[Pkg-nagios-changes] [pkg-check-mk] 01/01: update debian/apache.* configs based on newer upstream, disable potentially dangerous multisite services and add comments explaining why

Matt Taggart taggart at moszumanska.debian.org
Sat Jun 6 00:09:50 UTC 2015 

This is an automated email from the git hooks/post-receive script.

taggart pushed a commit to branch master
in repository pkg-check-mk.

commit 5b6ef2efbebfe4de2d3db9848c10dfd805612b52
Author: Matt Taggart <taggart at debian.org>
Date:   Fri Jun 5 17:08:48 2015 -0700

    update debian/apache.* configs based on newer upstream, disable potentially dangerous multisite services and add comments explaining why
---
 debian/apache.icinga  | 59 ++++++++++++++++++++++++++++++++++++++-------------
 debian/apache.nagios3 | 59 ++++++++++++++++++++++++++++++++++++++-------------
 debian/changelog      |  3 +++
 3 files changed, 91 insertions(+), 30 deletions(-)

diff --git a/debian/apache.icinga b/debian/apache.icinga
index 459b898..bf9da8d 100644
--- a/debian/apache.icinga
+++ b/debian/apache.icinga
@@ -1,4 +1,4 @@
-# Created by setup of check_mk version 1.1.6p1
+# Created by setup of check_mk version 1.2.6p4
 # This file will *not* be overwritten at the next setup
 # of check_mk. You may edit it as needed. In order to get
 # a new version, please delete it and re-run setup.sh.
@@ -10,12 +10,12 @@
 # inconveniance.
 
 <IfModule mod_python.c>
-    Alias /check_mk /usr/share/check_mk/web/htdocs
-    <Directory /usr/share/check_mk/web/htdocs>
+  Alias /check_mk /usr/share/check_mk/web/htdocs
+  <Directory /usr/share/check_mk/web/htdocs>
         AddHandler mod_python .py
         PythonHandler index
-        PythonDebug On 
-        DirectoryIndex index.py
+        PythonDebug On
+	DirectoryIndex index.py
 
         #Handle apache 2.2 and 2.4
         <IfVersion >= 2.3>
@@ -25,23 +25,52 @@
             Order deny,allow
             allow from all
         </IfVersion>
-        # Need Nagios authentification. Please edit the
-        # following: Set AuthName and AuthUserFile to the
-        # same value that you use for your Nagios configuration!
-        AuthName "Icinga Access"
+	# Need Nagios authentification. Please edit the
+	# following: Set AuthName and AuthUserFile to the
+	# same value that you use for your Nagios configuration!
+        Order deny,allow
+        allow from all
+	AuthName "Icinga Access"
         AuthType Basic
         AuthUserFile /etc/icinga/htpasswd.users
         require valid-user
 
