/lib/glpi/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/lib/glpi/_plugins"
GLPI_RSS_DIR: "/var/lib/glpi/_rss"
GLPI_SESSION_DIR: "/var/lib/glpi/_sessions"
GLPI_TMP_DIR: "/var/lib/glpi/_tmp"
GLPI_UPLOAD_DIR: "/var/lib/glpi/_uploads"
GLPI_INVENTORY_DIR: "/var/lib/glpi/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/glpi-plugins/"
GLPI_I18N_DIR: "/var/www/glpi_web/locales"
GLPI_VERSION: "10.0.7"
GLPI_SCHEMA_VERSION: "10.0.7@5d45269702917a32805e25b678f6779a98b145f6"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.3.0"
GLPI_YEAR: "2023"


#2 2023-05-15 20:27:19

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,813
Website

Re: Web server root directory configuration is not safe

Please post your Apache vhost configuration.


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.


#3 2023-05-17 21:56:40

Mamo
Member
From: Czech republic
Registered: 2023-05-15
Posts: 25

Re: Web server root directory configuration is not safe

Thanks for your reaction. We finally solved it.
Sorry for the unnecessary question.


#4 2023-05-17 22:40:43

sandroalves
Member
Registered: 2021-07-03
Posts: 33

Re: Web server root directory configuration is not safe

Mamo wrote:

Thanks for your reaction. We finally solved it.
Sorry for the unnecessary question.

Hello,

I have the same problem, but my environment is Windows.

I did the same file movement that you mentioned and it also gave an error.

How did you solve it?

How is your directory structure?

Thanks.


#5 2023-05-18 16:45:58

kaczy
Member
Registered: 2023-03-23
Posts: 4

Re: Web server root directory configuration is not safe

I also need help. Thanks


#6 2023-05-18 17:51:47

Mamo
Member
From: Czech republic
Registered: 2023-05-15
Posts: 25

Re: Web server root directory configuration is not safe

We changed the site configuration and .htaccess (moving settings from .htaccess to .conf).

BEFORE

glpi_ssl.conf

<VirtualHost _default_:443>
    ServerName glpi_server.local

    ServerAdmin webmaster@localhost

    # DocumentRoot is the GLPI root itself, so config/, files/, inc/ and the
    # rest of the tree are reachable over HTTP; this is what the GLPI check flags.
    DocumentRoot /var/www/glpi

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    SSLVerifyClient optional_no_ca

    ErrorLog ${APACHE_LOG_DIR}/error_glpi.log
    CustomLog ${APACHE_LOG_DIR}/access_glpi.log combined

</VirtualHost>

.htaccess for "/var/www/glpi"

<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule api/(.*)$ apirest.php/$1
</IfModule>


AFTER

glpi_ssl.conf

<VirtualHost _default_:443>
    ServerName glpi.local

    ServerAdmin webmaster@localhost

    # Only the public/ subdirectory is served; config/, files/, inc/ and the
    # rest of the GLPI tree stay outside the web root.
    DocumentRoot /var/www/glpi_web/public

    <Directory /var/www/glpi_web/public>
        Require all granted

        RewriteEngine On

        # Route every request that is not an existing file or directory
        # through GLPI's front controller (public/index.php).
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ index.php [QSA,L]

        # Carried over from the old .htaccess. The catch-all rule above has
        # the [L] flag and already rewrites every request for a non-existent
        # path, so this rule only sees requests for files that exist under
        # public/ and has no effect in practice.
        RewriteRule api/(.*)$ apirest.php/$1
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    SSLVerifyClient optional_no_ca

    ErrorLog ${APACHE_LOG_DIR}/error_glpi.log
    CustomLog ${APACHE_LOG_DIR}/access_glpi.log combined

</VirtualHost>

.htaccess for "/var/www/glpi" (probably not needed)

<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

<IfModule !mod_authz_core.c>
    deny from all
</IfModule>


The GLPI_ROOT setting remained "/var/www/glpi".
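An added example, not GLPI's code and not the configuration from this post: a small Python audit that reads an Apache vhost and reports the two things that matter in the BEFORE/AFTER change above, namely whether DocumentRoot is the GLPI root or its public/ subdirectory, and whether the public <Directory> block routes requests through index.php. It also flags RewriteRules that sit behind a catch-all rule with [L], which is the situation of the api rule carried over from the old .htaccess. The embedded vhost strings are constructed, cut-down copies of the two configs posted here; the GLPI root is passed in as an argument.

```python
import re
from dataclasses import dataclass

# Constructed input: the BEFORE and AFTER vhosts posted in this thread, cut
# down to the directives the audit inspects (TLS and logging lines dropped).
BEFORE_VHOST = """\
<VirtualHost _default_:443>
    ServerName glpi_server.local
    DocumentRoot /var/www/glpi
</VirtualHost>
"""

AFTER_VHOST = """\
<VirtualHost _default_:443>
    ServerName glpi.local
    DocumentRoot /var/www/glpi_web/public
    <Directory /var/www/glpi_web/public>
        Require all granted
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ index.php [QSA,L]
        RewriteRule api/(.*)$ apirest.php/$1
    </Directory>
</VirtualHost>
"""

# mod_rewrite patterns that match any request path.
CATCH_ALL = {"^(.*)$", "^.*$", "(.*)", ".*", "^(.*)", "(.*)$"}


@dataclass
class Finding:
    level: str      # "ok" or "warn"
    message: str


def _norm(path):
    return path.rstrip("/")


def rewrite_rules(block):
    """(pattern, target, flags) for each RewriteRule in `block`, in file order."""
    rules = []
    for m in re.finditer(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", block, re.M):
        flags = {f.strip().upper() for f in (m.group(3) or "").split(",") if f.strip()}
        rules.append((m.group(1), m.group(2), flags))
    return rules


def audit_vhost(text, glpi_root):
    """Findings for one vhost, given the directory the GLPI tarball was unpacked in."""
    root = _norm(glpi_root)
    public = f"{root}/public"
    m = re.search(r"^\s*DocumentRoot\s+(\S+)", text, re.M)
    if not m:
        return [Finding("warn", "no DocumentRoot directive found")]
    docroot = _norm(m.group(1))
    if docroot == root:
        return [Finding("warn", f"DocumentRoot {docroot} is the GLPI root: config/, files/, inc/ "
                                "and other non-public files are reachable over HTTP")]
    if docroot != public:
        return [Finding("warn", f"DocumentRoot {docroot} is neither the GLPI root nor {public}")]
    findings = [Finding("ok", f"DocumentRoot {docroot} serves only the public/ directory")]

    # The <Directory> block whose path is the DocumentRoot, if there is one.
    block = next((d.group(2) for d in re.finditer(r"<Directory\s+(\S+)>(.*?)</Directory>", text, re.S | re.I)
                  if _norm(d.group(1)) == docroot), None)
    if block is None:
        findings.append(Finding("warn", "no <Directory> block for the public DocumentRoot: unless an "
                                        ".htaccess supplies the rewrite, /front/*.php URLs return 404"))
        return findings

    routed, shadowed = False, False
    for pattern, target, flags in rewrite_rules(block):
        if shadowed:
            findings.append(Finding("warn", f"RewriteRule {pattern} -> {target} is shadowed by the catch-all "
                                            "[L] rule above it and has no effect for non-existent paths"))
            continue
        if pattern in CATCH_ALL:
            routed = routed or target.endswith("index.php")
            shadowed = "L" in flags
    if not routed:
        findings.append(Finding("warn", "no catch-all RewriteRule to index.php: requests are not "
                                        "routed through the GLPI front controller"))
    return findings


def has_warning(findings, needle):
    return any(f.level == "warn" and needle in f.message for f in findings)


if __name__ == "__main__":
    for label, vhost, root in (("BEFORE", BEFORE_VHOST, "/var/www/glpi"),
                               ("AFTER", AFTER_VHOST, "/var/www/glpi_web")):
        print(f"== {label}")
        for f in audit_vhost(vhost, root):
            print(f"  [{f.level}] {f.message}")
```

Run as-is it audits the two embedded snippets; to audit a real server, pass the contents of the vhost file and the GLPI_ROOT value to `audit_vhost`. The only warning on the AFTER config is the shadowed api rule: the catch-all rule above it carries [L], so the api rule never rewrites a request for a path that does not exist. The audit reads mod_rewrite directives only; it does not evaluate AllowOverride or any .htaccess that Apache may apply on top of the vhost.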


#7 2023-05-19 18:07:20

salimedwardo
Member
Registered: 2022-12-11
Posts: 9

Re: Web server root directory configuration is not safe

Thanks for your reaction. We finally solved it.


#8 2023-05-19 20:08:16

kaczy
Member
Registered: 2023-03-23
Posts: 4

Re: Web server root directory configuration is not safe

Thanks!


#9 2023-05-20 18:39:02

sandroalves
Member
Registered: 2021-07-03
Posts: 33

Re: Web server root directory configuration is not safe

Hi,

It still didn't work for me. I've always used a Windows server with GLPI and I can't figure out what to do to adjust it.

I created a new IIS website and put all the files in the same directory.

But in the site path, when I point to the root path the setup works.

But when I point the path to the public directory it shows a 404 error.

Another option I can do is change the paths, but I also don't understand how I should do it.

The following directories must be stored outside of "Unit:\WebSites\glpi":
‣ "Unit:\WebSites\glpi/files" ("GLPI_VAR_DIR")
‣ "Unit:\WebSites\glpi\config" ("GLPI_CONFIG_DIR")

I don't understand which path format I should put in the variable.

Thanks.

Thanks.

Last edited by sandroalves (2023-05-20 19:07:56)
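An added example, not GLPI's code (GLPI's own check is not reproduced here): a stand-alone Python illustration of the rule behind the message quoted above, that a data directory must be outside the GLPI tree. Paths are normalised before comparison, so forward slashes, backslashes, the mixed "glpi/files" form in the message, ".." segments and, on Windows, case differences all resolve the same way, and a sibling directory whose name merely starts with the root name is not treated as inside it. The Linux sample uses the GLPI_* values from the first post; the Windows sample is constructed, with "C:" substituted for the "Unit:" placeholder and one corrected location added for comparison.

```python
import ntpath
import posixpath
from pathlib import PurePosixPath, PureWindowsPath

# Constructed samples. Linux values are the GLPI_* paths from the first post
# (GLPI_MARKETPLACE_DIR sits under the GLPI root by design and is listed only
# to show the check detecting it). The Windows set is constructed.
LINUX_ROOT = "/var/www/glpi_web"
LINUX_DIRS = {
    "GLPI_CONFIG_DIR": "/etc/glpi/",
    "GLPI_VAR_DIR": "/var/lib/glpi",
    "GLPI_LOG_DIR": "/var/log/glpi",
    "GLPI_MARKETPLACE_DIR": "/var/www/glpi_web/marketplace",
}
WINDOWS_ROOT = r"C:\WebSites\glpi"
WINDOWS_DIRS = {
    "GLPI_VAR_DIR": r"C:\WebSites\glpi/files",               # mixed separators, as in the message
    "GLPI_CONFIG_DIR": r"c:\websites\GLPI\config",           # different case, same directory
    "GLPI_LOG_DIR": r"C:\WebSites\glpi\..\glpi_data\logs",   # ".." leaves the root: outside
}


def is_inside(path, root, windows):
    """True if `path` is `root` or a descendant of it, after normalisation."""
    mod = ntpath if windows else posixpath
    cls = PureWindowsPath if windows else PurePosixPath
    p = cls(mod.normpath(path))    # collapses ".." and unifies separators
    r = cls(mod.normpath(root))
    if not (p.is_absolute() and r.is_absolute()):
        raise ValueError("absolute paths required")
    pp, rp = list(p.parts), list(r.parts)
    if windows:                    # NTFS names compare case-insensitively
        pp = [s.lower() for s in pp]
        rp = [s.lower() for s in rp]
    # Compare path components, not string prefixes, so /var/www/glpi_web2
    # is not mistaken for a child of /var/www/glpi_web.
    return pp[:len(rp)] == rp


def exposed_dirs(dirs, root, windows):
    """The GLPI_* entries whose directory lies inside the GLPI root."""
    return {name: path for name, path in dirs.items() if is_inside(path, root, windows)}


if __name__ == "__main__":
    for label, dirs, root, win in (("Linux", LINUX_DIRS, LINUX_ROOT, False),
                                   ("Windows", WINDOWS_DIRS, WINDOWS_ROOT, True)):
        print(f"== {label}, root {root}")
        for name, path in dirs.items():
            state = "INSIDE root, move it" if name in exposed_dirs(dirs, root, win) else "outside root"
            print(f"  {name:22} {path:40} {state}")
```

The separator itself is not the problem: PHP on Windows accepts both "\" and "/" in paths, and both samples above compare equal once normalised. What the check cares about is the resolved location, which is why "C:\WebSites\glpi/files" is reported as inside the root while "C:\WebSites\glpi\..\glpi_data\logs" is not.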

