This repository has been archived by the owner on Jan 15, 2019. It is now read-only.

[dev.icinga.com #2759] replace ./pub/.htaccess and ./pub/soap/.htaccess #825

Closed
icinga-migration opened this issue Jun 29, 2012 · 6 comments

Comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/2759

Created by calestyo on 2012-06-29 23:50:13 +00:00

Assignee: (none)
Status: Resolved (closed on 2012-12-17 09:58:49 +00:00)
Target Version: 1.9
Last Update: 2012-12-17 10:07:07 +00:00 (in Redmine)


Hi.

Icinga-Web ships two "htaccess" files.

I'd suggest getting rid of them, or better said replacing them, for several reasons:

  • They need to be placed in the right directories, which are (especially in packages) located under /usr.

  • They are however configuration files (the user needs to adapt at least the RewriteBase when he wants to change icinga's path) and configuration files should be in /etc.

  • They are "hidden" from the user (typically no one looks through all files in /usr, but most people check the config files in /etc), so the user doesn't easily notice if there's something set which e.g. breaks his security.

  • It further seems that several things are set there which are already set in the "global" apache config file you ship.

  • Also you never know whether the user has configured his Apache to consider .htaccess files.
    He may have disabled them or configured a different name (e.g. .ht_92384isdflnsldf_access) for whatever stupid reason.

  • If other webservers are used, then the .htaccess files are useless and may even be exposed, which might be unwanted.

The Debian icinga-web maintainer said he did some work to get rid of them (and, I guess, integrate them in the global apache config).
See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679340
Perhaps we can reuse this when he releases it.

@icinga-migration

Updated by calestyo on 2012-07-28 23:29:13 +00:00

The Debian Maintainer has finished this.... works great, so you could take this over and get rid of the nasty .htaccess files.

@icinga-migration

Updated by mfriedrich on 2012-09-24 14:16:17 +00:00

Problem will be: how to remove the remaining .htaccess files on upgrade, not to break existing setups. I guess that will be the showstopper here, at least in the 1.x tree.

@icinga-migration

Updated by mfrosch on 2012-09-24 14:20:02 +00:00

  • File added icinga-web.conf.in

Attached is an icinga-web.conf.in which is intended to replace the current one and the .htaccess files.

I'd vote for removing the .htaccess files by default and moving them to a contrib area.

Docs have to be updated to warn the user to remove them when using the new config.

It will not really break, but the .htaccess files will overrule the apache conf, unless we include "AllowOverride none".
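
The override behaviour mentioned in the comment above can be checked before an upgrade. The following is an added example, not part of the original thread or of Icinga Web: a shell function that lists leftover .htaccess files below a web root and reports whether the `AllowOverride` setting in a given Apache config would still let them apply. The function name `htaccess_audit`, the demo paths and the sample config are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not project code). Usage: htaccess_audit WEBROOT APACHE_CONF
# Prints "<STATUS> <path>" for every .htaccess file below WEBROOT:
#   IGNORED  the nearest enclosing <Directory> sets "AllowOverride None"
#   ACTIVE   the nearest enclosing <Directory> permits overrides
#   UNSET    no enclosing <Directory> sets AllowOverride, so the server default
#            decides (All before Apache 2.3.9, None from 2.3.9 on)
# Only literal <Directory "/path"> sections are understood (no wildcards/regex).
htaccess_audit() {
    find "$1" -type f -name .htaccess | LC_ALL=C sort | while IFS= read -r file; do
        st=$(awk -v dir="$(dirname "$file")" '
            { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
            low ~ /^<directory[ \t]/ {
                cur = line
                sub(/^[^ \t]+[ \t]+/, "", cur)      # drop "<Directory"
                sub(/>[ \t]*$/, "", cur)            # drop closing ">"
                gsub(/"/, "", cur)                  # drop quotes
                sub(/\/$/, "", cur)                 # "/" becomes "", which encloses all
                inside = 1; next
            }
            low ~ /^<\/directory>/ { inside = 0; next }
            inside && low ~ /^allowoverride[ \t]/ &&
            (dir == cur || index(dir, cur "/") == 1) && length(cur) >= best {
                best = length(cur); found = 1; val = tolower($2)
            }
            END { if (!found) print "UNSET"
                  else if (val == "none") print "IGNORED"
                  else print "ACTIVE" }
        ' "$2")
        printf '%s %s\n' "$st" "$file"
    done
}

# Constructed sample: throwaway tree shaped like pub/ and pub/soap/, with a
# hypothetical config that disables overrides for pub/soap only.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/pub/soap"
    touch "$t/pub/.htaccess" "$t/pub/soap/.htaccess"
    printf '<Directory "%s/pub/soap">\n  AllowOverride None\n</Directory>\n' "$t" > "$t/web.conf"
    htaccess_audit "$t/pub" "$t/web.conf"
    rm -rf "$t"
}
demo
```

Any file reported as ACTIVE or UNSET is one the release notes would need to tell users to remove, or one the shipped config would need to neutralise.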

@icinga-migration

Updated by calestyo on 2012-09-24 14:51:35 +00:00

I agree with Markus.... adding some warning to the release notes should be fine.
If you're concerned about adding such a change in a minor release, just postpone it to the next major... but I really think it shouldn't be a big issue.

The file from Markus already contains some of the optimisations and security fixes I've reported here in some other bugs... (but not all, AFAICS)

Cheers,
Chris.

@icinga-migration

Updated by mfrosch on 2012-12-17 09:58:49 +00:00

  • Status changed from New to Resolved

Will be fixed with #3500

Regards
Markus

@icinga-migration

Updated by mfrosch on 2012-12-17 10:07:07 +00:00

  • Target Version set to 1.9