-        ErrorDocument 403 "<h1>Authentication Problem</h1>Either you've entered an invalid password or the authentication<br>configuration of your check_mk web pages is incorrect.<br><br>Please make sure that you've edited the file<br><tt>/etc/apache2/conf.d/check_mk</tt> and made it use the same<br>authentication settings as your Nagios web pages.<br>Restart Apache afterwards."
-        ErrorDocument 500 "<h1>Server or Configuration Problem</h1>A Server problem occurred. You'll find details in the error log of Apache. One possible reason is, that the file <tt>/etc/nagios/htpasswd.users</tt> is missing. You can create that file with <tt>htpasswd</tt> or <tt>htpasswd2</tt>. A better solution might be to use your existing htpasswd file from your Nagios installation. Please edit <tt>/etc/apache2/conf.d/check_mk</tt> and change the path there. Restart Apache afterwards."
-      </Directory>
+	ErrorDocument 403 "<h1>Authentication Problem</h1>Either you've entered an invalid password or the authentication<br>configuration of your check_mk web pages is incorrect.<br><br>Please make sure that you've edited the file<br><tt>/etc/apache2/conf.d/check_mk</tt> and made it use the same<br>authentication settings as your Nagios web pages.<br>Restart Apache afterwards."
+	ErrorDocument 500 "<h1>Server or Configuration Problem</h1>A Server problem occurred. You'll find details in the error log of Apache. One possible reason is, that the file <tt>/etc/icinga/htpasswd.users</tt> is missing. You can create that file with <tt>htpasswd</tt> or <tt>htpasswd2</tt>. A better solution might be to use your existing htpasswd file from your Nagios installation. Please edit <tt>/etc/apache2/conf.d/check_mk</tt> and change the path there. Restart Apache afterwards."
+  </Directory>
+  ## WARNING: automation is part of multisite, more information at
+  ##  http://mathias-kettner.com/checkmk_multisite_automation.html
+  ## It uses a shared secret rather than HTTP Auth for authentication and
+  ## and is potentially exposed to public networks so is disabled on Debian
+  ## by default. If you need this feature, be sure you understand the
+  ## security implications and take necessary precautions before turning it on.
+  ## Automation is done without HTTP Auth
+  #<Location "/check_mk/automation.py">
+  #     Order allow,deny
+  #     Allow from all
+  #     Satisfy any
+  #</Location>
+
+  ## WARNING: like automation above, run_cron is part of multisite.
+  ## It does not use HTTP Auth, but is only exposed to localhost. Having
+  ## it enabled has less risk, but since it's part of multisite it is
+  ## also disabled by default on Debian.
+  ## Trigger cron jobs. This is done without authentication
+  #<Location "/check_mk/run_cron.py">
+  #    Order deny,allow
+  #    Deny from all
+  #    Allow from 127.0.0.1
+  #    Satisfy any
+  #</Location>
+
 </IfModule>
 
+
+
 <IfModule !mod_python.c>
-    Alias /check_mk /usr/share/check_mk/web/htdocs
-    <Directory /usr/share/check_mk/web/htdocs>
+  Alias /check_mk /usr/share/check_mk/web/htdocs
+  <Directory /usr/share/check_mk/web/htdocs>
         Deny from all
         ErrorDocument 403 "<h1>Check_mk: Incomplete Apache2 Installation</h1>You need mod_python in order to run the web interface of check_mk.<br> Please install mod_python and restart Apache."
-    </Directory>
+  </Directory>
 </IfModule>
diff --git a/debian/apache.nagios3 b/debian/apache.nagios3
index a3b4603..ca819ff 100644
--- a/debian/apache.nagios3
+++ b/debian/apache.nagios3
@@ -1,4 +1,4 @@
-# Created by setup of check_mk version 1.1.6p1
+# Created by setup of check_mk version 1.2.6p4
 # This file will *not* be overwritten at the next setup
 # of check_mk. You may edit it as needed. In order to get
 # a new version, please delete it and re-run setup.sh.
@@ -10,12 +10,12 @@
 # inconveniance.
 
 <IfModule mod_python.c>
-    Alias /check_mk /usr/share/check_mk/web/htdocs
-    <Directory /usr/share/check_mk/web/htdocs>
+  Alias /check_mk /usr/share/check_mk/web/htdocs
+  <Directory /usr/share/check_mk/web/htdocs>
         AddHandler mod_python .py
         PythonHandler index
-        PythonDebug On 
-        DirectoryIndex index.py
+        PythonDebug On
+	DirectoryIndex index.py
 
         #Handle apache 2.2 and 2.4
         <IfVersion >= 2.3>
@@ -25,23 +25,52 @@
             Order deny,allow
             allow from all
         </IfVersion>
-        # Need Nagios authentification. Please edit the
-        # following: Set AuthName and AuthUserFile to the
-        # same value that you use for your Nagios configuration!
-        AuthName "Nagios Access"
+	# Need Nagios authentification. Please edit the
+	# following: Set AuthName and AuthUserFile to the
+	# same value that you use for your Nagios configuration!
+        Order deny,allow
+        allow from all
+	AuthName "Nagios Access"
         AuthType Basic
         AuthUserFile /etc/nagios3/htpasswd.users
         require valid-user
 
