[Pkg-cacti-maint] Bug#660853: cacti: External auth does not work behind a reverse proxy (HTTP_REMOTE_USER contains login, not REMOTE_USER)

Thierry Murgue thierry.murgue at univ-st-etienne.fr
Wed Feb 22 11:53:01 UTC 2012


Package: cacti
Version: 0.8.7g-1+squeeze1
Severity: normal

Please consider checking not only REMOTE_USER, PHP_AUTH_USER and REDIRECT_REMOTE_USER, but also the HTTP_* variants.
Behind a Debian GNU/Linux squeeze reverse proxy running apache2 (see the configuration just below), the authentication information is stored
in HTTP_REMOTE_USER, not in REMOTE_USER.

<Location /cacti>
 ... Some auth directives
 RewriteEngine    on
 RewriteCond  %{LA-U:REMOTE_USER}    (.+)
 RewriteRule . - [E=RU:%1]
 RequestHeader set REMOTE_USER %{RU}e
 
 ProxyPass http://#HOST#/cacti
 ProxyPassReverse http://#HOST#/cacti
</Location> 

Here is a patch, if you decide to insert these checks.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-xen-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cacti depends on:
ii  apache2                2.2.16-6+squeeze6 Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h 2.2.16-6+squeeze6 Apache HTTP Server - traditional n
ii  dbconfig-common        1.8.46+squeeze.0  common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libapache2-mod-php5    5.3.3-7+squeeze8  server-side, HTML-embedded scripti
ii  libphp-adodb           5.10-1            The ADOdb database abstraction lay
ii  mysql-client-5.1 [virt 5.1.49-3          MySQL database client binaries
ii  php5                   5.3.3-7+squeeze8  server-side, HTML-embedded scripti
ii  php5-cli               5.3.3-7+squeeze8  command-line interpreter for the p
ii  php5-mysql             5.3.3-7+squeeze8  MySQL module for php5
ii  php5-snmp              5.3.3-7+squeeze8  SNMP module for php5
ii  rrdtool                1.4.3-1           time-series data storage and displ
ii  snmp                   5.4.3~dfsg-2      SNMP (Simple Network Management Pr
ii  ucf                    3.0025+nmu1       Update Configuration File: preserv

Versions of packages cacti recommends:
ii  iputils-ping                3:20100418-3 Tools to test the reachability of 
ii  logrotate                   3.7.8-6      Log rotation utility
ii  mysql-server                5.1.49-3     MySQL database server (metapackage
ii  mysql-server-5.1 [mysql-ser 5.1.49-3     MySQL database server binaries and

Versions of packages cacti suggests:
pn  php5-ldap                     <none>     (no description available)

-- debconf information excluded
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch
Type: text/x-c
Size: 776 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cacti-maint/attachments/20120222/2290463f/attachment.bin>
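As an added illustration (not cacti's code and not the reporter's patch), the following Python models how Apache exposes a proxy-set REMOTE_USER request header as HTTP_REMOTE_USER, and resolves the login in the order the report asks for while honouring the header variant only when the request came from the reverse proxy. The proxy address 10.0.0.2 and the sample requests are constructed.

```python
# Added example (not cacti's code): how a proxied "REMOTE_USER" header reaches
# the application as HTTP_REMOTE_USER, and how to accept it without trusting
# arbitrary clients. The proxy address 10.0.0.2 is an assumption.
from typing import Dict, Optional

TRUSTED_PROXIES = {"10.0.0.2"}  # assumed address of the reverse proxy

# Lookup order from the bug report; the HTTP_ variant is consulted last and
# only when the request arrived via a trusted proxy.
ENV_VARS = ("REMOTE_USER", "PHP_AUTH_USER", "REDIRECT_REMOTE_USER")
HEADER_VAR = "HTTP_REMOTE_USER"


def cgi_environ(remote_addr: str, headers: Dict[str, str],
                auth_user: Optional[str] = None) -> Dict[str, str]:
    """Model the CGI / $_SERVER view of a request.

    Request headers are exposed as HTTP_<NAME> (upper-cased, '-' -> '_'),
    so the proxy's 'REMOTE_USER: alice' header lands in HTTP_REMOTE_USER,
    while REMOTE_USER itself is only set by the local server's auth module.
    """
    env = {"REMOTE_ADDR": remote_addr}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    if auth_user:
        env["REMOTE_USER"] = auth_user
    return env


def resolve_external_user(env: Dict[str, str]) -> Optional[str]:
    """Return the externally authenticated login, or None if there is none."""
    for var in ENV_VARS:  # set by the local server: trusted as before
        if env.get(var):
            return env[var]
    # HTTP_REMOTE_USER comes from a request header any client can send; honour
    # it only when the request comes from the proxy known to overwrite it.
    if env.get(HEADER_VAR) and env.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return env[HEADER_VAR]
    return None


if __name__ == "__main__":
    # Constructed requests: via the proxy, sent directly, and local auth.
    via_proxy = cgi_environ("10.0.0.2", {"REMOTE_USER": "alice"})
    direct = cgi_environ("203.0.113.9", {"REMOTE_USER": "admin"})
    local = cgi_environ("10.0.0.2", {"REMOTE_USER": "alice"}, auth_user="bob")
    print(resolve_external_user(via_proxy))  # alice
    print(resolve_external_user(direct))     # None
    print(resolve_external_user(local))      # bob
```

The precedence keeps the existing REMOTE_USER / PHP_AUTH_USER / REDIRECT_REMOTE_USER behaviour unchanged and only adds the header variant behind a source-address check.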