[Pkg-nagios-devel] Bug#679421: icinga-web: add useful information to README.Debian

Christoph Anton Mitterer calestyo at scientia.net
Thu Jun 28 15:17:22 UTC 2012


Package: icinga-web
Version: 1.7.1-1
Severity: wishlist


Hi Markus.

Maybe it's worth adding the following extra useful info to README.Debian.
Pick what you like:

1) The UNIX user under which Icinga-Web runs needs access to both databases:
   icinga (as user icinga per default) and icinga_web (as user icinga_web per default).


2) When Icinga-Web runs under a non-www-data UNIX user, the permissions of these files need
to be adapted:
/etc/icinga-web/conf.d/access.xml
/etc/icinga-web/conf.d/auth.xml
/etc/icinga-web/conf.d/database-ido.xml
/etc/icinga-web/conf.d/databases.xml
/etc/icinga-web/conf.d/database-web.xml
/etc/icinga-web/conf.d/module_reporting.xml
/var/log/icinga-web/
/var/lib/icinga-web/app/cache/
- Any others?
- Does it need access to the well known files from icinga like status.dat?

You know that I'd like a more generic way for this (see the very simple one I
suggested yesterday on the pkg-nagios list) but as long as you don't agree here, we
should add these hints :)


3) Add a hint, that whenever the configs are changed, one needs to
rm -rf /var/lib/icinga-web/app/cache/*
or some stuff won't get "active".


4) When changing the base-URL from /icinga-web to e.g. just /icinga, one needs to
adapt the apache.conf (you said the .htaccess go away so no need to mention this change
for them) and /etc/icinga-web/conf.d/icinga.xml.
<setting name="appkit.web_path">/icinga</setting>
<setting name="appkit.image_path">/icinga/images</setting>
They mention that this shall only be done, when knowing what you're doing,... any idea
what they mean?


5) PHP Hardening / Suhosin
I personally try to harden my PHP config as much as possible, especially setting
doc_root and open_basedir.

Now doc_root is less for hardening and is used to construct the file paths:
One example way of using it is:
doc_root = /var/www
And adding a symlink "icinga-web" at /var/www/ that points to /usr/share/icinga-web/pub.

open_basedir is more interesting: So far I needed to set:
open_basedir = "/usr/share/icinga-web:/var/lib/icinga-web:/var/log/icinga-web:/etc/icinga-web"
Funny, it actually works even without /etc/icinga-web, but I don't understand why.

Given that Suhosin is currently non-functional, I haven't any infos on that yet.


6) PHP Misc
I needed to set:
zlib.output_compression = Off
Icinga-web seems to ship similar functionality itself.
Per default this is Off anyway, but it may help people like me who changed the default.



7) I personally stumbled across not having activated mod_rewrite at first, when
I hadn't yet looked in these .htaccess files. But when they go away now,
we don't need to give special hints on this, IMHO.


8) I'd like to see how to configure HTTP Basic Auth and/or SSL cert based authentication.
But I haven't found out yet whether that works and how.


9) Do you know whether Icinga-Web needs read/write access to the icinga DB? Or would read-
only be enough?



HTH,
Chris.
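
An added example, not part of the original message or of the icinga-web package: a Python check of the paths listed in item 2 against the mode bits that apply to a given uid and group set. The access each path needs (read for the config files, read/write/search for the log and cache directories), the `root` parameter and the function names are assumptions, and POSIX ACLs are not evaluated.

```python
import os
import stat

# Paths from item 2 of the message; the access each one needs is an assumption
# (read for configuration, read/write/search for log and cache directories).
NEEDS = {
    "etc/icinga-web/conf.d/access.xml": "r",
    "etc/icinga-web/conf.d/auth.xml": "r",
    "etc/icinga-web/conf.d/database-ido.xml": "r",
    "etc/icinga-web/conf.d/databases.xml": "r",
    "etc/icinga-web/conf.d/database-web.xml": "r",
    "etc/icinga-web/conf.d/module_reporting.xml": "r",
    "var/log/icinga-web": "rwx",
    "var/lib/icinga-web/app/cache": "rwx",
}
BITS = {"r": 4, "w": 2, "x": 1}


def granted(st, uid, gids):
    """Return the rwx bits (0-7) the mode grants to uid/gids (ACLs ignored)."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def audit(uid, gids, root="/"):
    """Return {path: reason} for every listed path the user cannot use."""
    problems = {}
    for rel, want in NEEDS.items():
        path, cur = os.path.join(root, rel), root
        try:
            # Every directory on the way down must be searchable (x bit).
            for part in rel.split("/")[:-1]:
                cur = os.path.join(cur, part)
                if uid != 0 and not granted(os.stat(cur), uid, gids) & 1:
                    raise PermissionError("no search permission on " + cur)
            have = 7 if uid == 0 else granted(os.stat(path), uid, gids)
            missing = [c for c in want if not have & BITS[c]]
            if missing:
                problems[path] = "missing " + "".join(missing)
        except OSError as exc:
            problems[path] = str(exc)
    return problems
```

The uid and group set for a real account can be taken from `pwd.getpwnam()` and `os.getgrouplist()`; an empty result means the mode bits allow everything listed.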




