Plaintext passwords on login page

  • cstackpole
    Senior Member
    Zabbix Certified Specialist
    • Oct 2006
    • 225

    #1

    Plaintext passwords on login page

    I did a search but did not find any post explicitly dealing with this subject. If I missed it, sorry.

    A coworker discovered that the login page sends the password to zabbix via plaintext. I have not had a need for this before, so it meant nothing to me. However, it has recently been brought to my attention that this will be important in the future so I thought I would ask the forum about it.

    Has this been acknowledged before?
    Can this be easily implemented in 1.6 or will we have to wait till 1.8?
    Should I submit a bug report or is this even important to anyone else?

    Thanks!

    [EDIT] Thought I would clarify how we verified it was sent.
    We simply opened firefox then on the command line we ran:
    Code:
    tshark -ieth0 -w /tmp/output.cap
    We used firefox to login to the zabbix frontend and afterwards stopped tshark. We used wireshark to analyze the output. We filtered out by the protocol HTTP and looked at the info: POST /zabbix/index.php?login=1 HTTP/1.1. When we looked into the packet, the username and password were clearly readable. This is data that can easily be scripted for.
    Last edited by cstackpole; 18-11-2008, 23:25. Reason: update on method
  • Palmertree
    Senior Member
    • Sep 2005
    • 746

    #2
    Just make your site https and not http.

    Comment

    • Tenzer
      Senior Member
      • Nov 2007
      • 316

      #3
      This isn't an issue with Zabbix... Since you seem to be running this through the HTTP protocol it will be unencrypted, just as when you log into these forums. As already stated you just have to set up SSL encryption to the web interface, this is easily done with a homemade certificate, and then all the communication will be encrypted.

      Comment

      • cstackpole
        Senior Member
        Zabbix Certified Specialist
        • Oct 2006
        • 225

        #4
        I will admit this is not something I am that familiar with, but I thought that it could be done on the login page. I was approached by someone who found the issue while doing a packet capture and I may have just posted in blind ignorance.. :-[

        I guess it is time for me to Google this stuff and figure out what I am missing. Any pointers?

        I will post back if I find something.

        Thanks!

        Comment

        • xs-
          Senior Member
          Zabbix Certified Specialist
          • Dec 2007
          • 393

          #5
          use mod_ssl and make an ssl vhost

          if you are googling it, search for apache vhost ssl
          should get you started

          Comment

          • cstackpole
            Senior Member
            Zabbix Certified Specialist
            • Oct 2006
            • 225

            #6
            Thanks! I am Googling that now.

            I also looked up what I thought was the secure PHP login, and I found out it is for something else entirely.

            Well, at least I am learning something new! :-)

            Comment

            • cstackpole
              Senior Member
              Zabbix Certified Specialist
              • Oct 2006
              • 225

              #7
              OK. Wow. That was easy. The very first hit on Google was a straight walk through for me and I learned something new*.

              I have a few error messages that showed up when I restarted Apache that I don't know what they mean. It all seems to work but I am going to investigate the messages to see if they are something I should care about.

              Thanks for the pointers everyone!



              *The saying goes "You learn something new everyday" so does this mean I get to go home early??

              Comment

              • cstackpole
                Senior Member
                Zabbix Certified Specialist
                • Oct 2006
                • 225

                #8
                So these are the messages I am getting.
                Code:
                Restarting web server: apache2[Wed Nov 19 09:46:26 2008] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
                [Wed Nov 19 09:46:26 2008] [warn] NameVirtualHost *:80 has no VirtualHosts
                 ... waiting [Wed Nov 19 09:46:27 2008] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
                [Wed Nov 19 09:46:27 2008] [warn] NameVirtualHost *:80 has no VirtualHosts
                I found a solution that makes the errors go away when I start apache, but then I get these errors on the webpage
                Code:
                Secure Connection Failed
                An error occurred during a connection to host.
                SSL received a record that exceeded the maximum permissible length.
                (Error code: ssl_error_rx_record_too_long)
                The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
                    * Please contact the web site owners to inform them of this problem.
                So I guess I can't go home early because I am not done learning. Any suggestions?

                Well time for me to go back to Google...

                Comment
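                Worked example (added by the editor, not from any poster in this thread): the SSL vhost that #5 points at, shown next to the Apache 2.2 misconfiguration that produces the two messages quoted in #8. Hostnames and certificate paths are placeholders; the "before" part is a reconstruction of the kind of configuration that yields those exact messages, not a copy of the poster's files. Forcing the whole site to HTTPS, rather than only the login page, also avoids the mixed-scheme side effects that #10 warns about.

```apache
# --- Misconfiguration that yields the messages in post #8 (do not use) ---
#
# /etc/apache2/ports.conf
NameVirtualHost *:80
Listen 80
Listen 443

# Older default site files declared NameVirtualHost without a port.  A vhost
# written as "*" matches every Listen port, so:
#   [warn]  NameVirtualHost *:80 has no VirtualHosts   (nothing is bound to *:80)
#   [error] VirtualHost *:443 -- mixing * ports and non-* ports ...
#           (the *:443 vhost collides with the port-less NameVirtualHost *)
NameVirtualHost *
<VirtualHost *>
    ServerName   zabbix.example.com
    DocumentRoot /var/www/zabbix
</VirtualHost>

# Port 443 without "SSLEngine on" answers plain HTTP on the TLS port.  The
# browser reads that HTTP reply as a TLS record and reports
# ssl_error_rx_record_too_long, which is the second message in post #8.
<VirtualHost *:443>
    ServerName   zabbix.example.com
    DocumentRoot /var/www/zabbix
</VirtualHost>

# --- Corrected configuration (Apache 2.2, mod_ssl enabled with "a2enmod ssl") ---
#
# /etc/apache2/ports.conf
NameVirtualHost *:80
Listen 80
Listen 443

# Every vhost names its port explicitly, so each one matches exactly one
# Listen/NameVirtualHost entry.  Port 80 only redirects, so the login form is
# never served, and the password never posted, over cleartext HTTP.
<VirtualHost *:80>
    ServerName zabbix.example.com
    Redirect permanent / https://zabbix.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName   zabbix.example.com
    DocumentRoot /var/www/zabbix

    SSLEngine on
    # Placeholder paths.  A self-signed ("homemade") certificate as suggested
    # in #3 works here; browsers will warn until that certificate is trusted.
    SSLCertificateFile    /etc/ssl/certs/zabbix.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/zabbix.example.com.key
</VirtualHost>
```

                After the change, `apache2ctl configtest` should report Syntax OK with neither of the two messages, and a capture like the tshark one in #1 should show only the redirect on port 80 and TLS records on port 443, with no readable POST /zabbix/index.php?login=1.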

                • jamesh
                  Junior Member
                  • Mar 2008
                  • 22

                  #9
                  I adapted a script originally written for MediaWiki that forces SSL for auth pages and non-SSL for everything else (to avoid the SSL overhead).

                  New file ./include/ssl-login.inc.php
                  Code:
                   <?php
                   # Secure the login page.
                   
                   # Get server variables
                   $domain = $_SERVER['HTTP_HOST'];
                   $uri = $_SERVER['REQUEST_URI'];
                   
                   # Are we on the sign-in page or not?
                   $onSignInPage = false;
                   $signInPageNames = array('index.php', 'users.php', 'authentication.php', 'popup_usrgrp.php', 'popup_media.php', 'popup_users.php', 'popup_right.php', 'usergrps.php');  // lowercase on purpose
                   if ( $uri == "/" )
                   {
                   	$onSignInPage = true;
                   }
                   else
                   {
                   	foreach ($signInPageNames as $p)
                   	{
                   		# strstr() returns false when the page name is not part of the URI
                   		if ( strstr(strtolower($uri), "/$p") !== false )
                   		{
                   			$onSignInPage = true;
                   		}
                   	}
                   }
                   
                   # Secure only the login page. Un-secure all other pages.
                   # exit after each redirect so the rest of the page is not also sent over the wrong scheme.
                   if ( !checkArrayValue($_SERVER, 'HTTPS', 'on') && $onSignInPage ) {
                     header('Location: https://' . $domain . $uri);
                     exit;
                   } elseif ( checkArrayValue($_SERVER, 'HTTPS', 'on') && ! $onSignInPage ) {
                     header('Location: http://' . $domain . $uri);
                     exit;
                   }
                   
                   # True when $arr contains $key and it equals $value (here: $_SERVER['HTTPS'] == 'on')
                   function checkArrayValue($arr, $key, $value) {
                     return array_key_exists($key, $arr) && $arr[$key] == $value;
                   }
                   ?>
                  Add to bottom of ./conf/zabbix.conf.php
                  Code:
                  include_once 'include/ssl-login.inc.php';
                  Last edited by jamesh; 28-11-2011, 17:49. Reason: bugfix

                  Comment

                  • NicoZanferrari
                    Junior Member
                    • Jun 2011
                    • 23

                    #10
                    Be careful!

                    This ssl-login.inc.php modification gives some strange side-effects, look at http://www.zabbix.com/forum/showthread.php?p=93746

                    Comment

                    • jamesh
                      Junior Member
                      • Mar 2008
                      • 22

                      #11
                      I've updated the code in my post with a fix that addresses this issue.

                      Comment