-        ErrorDocument 403 "<h1>Authentication Problem</h1>Either you've entered an invalid password or the authentication<br>configuration of your check_mk web pages is incorrect.<br><br>Please make sure that you've edited the file<br><tt>/etc/apache2/conf.d/check_mk</tt> and made it use the same<br>authentication settings as your Nagios web pages.<br>Restart Apache afterwards."
-        ErrorDocument 500 "<h1>Server or Configuration Problem</h1>A Server problem occurred. You'll find details in the error log of Apache. One possible reason is, that the file <tt>/etc/nagios/htpasswd.users</tt> is missing. You can create that file with <tt>htpasswd</tt> or <tt>htpasswd2</tt>. A better solution might be to use your existing htpasswd file from your Nagios installation. Please edit <tt>/etc/apache2/conf.d/check_mk</tt> and change the path there. Restart Apache afterwards."
-    </Directory>
+	ErrorDocument 403 "<h1>Authentication Problem</h1>Either you've entered an invalid password or the authentication<br>configuration of your check_mk web pages is incorrect.<br><br>Please make sure that you've edited the file<br><tt>/etc/apache2/conf.d/check_mk</tt> and made it use the same<br>authentication settings as your Nagios web pages.<br>Restart Apache afterwards."
+	ErrorDocument 500 "<h1>Server or Configuration Problem</h1>A Server problem occurred. You'll find details in the error log of Apache. One possible reason is, that the file <tt>/etc/nagios/htpasswd.users</tt> is missing. You can create that file with <tt>htpasswd</tt> or <tt>htpasswd2</tt>. A better solution might be to use your existing htpasswd file from your Nagios installation. Please edit <tt>/etc/apache2/conf.d/check_mk</tt> and change the path there. Restart Apache afterwards."
+  </Directory>
+  ## WARNING: automation is part of multisite, more information at
+  ##  http://mathias-kettner.com/checkmk_multisite_automation.html
+  ## It uses a shared secret rather than HTTP Auth for authentication and
+  ## and is potentially exposed to public networks so is disabled on Debian
+  ## by default. If you need this feature, be sure you understand the
+  ## security implications and take necessary precautions before turning it on.
+  ## Automation is done without HTTP Auth
+  #<Location "/check_mk/automation.py">
+  #     Order allow,deny
+  #     Allow from all
+  #     Satisfy any
+  #</Location>
+
+  ## WARNING: like automation above, run_cron is part of multisite.
+  ## It does not use HTTP Auth, but is only exposed to localhost. Having
+  ## it enabled has less risk, but since it's part of multisite it is
+  ## also disabled by default on Debian.
+  ## Trigger cron jobs. This is done without authentication
+  #<Location "/check_mk/run_cron.py">
+  #    Order deny,allow
+  #    Deny from all
+  #    Allow from 127.0.0.1
+  #    Satisfy any
+  #</Location>
+
 </IfModule>
 
+
+
 <IfModule !mod_python.c>
-    Alias /check_mk /usr/share/check_mk/web/htdocs
-    <Directory /usr/share/check_mk/web/htdocs>
+  Alias /check_mk /usr/share/check_mk/web/htdocs
+  <Directory /usr/share/check_mk/web/htdocs>
         Deny from all
         ErrorDocument 403 "<h1>Check_mk: Incomplete Apache2 Installation</h1>You need mod_python in order to run the web interface of check_mk.<br> Please install mod_python and restart Apache."
-    </Directory>
+  </Directory>
 </IfModule>
diff --git a/debian/changelog b/debian/changelog
index 80dbb21..ab7a9e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,9 @@ check-mk (1.2.6p4-1) UNRELEASED; urgency=medium
      check_mk_agent_logwatch.{example,install}
   * regenerate defaults.* starting with upstream versions generated by
      setup.sh and then porting forward the debian specific changes.
+  * regenerate apache.* starting with upstream versions generated by
+     setup.sh and then porting forward the debian specific changes.
+     Disable multisite automation.py and run_cron.py services by default.
 
  -- Matt Taggart <taggart at debian.org>  Wed, 20 May 2015 15:09:13 -0700
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-nagios/pkg-check-mk.git

More information about the Pkg-nagios-changes mailing list