You don't create any new folders or move any of the GLPI files.
The change is strictly done within the web server configuration so that when someone requests /front/central.php for example, the web server transparently redirects it to /public/front/central.php.
Of course, that file doesn't actually exist there, but the request will be handled by the /public/index.php script which verifies it is a file that is allowed to be accessed over the web and then directs the request to the real file if so.
GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.
Offline
@alexkenon:
Public folder is available by default, you don't need to create it or add folders in it. You just need to modify the conf file for Apache in /etc/apache2/sites-available.
@cconard96: I would like to know why the Alias option is not working. I've got 403 error forbidden when I define //namerserver/glpi rather than //namerserver when it is pointing to the public folder to avoid the warning about "Web server root directory configuration is not safe".
Is there a way to fix it? I think this is a bug in the GLPI 10.0.7 version.
Regards.
Last edited by pierreL (2023-06-29 13:18:54)
Offline
Hello,
According to a message at Github one can use an "Alias" directive if you have installed glpi in a subdirectory
Alias "/glpi/" "/path/to/your/glpi/"
I tried several variants of this, but it wasn't working for me. I got empty pages, directory index listings instead of the login page and Internal Server errors ("Request exceeded the limit of 10 internal redirects"). I ended up setting DocumentRoot to /var/www/glpi/public with a RewriteRule which rewrites /glpi/ to the root directory:
RewriteRule ^/glpi/(.*)$ /$1 [R=301,NC,L]
It is advisable to change the URL in glpi-agent config accordingly
I tried your tip but it doesn't work. https://mynameserver/glpi -> The requested URL was not found on this server. I'm fed up with that 10.0.7 version. It worked with the previous version and now that we must point to public folder, we've got 403 forbidden error or not found errors.
In my case, I set Alias like this : Alias "/glpi/" "/var/www/glpi/" and DocumentRoot is /var/www/glpi/public
!news!: It works with http://mynameserver/glpi/ but I've still got the "Web server root directory configuration is not safe" message.
Last edited by pierreL (2023-06-29 14:32:03)
Offline
Thank you for your quick help!
Do I understand correctly what needs to be redone like this?
Now I have this configuration
root@VM01:/etc/apache2/sites-enabled# cat glpi.conf
<VirtualHost *:443>
    ServerName vm01.domain.com
    ServerAlias servicedesk.domain.com
    DocumentRoot /var/www/glpi
    SSLEngine on
    SSLCertificateFile ssl/cert.pem
    SSLCertificateKeyFile ssl/cert.key
    #SSLCertificateChainFile ssl/cert.ca-bundle
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin it@domain.com
    DocumentRoot /var/www/glpi
    ServerName vm01.domain.com
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    <Directory /var/www/glpi>
        Options FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/vm01_error.log
    CustomLog ${APACHE_LOG_DIR}/vm01_access.log combined
</VirtualHost>
And I just take it and do it like this?
root@VM01:/etc/apache2/sites-enabled# cat glpi.conf
<VirtualHost *:443>
    ServerName vm01.domain.com
    ServerAlias servicedesk.domain.com
    DocumentRoot /var/www/glpi/public
    SSLEngine on
    SSLCertificateFile ssl/cert.pem
    SSLCertificateKeyFile ssl/cert.key
    #SSLCertificateChainFile ssl/cert.ca-bundle
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin it@domain.com
    DocumentRoot /var/www/glpi/public
    ServerName vm01.domain.com
    <Directory /var/www/glpi/public>
        Options FollowSymlinks
        AllowOverride All
        Require all granted
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/vm01_error.log
    CustomLog ${APACHE_LOG_DIR}/vm01_access.log combined
</VirtualHost>
Is it true or not? Thank you very much in advance!
Offline
@alexkenon: Yes it is good but in my case, I added it in <VirtualHost *:443>:
<Directory /var/www/glpi/public>
    Options FollowSymlinks
    AllowOverride All
    Require all granted
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php [QSA,L]
</Directory>
The only problem that we encounter is that we can't connect with that address: http(s)://yournameserver/glpi/ anymore. (It worked before.) Now, it is http(s)://yournameserver/ that is used. If you try http(s)://yournameserver/glpi/ you've got a 403 forbidden error.
Last edited by pierreL (2023-06-29 15:10:29)
Offline
Hi. Yes, that's right, I need to add to section 443. I did as in the instructions without adding this:
Options FollowSymlinks
AllowOverride All
In the end, it turned out like this:
<VirtualHost *:443>
    ServerName ....
    ServerAlias ....
    DocumentRoot /var/www/glpi/public
    <Directory /var/www/glpi/public>
        Require all granted
        RewriteEngine On
        # Redirect all requests to GLPI router, unless file exists.
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
    SSLEngine on
    SSLCertificateFile ssl/cert.pem
    SSLCertificateKeyFile ssl/cert.key
    #SSLCertificateChainFile ssl/cert.ca-bundle
</VirtualHost>
Could you show your section (virtualhost) 80?
Offline
@alexkenon: You can see my last config file here: forum.glpi-project.org/viewtopic.php?pid=502744#p502744
Offline
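An added example, not part of the thread or of GLPI: a small Python check for the point made in the exchange above, that every VirtualHost (port 443 as well as port 80) needs DocumentRoot on public/ plus the router rewrite. The sample configuration is constructed from the one proposed in the thread; the function names are hypothetical, and rules kept in .htaccess files are not examined.

```python
import re

# Constructed sample modelled on the configuration proposed in the thread:
# the rewrite block exists only in the :80 vhost, the :443 vhost has none.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName vm01.domain.com
    DocumentRoot /var/www/glpi/public
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName vm01.domain.com
    DocumentRoot /var/www/glpi/public
    <Directory /var/www/glpi/public>
        Require all granted
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)


def strip_comments(text):
    """Drop full-line comments so commented-out directives are not counted."""
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))


def directive(body, name):
    """Return the argument of the first `name` directive in body, or None."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", body, re.M | re.I)
    return m.group(1).strip('"') if m else None


def audit_vhost(body):
    """List the problems found in one <VirtualHost> body (empty list = OK)."""
    findings = []
    top_level = DIR_RE.sub("", body)  # directives outside any <Directory>
    docroot = directive(top_level, "DocumentRoot")
    if docroot is None:
        return ["no DocumentRoot"]
    docroot = docroot.rstrip("/")
    if not docroot.endswith("/public"):
        findings.append(f"DocumentRoot {docroot} is not the public/ folder")
    blocks = {p.strip().rstrip("/"): b for p, b in DIR_RE.findall(body)}
    block = blocks.get(docroot)
    if block is None:
        findings.append(f"no <Directory {docroot}> block, so no router rewrite")
        return findings
    if (directive(block, "RewriteEngine") or "").lower() != "on":
        findings.append("RewriteEngine is not On")
    if not re.search(r"^\s*RewriteCond\s+%\{REQUEST_FILENAME\}\s+!-f", block, re.M | re.I):
        findings.append("missing RewriteCond %{REQUEST_FILENAME} !-f")
    if not re.search(r"^\s*RewriteRule\s+\S+\s+index\.php\b", block, re.M | re.I):
        findings.append("missing RewriteRule to index.php")
    return findings


def audit_config(text):
    """Map each VirtualHost address (e.g. '*:443') to its list of findings."""
    text = strip_comments(text)
    return {addr.strip(): audit_vhost(body) for addr, body in VHOST_RE.findall(text)}


if __name__ == "__main__":
    for addr, findings in audit_config(SAMPLE_CONF).items():
        print(addr, "OK" if not findings else "; ".join(findings))
```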
I do have difficulties with nginx configuration and
"Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details."
First I was on the completely path and move files in to public. But now I have the feeling I'm right, but could not create any situation when the configuration is working.
Current configuration 10.0.3:
URL to Web https__ownasset.domain.tld_ (so without glpi - dashboard url https__ownasset.domain.tld_front/central.php
Path to unzipped GLPI: /var/nginx/html/ changed in the process to /var/www/glpi
server {
    listen 80;
    server_name ownasset.domain.tld;
    root /var/nginx/html/;
    return 301 https://$host;
    include /etc/nginx/default.d/*.conf;
    access_log /var/log/nginx/asset.access.log main;
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
# HTTPS server
#
server {
    listen 443 ssl;
    server_name ownasset.domain.tld;
    root /var/www/glpi/;
    client_max_body_size 10M;
    include /etc/nginx/default.d/*.conf;
    ssl_certificate /etc/pki/tls/certs/*****.crt;
    ssl_certificate_key /etc/pki/tls/private/*****.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
Installation of 10.0.9 successfully worked. Moved config / files / log as advised. All fine so far, only the warning "Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details." is there as intended.
If I change now the "root" to /var/www/glpi/public without moving files or whatsoever I'm able to login but afterwards I receive "File not found."
For easier reading I only give you the https conf
# HTTPS server
#
server {
    listen 443 ssl;
    server_name ownasset.domain.tld;
    root /var/www/glpi/public;
    client_max_body_size 10M;
    include /etc/nginx/default.d/*.conf;
    ssl_certificate /etc/pki/tls/certs/*****.crt;
    ssl_certificate_key /etc/pki/tls/private/*****.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
I also tried adding
server {
    listen 443 ssl;
    server_name ownasset.domain.tld;
    root /var/www/glpi/public;
    client_max_body_size 10M;
    include /etc/nginx/default.d/*.conf;
    location / {
        try_files $uri /index.php$is_args$args;
    }
    location ~ ^/index\.php$ {
        # the following line needs to be adapted, as it changes depending on OS distributions and PHP versions
        fastcgi_pass unix:/run/php-fpm/www.sock;
        #server unix:/run/php-fpm/www.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    ssl_certificate /etc/pki/tls/certs/*****.crt;
    ssl_certificate_key /etc/pki/tls/private/****.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
What am I missing
Offline
anyone using nginx with glpi?
Offline
Hi. For those that are using Apache I've recently found a solution for this issue that has worked for me.
My DocumentRoot was "/var/www/html". When I installed GLPI last year I extracted the compressed file glpi-10.0.4 in another folder and then moved the files, so my glpi document root wasn't "/var/www/html/glpi/".
Apparently, it is important to have it in that folder to work after 10.0.7. Until the update and this public folder change, the webserver was working fine.
My virtualhost config file before:
<VirtualHost *:80>
    ServerName glpi.local
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/public
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Then I created a folder named glpi inside /var/www/html/ and moved all files that were on html to it.
My virtualhost config file after:
<VirtualHost *:80>
    ServerName glpi.local
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/glpi/public
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/html/glpi/public>
        Require all granted
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
</VirtualHost>
After that the alert disappeared and the webserver started to work normally.
So if you don't have your DocumentRoot in the folder "/var/www/html/glpi", as I had, I recommend you do it this way.
Maybe it is the same problem if you are using nginx, but I haven't tried.
Hope it helps you too.
Last edited by TheToyDoll (2023-09-13 15:50:57)
Offline
Hello
I have two vhosts, one in http which redirects to the second in https.
When I add these lines on the https vhost my Apache service gives me an error after restart and I have no access to glpi.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
Does someone have an idea?
Offline
It's OK with the command "a2enmod rewrite", and afterwards I always had a problem loading the glpi home page.
So I made only one vhost for both http 80 and https 443, with redirection from 80 to 443:
<VirtualHost *:80>
    ServerName glpi.mydomain.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/glpi/public
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Redirect Permanent / https://glpi.mydomainssl.com
    <Directory /var/www/html/glpi/public>
        Require all granted
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName glpi.mydomain.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/glpi/public
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile mypath
    SSLCertificateKeyFile mypath
    <Directory "/var/www/html/glpi/public">
        Require all granted
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
</VirtualHost>
Offline
Hello.
I'm using IIS and the file in inetpub\GPLI\src\System\Requirement\SafeDocumentRoot.php contains this...
if (realpath($initial_script) === realpath(sprintf('%s/public/index.php', GLPI_ROOT))) {
    // Configuration is safe if install/update script is accessed through `public/index.php` router script.
    $this->validated = true;
    $this->validation_messages[] = __('Web server root directory configuration seems safe.');
} else {
    $this->validated = false;
    $this->validation_messages[] = __('Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details.');
}
I updated to this code and the message disappeared...
namespace Glpi\System\Requirement;

/**
 * @since 10.0.7
 */
final class SafeDocumentRoot extends AbstractRequirement
{
    public function __construct()
    {
        $this->title = __('Safe configuration of web root directory');
        $this->description = sprintf(
            __('Web server root directory should be `%s` to ensure non-public files cannot be accessed.'),
            realpath(GLPI_ROOT) . DIRECTORY_SEPARATOR . 'public'
        );
        $this->optional = true;
    }

    protected function check()
    {
        if (isCommandLine()) {
            $this->out_of_context = true;
            $this->validated = false;
            $this->validation_messages[] = __('Checking web server root directory configuration cannot be done on CLI context.');
            return;
        }
        // Modify this part to check whether the directory structure is configured correctly.
        $webRoot = realpath(GLPI_ROOT);
        $publicDir = $webRoot . DIRECTORY_SEPARATOR . 'public';
        // Checks whether the web server root directory is configured correctly.
        if (is_dir($publicDir) && file_exists($publicDir . DIRECTORY_SEPARATOR . 'index.php')) {
            $this->validated = true;
            $this->validation_messages[] = __('Web server root directory configuration seems safe.');
        } else {
            $this->validated = false;
            $this->validation_messages[] = __('Web server root directory configuration is safe.');
        }
    }
}
Last edited by Jow-Indio (2023-10-27 15:07:44)
Offline
That is not a solution. It would always believe the web configuration was safe even though it isn't. The point of that code was to determine if the first PHP script called is the index.php from the public folder. As long as you set the document root in the web config to the "public" folder inside GLPI, and then configure a rewrite for all requests so that they are redirected to the "public" folder, the GLPI code should work.
For example, a request to "/front/central.php" would be rewritten as "/public/front/central.php". Since there is no "/front/central.php" inside the public folder, the request is automatically handled by "public/index.php" which then calls code to proxy the request back to the actual "/front/central.php" script after checking that it is a file allowed to be accessed through the web (it is).
GLPI Collaborator and Plugin Developer.
Offline
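An added example, not GLPI code and not from any poster: a Python model of the two conditions discussed above, showing why the original check separates a safe document root from an unsafe one while the replacement passes in every case. It assumes `$initial_script` is the first PHP script the web server executed for the request; the directory tree, the symlinked document root and the function names are constructed for the illustration.

```python
import os
import tempfile


def original_check(glpi_root, initial_script):
    """Condition quoted in the thread: the first script run must be public/index.php."""
    router = os.path.join(glpi_root, "public", "index.php")
    return os.path.realpath(initial_script) == os.path.realpath(router)


def patched_check(glpi_root, initial_script):
    """The replacement posted in the thread: it only looks at what exists on disk
    and never consults the script that actually served the request."""
    public_dir = os.path.join(os.path.realpath(glpi_root), "public")
    return os.path.isdir(public_dir) and os.path.exists(os.path.join(public_dir, "index.php"))


def build_tree(base):
    """Constructed miniature GLPI tree: the router in public/, a page in front/."""
    root = os.path.join(base, "glpi")
    for rel in ("public/index.php", "front/central.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    # Hypothetical layout where the document root is a symlink to public/
    os.symlink(os.path.join(root, "public"), os.path.join(base, "webroot"))
    return root


def evaluate():
    """Return {scenario: (original_result, patched_result)}."""
    with tempfile.TemporaryDirectory() as base:
        root = build_tree(base)
        scenarios = {
            # Document root = GLPI root: the server executes front/central.php itself
            "docroot=glpi": os.path.join(root, "front", "central.php"),
            # Document root = public/ with the rewrite: the router runs first
            "docroot=public": os.path.join(root, "public", "index.php"),
            # Same, reached through a symlink; realpath resolves it
            "docroot=symlink": os.path.join(base, "webroot", "index.php"),
        }
        return {
            name: (original_check(root, script), patched_check(root, script))
            for name, script in scenarios.items()
        }


if __name__ == "__main__":
    for name, (orig, patched) in evaluate().items():
        print(f"{name:16} original={orig!s:5} patched={patched}")
```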
Hello,
In IIS where can I change the request to point to public? The message is very annoying...
Offline
Did you try the configuration in the installation documentation?
GLPI Collaborator and Plugin Developer.
Offline
For Apache I solved it,
After I have changed my
# nano /etc/apache2/sites-available/name_of_your.conf
as below
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/glpi/public
    ServerName myserver.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/STAR_mysite.crt
    SSLCertificateKeyFile /etc/ssl/private/mysite.key
    SSLCertificateChainFile /etc/ssl/certs/STAR_mysite.ca-bundle
    <Directory /var/www/html/glpi/public>
        Options FollowSymLinks
        Require all granted
        AllowOverride All
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ index.php [QSA,L]
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I only have the above code in my .conf file; I don't have anything for port 80 (http).
Then I ran the commands below:
#sudo a2enmod rewrite
#sudo systemctl restart apache2
Note that once you do this you won't be able to reach your glpi as https[:]//yoursite.com/glpi (it will get denied).
You should just access it via the name of your server by simply erasing the "/glpi" part.
example:
old : https[:]//lonesticket.com/glpi
now : https[:]//lonesticket.com
As long as you don't stop, it doesn't matter how slow you go
Offline
Note that once you do this you won't be able to reach your glpi as https[:]//yoursite.com/glpi (it will get denied)
Did you try adding 'Alias "/glpi" "/var/www/html/glpi/public"' in the VirtualHost part?
GLPI Collaborator and Plugin Developer.
Offline
lones wrote:Note that once you do this you won't be able to reach your glpi as https[:]//yoursite.com/glpi (it will get denied)
Did you try adding 'Alias "/glpi" "/var/www/html/glpi/public"' in the VirtualHost part?
No I didn't because I always wanted to reach glpi only by my servername
so actually it solved my 2 problems in one shot
but anyway thank you much for the answer
Regards
As long as you don't stop, it doesn't matter how slow you go
Offline
lones wrote:Note that once you do this you won't be able to reach your glpi as https[:]//yoursite.com/glpi (it will get denied)
Did you try adding 'Alias "/glpi" "/var/www/html/glpi/public"' in the VirtualHost part?
My solution.
Offline
I'm running GLPI on Synology WebStation. I can run it with the nginx webserver but if the root points to "/glpi/public" there is a File Not Found message instead of the proper web page.
While the root points to the "/glpi/" path all works fine, but there is a big orange box screaming at me. Not the best implementation of the "security idea".
On Apache 2.4 there is error 500 no matter what I do.
Is anyone running GLPI on Synology and sorted this out?
Offline
I can run it with the nginx webserver but if the root points to "/glpi/public" there is a File Not Found message instead of the proper web page.
Please post your full nginx server config. The installation documentation has more changes for nginx shown which are required besides the change to the root path.
Not the best implementation of the "security idea"
If you have a better solution that ensures files like configs, uploads, etc are not exposed accidentally over the web, feel free to share your suggestions. This configuration is not unique to GLPI. Plenty of modern web applications utilize this same setup.
GLPI Collaborator and Plugin Developer.
Offline
I suspect a Github Issue needs to be opened about this for remediation. But I'm posting here first because maybe I just don't understand the docs or the problem.
The Official Docs talk about two suggestions.
- Redirect all requests for non-existing files to public/index.php
glpi-install.readthedocs.io/en/latest/prerequisites.html#webserver-configuration
- Block access to everything inside install/ folder.
glpi-install.readthedocs.io/en/latest/install/index.html#post-installation
I followed the guidance to the letter, and the result is this error:
"Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details."
There appears to be some kind of disconnect here. Are the docs wrong, or did I miss some other point in the docs?
Offline
I suspect a Github Issue needs to be opened about this for remediation. But I'm posting here first because maybe I just don't understand the docs or the problem
The error you are getting indicates that the "Redirect all requests for non-existing files to public/index.php" part wasn't completed.
What does your web server config look like currently? Also, was the web server service restarted after making the config change?
GLPI Collaborator and Plugin Developer.
Offline
In the root glpi folder (var/www/glpi), I added a .htaccess file (because testing first with .htaccess is easier than testing in a VHost file) with the following code:
Require all granted
RewriteEngine On
# Redirect all requests to GLPI router, unless file exists.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
............
When I navigate to "mydomain/anything-non-existant-here", browser loads "mydomain/front/central.php" as expected.
I looked at src/System/Requirement/SafeDocumentRoot.php, but to be honest, I don't understand the code. I'm a C# dev.... php is secondary, and I'm not fully understanding the way the check algorithm operates.
Offline