This repository has been archived by the owner on Jan 15, 2019. It is now read-only.
Assignee: (none)
Status: Resolved (closed on 2012-12-17 09:58:49 +00:00)
Target Version: 1.9
Last Update: 2012-12-17 10:07:07 +00:00 (in Redmine)
Hi.
Icinga-Web ships two "htaccess" files.
I'd suggest to get rid of, or better said replace, them for several reasons:
They need to be placed in the right directories, which are (especially in packages) located under /usr.
They are however configuration files (the user needs to adapt at least the RewriteBase when he wants to change icinga's path) and configuration files should be in /etc.
They are "hidden" from the user (typically no one looks through all files in /usr, but most people check the config files in /etc...), so the user doesn't easily notice if there's something set which e.g. breaks his security.
It further seems that several things are set there which are already set in the "global" apache config file you ship.
Also you never know whether the user has configured his Apache to consider .htaccess files.
He may have disabled them or configured a different name (e.g. .ht_92384isdflnsldf_access for whatever stupid reason).
If other webservers are used, then the .htaccess files are useless and may even be exposed, which might be unwanted.
The Debian icinga-web maintainer said he did some work to get rid of them (and, I guess, integrate them in the global apache config).
See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679340
Perhaps we can reuse this when he releases it.
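An added example, not part of the original report or of Icinga-Web: a simplified audit of whether Apache would honor shipped .htaccess files, given the AccessFileName and AllowOverride settings in the server config. The directory tree, config text and function names are constructed; the parser ignores Include, `<DirectoryMatch>` and wildcards, and the default AllowOverride for directories without a matching section is assumed to be None (the Apache 2.4 default; 2.2 defaulted to All).

```python
import os
import re
import tempfile

def parse_apache(conf_text):
    """Return (AccessFileName list, {directory: AllowOverride value})."""
    names, overrides, current = [".htaccess"], {}, None
    for line in (l.strip() for l in conf_text.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)
        words = line.split()
        if opened:
            current = os.path.normpath(opened.group(1))
        elif line.lower().startswith("</directory"):
            current = None
        elif words and words[0].lower() == "accessfilename":
            names = words[1:]
        elif words and words[0].lower() == "allowoverride" and current:
            overrides[current] = " ".join(words[1:])
    return names, overrides

def effective_override(path, overrides, default):
    """Value from the longest enclosing <Directory> section, else the default."""
    enclosing = [d for d in overrides if (path + os.sep).startswith(d + os.sep)]
    return overrides[max(enclosing, key=len)] if enclosing else default

def audit(webroot, conf_text, default="None"):
    """List (relative path, verdict) for every shipped .htaccess under webroot."""
    names, overrides = parse_apache(conf_text)
    findings = []
    for dirpath in sorted(d for d, _subdirs, files in os.walk(webroot) if ".htaccess" in files):
        rel = os.path.relpath(os.path.join(dirpath, ".htaccess"), webroot)
        allow = effective_override(os.path.normpath(dirpath), overrides, default)
        if ".htaccess" not in names:
            verdict = "ignored: AccessFileName is " + " ".join(names)
        else:
            verdict = ("ignored" if allow.lower() == "none" else "honored") + ": AllowOverride " + allow
        findings.append((rel, verdict))
    return findings

def demo(extra_directive=""):
    """Constructed tree and config: two shipped .htaccess files, one overridable dir."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("pub", "lib"):
            os.makedirs(os.path.join(root, sub))
            open(os.path.join(root, sub, ".htaccess"), "w").close()
        conf = (f'{extra_directive}\n<Directory "{root}">\n  AllowOverride None\n</Directory>\n'
                f'<Directory "{root}/pub">\n  AllowOverride All\n</Directory>\n')
        return audit(root, conf)
```

Calling `demo()` reports the file under `lib` as ignored and the one under `pub` as honored; `demo("AccessFileName .ht_custom")` reports both as ignored, so any access rules they carry are silently not applied.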
Updated by mfriedrich on 2012-09-24 14:16:17 +00:00
Problem will be - how to remove the remaining .htaccess files on upgrade, not to break existing setups. I guess that will be the showstopper here, at least in the 1.x tree.
I agree with Markus... adding some warning to the release notes should be fine.
If you're concerned about adding such a change in a minor release, just postpone it to the next major... but I really think it shouldn't be a big issue.
The file from Markus already contains some of the optimisations and security fixes I've reported here in some other bugs... (but not all, AFAICS)
This issue has been migrated from Redmine: https://dev.icinga.com/issues/2759
Created by calestyo on 2012-06-29 23:50:13 +00:00