kosmo
19 September 2018 09:17
1
My LibreNMS installation is behind an Nginx proxy. A few days ago it stopped working.
It looks like the base_url setting is no longer taken into account.
While accessing the LibreNMS front page, the user is redirected to https://server-name/login instead of $base_url/login. The login page can be accessed if I type the correct URL ($base_url/login) in the browser; however, credentials are posted to https://server-name/login.
====================================
Component | Version
--------- | -------
LibreNMS | 1.43-93-g53a1730fc
DB Schema | 267
PHP | 7.1.21
MySQL | 10.2.17-MariaDB
RRDTool | 1.7.0
SNMP | NET-SNMP 5.7.3
====================================
[OK] Composer Version: 1.7.2
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
kosmo
20 September 2018 08:12
3
Reverse proxy configuration has been verified:
GET / HTTP/1.0
Host: server-name:443
X-Forwarded-For: A.B.C.D
X-Forwarded-Proto: https
Connection: close
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en;q=0.7,en-US;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: language=en librenms_session=eyJpdiI6InBBc3FnRmxEWkpqXC9ZdVFkM1wvMURcL0E9PSIsInZhbHVlIjoiNm5SQ3RyTFpzaE1EdkM0dlN1MDNRSWtHM3QwOFVPaXh1dldhOE9ZM2hCWERhSE5zbkJiMHVMSk51SmF2cEVVN1Qydmx6U012QlJuRURUZGNrY2NDdlE9PSIsIm1hYyI6IjBkMWViMGE3NzI5MTJhNmYzZGQ2MTFhOGVmODY4MDZkY2FmZmZhYmM4YTlkMTEyYzRkNDQyYzhkZTM5M2NmYmMifQ%3D%3D; XSRF-TOKEN=eyJpdiI6IlVwaFdYUitzK1wvdlJZZGlSd1krbk5nPT0iLCJ2YWx1ZSI6InBSeG5zWjNGdkFHXC9CY3ZVd1RlWWlNQ0VDK1V1TFRBVXlGZ0pjeDFjYkcwRUU3djNBUUtKZnlLd01CcUFcL2tDT3hXN3BCR3BGZkh1Q2JhVCtsOGZcL0tBPT0iLCJtYWMiOiI1YjQwYjgxZDc3MTAxNWRiNDAzYWNhYzYzZjMwYmJmZWQzOGNhYzljYTMyM2ExYWE5NzJiMzhjMjVhMDdjMTZmIn0%3D
DNT: 1
Upgrade-Insecure-Requests: 1
HTTP/1.0 302 Found
Date: Wed, 19 Sep 2018 08:52:21 GMT
Server: Apache/2.4.34 (Fedora)
Cache-Control: private, must-revalidate
Location: https://server-name/login
pragma: no-cache
expires: -1
Set-Cookie: librenms_session=eyJpdiI6Ijk2TFBqaFU2MzdrK2xvZ3JtRDNHOWc9PSIsInZhbHVlIjoiWEppdmZSVjhSRlp1OEJSODI5M25tR25KdGRybVBuY3dOUUhXYktLY25ZNFdvdlwvc0tGRWVwYVhCZU1pY0Q0U2VNb3EwYk5POTVQb1VnODdBSGtFZll3PT0iLCJtYWMiOiIxZjEyMjE2ZmI5OGQ3YzQ1NDY1OWIzN2E5MjMwYzZiNzdiYTk1ZmYxZmVkMjhjMDg0YjFjN2JhYjFmY2NhNmI2In0%3D; expires=Wed, 19-Sep-2018 10:52:21 GMT; Max-Age=7200; path=/; httponly
Content-Length: 340
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url=hxxps://server-name/login" />
<title>Redirecting to hxxps://server-name/login</title>
</head>
<body>
Redirecting to <a href="hxxps://server-name/login">hxxps://server-name/login</a>.
</body>
</html>
I changed https:// to hxxps:// as otherwise I was not allowed to post the log.
kosmo
21 September 2018 13:12
4
I noticed that the problem affects only the login page. If I access the server directly and pass the login page, everything works as expected (base_url is taken into account).
You are not being specific enough for me to figure out what your problem is.
These things might help: proxy ip, server ip, external url, expected url, actual url, port the internal server is listening on, and other things like that.
kosmo
24 September 2018 17:08
6
Hi.
I ran git bisect. It looks like the problem was introduced in this commit:
commit 32a7c50189b46058d53b8a1de6c2846a16f5e549
Author: Tony Murray
Date: Tue Sep 11 07:51:35 2018 -0500
Use Laravel authentication (#8702)
* Use Laravel for authentication
Support legacy auth methods
Always create DB entry for users (segregate by auth method)
Port api auth to Laravel
restrict poller errors to devices the user has access to
Run checks on every page load. But set a 5 minute (configurable) timer.
Only run some checks if the user is an admin
Move toastr down a few pixels so it isn't as annoying.
Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user.
Add two missing menu entries in the laravel menu
Rewrite 2FA code
Simplify some and verify code before applying
Get http-auth working
Handle legacy $_SESSION differently. Allows Auth::once(), etc to work.
* Fix tests and mysqli extension check
* remove duplicate Toastr messages
* Fix new items
* Rename 266.sql to 267.sql
Regarding my setup:
Front server (SERVER-NAME):
server {
    listen 443 ssl;
    server_name SERVER-NAME;
    root /usr/share/empty;
    ssl_certificate /etc/pki/tls/certs/SERVER-NAME.crt;
    ssl_certificate_key /etc/pki/tls/private/SERVER-NAME.key;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_session_timeout 15m;
    proxy_bind $remote_addr transparent;
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 5m;
    location /librenms/ {
        proxy_pass http://librenms/;
    }
}
Backend (librenms):
<VirtualHost *:80>
    ServerName librenms
    DocumentRoot "/opt/librenms/html/"
    AllowEncodedSlashes NoDecode
    <Directory "/opt/librenms/html/">
        Require all granted
        AllowOverride All
    </Directory>
</VirtualHost>
LibreNMS Configuration:
(...)
$config['base_url'] = 'hxxps://SERVER-NAME/librenms/';
(...)
Problem:
While accessing hxxps://SERVER-NAME/librenms/ as a not-logged-in user, LibreNMS redirects to the login page hxxps://SERVER-NAME/login instead of hxxps://SERVER-NAME/librenms/login (base_url is not taken into account).
The LibreNMS login page can be accessed using hxxps://SERVER-NAME/librenms/login/; however, the login form is posted to hxxps://SERVER-NAME/login (base_url is not taken into account).
If I log in on SERVER-NAME and access hxxp://librenms/, I am redirected to hxxp://librenms/login. If I log in, I see the dashboard, and all links there are correctly prepended with base_url (hxxps://SERVER-NAME/librenms/).
I hope my description is clear enough. The example HTTP request and reply sniffed between SERVER-NAME and librenms is available in one of my previous posts.
PS: I had to replace http by hxxp and https by hxxps.
Open up app/Http/Controllers/Auth/LoginController.php
and add this inside the showLoginForm() function (should be line 49):
dd(\Request::header());
Paste the full output here.
Here is from my test setup:
array:14 [▼
"cookie" => array:1 [▶]
"accept-language" => array:1 [▶]
"accept-encoding" => array:1 [▶]
"accept" => array:1 [▶]
"user-agent" => array:1 [▶]
"upgrade-insecure-requests" => array:1 [▶]
"connection" => array:1 [▶]
"host" => array:1 [▼
0 => "librenms.local"
]
"x-forwarded-host" => array:1 [▼
0 => "librenmsrp.local"
]
"x-forwarded-for" => array:1 [▼
0 => "127.0.0.1"
]
"x-forwarded-proto" => array:1 [▼
0 => "https"
]
"content-length" => array:1 [▶]
"content-type" => array:1 [▶]
]
You may need to visit https://librenmsrp.local/login directly so you don’t get redirected.
kosmo
26 September 2018 18:21
8
Hi.
Change:
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index 05764e9c2..4efd9f4d7 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -46,6 +46,8 @@ class LoginController extends Controller
public function showLoginForm()
{
+ dd(\Request::header());
+
if (Config::get('public_status')) {
$devices = Device::isActive()->get();
return view('auth.public-status')->with('devices', $devices);
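Review bot: the `dd(\Request::header());` added as the first statement of showLoginForm() dumps every request header, Cookie included, and stops execution, so while it is in place the login page is unusable and session and XSRF-TOKEN cookie values are rendered into the page. Keep it as a local, temporary change only and remove it once the output is captured; dumping just the headers of interest, for example `\Request::header('host')` and `\Request::header('x-forwarded-proto')`, gives the same diagnosis without the cookie values.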
Output when accessing https://SERVER-NAME/librenms/login:
array:11 [▼
"host" => array:1 [▼
0 => "SERVER-NAME:443"
]
"x-forwarded-for" => array:1 [▼
0 => "A.B.C.D" /* IP of machine running web browser */
]
"x-forwarded-proto" => array:1 [▼
0 => "https"
]
"connection" => array:1 [▼
0 => "close"
]
"user-agent" => array:1 [▼
0 => "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
]
"accept" => array:1 [▼
0 => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
]
"accept-language" => array:1 [▼
0 => "pl,en;q=0.5"
]
"accept-encoding" => array:1 [▼
0 => "gzip, deflate, br"
]
"cookie" => array:1 [▼
0 => "language=en; XSRF-TOKEN=eyJpdiI6InlFZDl4VW9WanlsMWJlS3doelRIRWc9PSIsInZhbHVlIjoiMjNRU2ZzRFFLdmVcL3o2ZlBFdHR1YUlRdjBSOG9Bak1YVEsrT0E0dnVYS2ZpUlB0Qk81b1JsUEpCRXhT ▶"
]
"dnt" => array:1 [▼
0 => "1"
]
"upgrade-insecure-requests" => array:1 [▼
0 => "1"
]
]
Output when accessing http://librenms/:
array:7 [
"host" => array:1 [
0 => "librenms"
]
"user-agent" => array:1 [
0 => "ELinks/0.12pre6 (textmode; Linux; 237x62-2)"
]
"referer" => array:1 [
0 => "http://librenms/"
]
"accept" => array:1 [
0 => "*/*"
]
"accept-language" => array:1 [
0 => "system"
]
"connection" => array:1 [
0 => "Keep-Alive"
]
"cookie" => array:1 [
0 => "librenms_session=(...); XSRF-TOKEN=eyJpdiI6InRNKzRkZE1JK09sXC8xb0Z3bXVxVnJBPT0iLCJ2YWx1ZSI6Im1wd1BqRlRwWXFWQ3I3ZGgydU4yejV6cFFUYWxoOHJ5TjM4N3hBQUF5QVRjOTBrRUVLRFwvVlBiUFN6cElZNTVMTVVIQzRtaE1NYUQ4WWIwYzBqVjloQT09IiwibWFjIjoiZTE2MzU1NWY2OTZlODdmMjU0YWNkZDliYmM0ZGI4M2Y5YWE1MjU3MzFlZTc3MjM3OGE5OTI1MjNjODU4OTZmNyJ9"
]
]
Does this fix your issue?
librenms:master
← murrant:proxy-links
opened 07:40PM - 26 Sep 18 UTC
If user sets APP_URL, force the root url to that. Empty strings result in default behavior.
Fix some of the urls in the laravel templates.
DO NOT DELETE THIS TEXT
#### Please note
> Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting.
- [x] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/)
#### Testers
If you would like to test this pull request then please run: `./scripts/github-apply <pr_id>`, i.e `./scripts/github-apply 5926`
After you are done testing, you can remove the changes with `./scripts/github-remove`. If there are schema changes, you can ask on discord how to revert.
Make sure APP_URL is set in .env properly. I hope it doesn’t break people with working configs though
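Why the login redirect lost the /librenms/ prefix and what pinning the root URL changes, as an added example that is not part of the thread and not LibreNMS or Laravel code. The functions rootFromRequest() and urlTo() are hypothetical, simplified stand-ins for a framework URL generator; the header values are the ones dumped earlier in the thread.

```php
<?php
// Added illustration; a simplified model, not LibreNMS or Laravel source.

// Root URL as a backend can derive it from the proxied request alone.
// A real application should honour X-Forwarded-* only from its known proxy.
function rootFromRequest(array $headers): string
{
    $scheme = $headers['x-forwarded-proto'] ?? 'http';
    $host = $headers['x-forwarded-host'] ?? $headers['host'];
    // Drop the port when it is the default for the scheme.
    $default = $scheme === 'https' ? ':443' : ':80';
    if (substr($host, -strlen($default)) === $default) {
        $host = substr($host, 0, -strlen($default));
    }
    return $scheme . '://' . $host;
}

// Absolute URL for an application path; a configured root, when set, wins.
function urlTo(string $path, array $headers, string $forcedRoot = ''): string
{
    $root = $forcedRoot !== '' ? $forcedRoot : rootFromRequest($headers);
    return rtrim($root, '/') . '/' . ltrim($path, '/');
}

// Headers as dumped in the thread for a request through the proxy.
$viaProxy = [
    'host' => 'SERVER-NAME:443',
    'x-forwarded-for' => 'A.B.C.D',
    'x-forwarded-proto' => 'https',
];

// nginx "location /librenms/ { proxy_pass http://librenms/; }" strips the
// prefix before the backend sees the request, and none of the headers above
// carries it, so the request-derived root cannot contain /librenms/.
echo urlTo('/login', $viaProxy), PHP_EOL;

// Empty string: default (request-derived) behaviour, same result as above.
echo urlTo('/login', $viaProxy, ''), PHP_EOL;

// Root pinned to the configured value: the prefix comes from configuration
// and no longer depends on what the proxy forwards.
echo urlTo('/login', $viaProxy, 'https://SERVER-NAME/librenms/'), PHP_EOL;
```

Run with `php` on the command line; the first two lines reproduce the Location header captured between the proxy and the backend, the third is the URL the proxy setup needs.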
kosmo
29 September 2018 07:16
10
Hi.
It is almost working. (APP_URL=https://SERVER-NAME/librenms/ )
When I access hxxps://SERVER-NAME/librenms/, I get redirection to hxxps://SERVER-NAME/librenms/login [CORRECT].
After login, I am redirected to hxxps://SERVER-NAME/ instead of hxxps://SERVER-NAME/librenms/ [INCORRECT]
If I try to access hxxps://SERVER-NAME/librenms/ again, I see the dashboard [CORRECT]
BTW: I noticed that icons on the main menu are no longer displayed. I have no idea if this is related to the problem and/or your changes: