Logout problem with HTTP Authentication

  • ira
    Member
    • Nov 2010
    • 39

    #1

    Logout problem with HTTP Authentication

    Hello all,

    I have Zabbix 1.8.5 on Debian Squeeze, which I used with Internal Authentication.
    Now I switched to HTTP Authentication with auth_mod_radius Module from Apache.
    I can log in through HTTP with Radius without problems, but I can't force logout.
    When I choose "Logout" from the GUI, it shows the index.php and says:
    "Welcome to Zabbix! You are connected as username."

    My Config in httpd.d/zabbix.conf:
    -----------------------------------

    # <IfDefine ZABBIX>
    Alias /zabbix "/var/www/zabbix"
    RedirectMatch ^/$ /zabbix
    <Directory "/var/www/zabbix/">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    AuthType Basic
    AuthName "Zabbix RADIUS authentication"
    AuthBasicAuthoritative Off
    AuthBasicProvider radius
    AuthRadiusAuthoritative on
    AuthRadiusActive On
    Require valid-user
    </Directory>
    # </IfDefine>
    AddRadiusAuth radiusserver.xxx.de:1812 xxxxxxxxxx 5:3
    AddRadiusCookieValid 10
    ----------------------------------

    This config sets the validity of the cookie to 10 minutes. However, I wish to be able to force the logout when I choose the Logout button in the GUI.
    Is that possible? What have I missed?

    Any help will be appreciated,
    Ira
    Last edited by ira; 15-08-2011, 16:44.
  • tibal
    Junior Member
    • Aug 2011
    • 6

    #2
    Hello Ira,

    Experiencing the very same issue with other applications when using HTTP authentication, I've used some hacks to make this work.

    1) you can change the code to make it return a 401 error code when accessing the logout page. Not sure if that's doable in Zabbix.

    2) with Apache you may return a custom code for that page.

    Code:
            RewriteEngine On
            RewriteCond "%{REQUEST_URI}" "/zabbix/index.php"
            RewriteCond "%{QUERY_STRING}" "reconnect=1"
            RewriteRule ".*" "%{REQUEST_URI}" [L,R=401]
    Cheers

    Comment

    • ira
      Member
      • Nov 2010
      • 39

      #3
      Do you already use the code in your zabbix config?
      I tried it but it doesn't show any effect...
      The page is still like before

      I checked; the rewrite module is on

      Comment

      • tibal
        Junior Member
        • Aug 2011
        • 6

        #4
        Originally posted by ira
        Do you already use the code in your zabbix config?
        No I don't use it, but I tested the Apache config before putting it here. It matched the logout URL and sent the 401 that invalidates the browser authentication.

        Could you enable the mod_rewrite log and see if it matches the URL?
        Code:
        RewriteLog "/tmp/mod_rewrite.log" 
        RewriteLogLevel 3

        Comment

        • tibal
          Junior Member
          • Aug 2011
          • 6

          #5
          Originally posted by tibal
          Code:
          RewriteLogLevel 3
          Maybe 3 is not enough, you may need to increase the level.

          Comment

          • ira
            Member
            • Nov 2010
            • 39

            #6
            I put RewriteLogLevel 9
            But there is no data in mod-rewrite.log


            ls -l /tmp/mod_rewrite.log
            -rw-r--r-- 1 root root 0 Aug 15 17:43 /tmp/mod_rewrite.log

            Comment

            • tibal
              Junior Member
              • Aug 2011
              • 6

              #7
              Originally posted by ira
              ls -l /tmp/mod_rewrite.log
              -rw-r--r-- 1 root root 0 Aug 15 17:43 /tmp/mod_rewrite.log
              That's strange... I guess you did not create the file yourself but apache did so.
              The RewriteEngine, RewriteCond and RewriteRule lines should be inside the <VirtualHost> root, not in a <Directory> or <Location> scope.
              I'd say this is the problem.

              I tested this on Debian Squeeze with the packaged version of zabbix and apache. Zabbix frontend only created file /etc/apache2/conf.d/zabbix with a simple Alias directive to map /zabbix to its directory. Then in /etc/apache2/sites-enabled/000-default I put the Rewrite directives inside the VirtualHost. Nothing more, that's the base config of Apache.

              /etc/apache2/conf.d/zabbix
              Code:
              # Define /zabbix alias, this is the default
              <IfModule mod_alias.c>
                  Alias /zabbix /usr/share/zabbix
              </IfModule>
              /etc/apache2/sites-enabled/000-default
              Code:
              <VirtualHost *:80>  
                      DocumentRoot /var/www
                      <Directory />
                              Options FollowSymLinks
                              AllowOverride None
                      </Directory>
                      <Directory /var/www/>
                              Options Indexes FollowSymLinks MultiViews
                              AllowOverride None
                              Order allow,deny
                              allow from all
                      </Directory>
              
                      ErrorLog ${APACHE_LOG_DIR}/error.log
                      LogLevel warn
                      CustomLog ${APACHE_LOG_DIR}/access.log combined
              
                      RedirectMatch ^/?$ /zabbix/
              
                      RewriteEngine On
                      RewriteCond "%{REQUEST_URI}" "/zabbix/index.php"
                      RewriteCond "%{QUERY_STRING}" "reconnect=1"
                      RewriteRule ".*" "%{REQUEST_URI}" [L,R=401]
              </VirtualHost>

              Comment

              • ira
                Member
                • Nov 2010
                • 39

                #8
                Ok, I moved the Rewrite Rules from conf.d/zabbix.conf in sites-enabled/default-ssl (I use Redirection from http to https, that's why I use default-ssl)

                Now Logout is redirected to 401:
                URI shows: 401 Authorization required



                Authorization Required

                This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
                Apache/2.2.16 (Debian) Server at zabbix Port 443
                But this doesn't destroy the session. If I delete the reconnect=1 in the URI then I'm still logged in.

                In the log /tmp/mod_rewrite.log: [15/Aug/2011:18:31:55 +0200] [zabbix/sid#7fbaf7480d08][rid#7fbaf775bff0/initial] (2) forcing responsecode 401 for /zabbix/index.php

                Comment

                • tibal
                  Junior Member
                  • Aug 2011
                  • 6

                  #9
                  Unfortunately this doesn't work with every browser. As you can see in this thread, killing the HTTP authentication is not something well defined:
                  http://stackoverflow.com/questions/4...logout-via-php

                  Maybe you could change the rewrite rule that way. It will force another user.
                  Code:
                  RewriteRule ".*" "https://logout@%{HTTP_HOST}%{REQUEST_URI}" [L,R]
                  Still the best thing is to close your browser.

                  Comment
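
Added example, not part of the thread: a small Python model of the exchange in posts #8 and #9, showing why the forced 401 cannot end a Basic-auth login on the server side. The account, the `Client` class and its `drops_on_401` switch are constructed for illustration; the rewrite patterns are the ones from post #7.

```python
import base64
import re

# Constructed account; stands in for the RADIUS backend (assumption).
USERS = {"ira": "s3cret"}

def check_basic(authorization):
    """Return the user name if the header carries valid Basic credentials."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:]).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, _, password = decoded.partition(":")
    return user if USERS.get(user) == password else None

def server(uri, query, authorization):
    """Model of the vhost in post #7: rewrite rule first, then Require valid-user."""
    if re.search("/zabbix/index.php", uri) and re.search("reconnect=1", query):
        return 401  # "forcing responsecode 401", as in the mod_rewrite log
    # No server-side session exists: each request is judged only by its header.
    return 200 if check_basic(authorization) else 401

class Client:
    """Browser stand-in (hypothetical): replays one cached Authorization header."""
    def __init__(self, user, password, drops_on_401):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.cached = "Basic " + token
        self.drops_on_401 = drops_on_401  # assumption: browsers differ here

    def get(self, uri, query=""):
        status = server(uri, query, self.cached)
        if status == 401 and self.drops_on_401:
            self.cached = None  # only the client can forget the credentials
        return status

def logout_then_reload(drops_on_401):
    """Log in, hit the logout URL, then request index.php without reconnect=1."""
    client = Client("ira", "s3cret", drops_on_401)
    return (client.get("/zabbix/index.php"),
            client.get("/zabbix/index.php", "reconnect=1"),
            client.get("/zabbix/index.php"))

if __name__ == "__main__":
    print("client keeps credentials :", logout_then_reload(False))
    print("client drops credentials :", logout_then_reload(True))
```

With `drops_on_401=False` the reload still returns 200, which is the behaviour reported in post #8.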

                  • ira
                    Member
                    • Nov 2010
                    • 39

                    #10
                    Good Morning Tibal

                    Now it shows a redirection problem and after that it forces a login window.
                    It reaches the goal that the user logs out, but the whole http authentication makes me doubt if it is the best option.

                    Thank you very much for the help.

                    Ira

                    Comment
