CMK version: Open Monitoring Distribution Version 2.2.0.cre
OS version: Ubuntu 20.04.6 LTS
Hello Checkmk Users out there,
I started using Checkmk in Version 1.x.
In those days, I used to protect the web interface from unauthorized access, by using Apache’s access control to whitelist known IPs and using Basic Auth for external access from unknown IPs.
That worked flawlessly in Check_MK v1.x, Check_MK v2.0.0.x and even in 2.1.0p13.cre.
To upgrade to Check_MK 2.2.0, I first performed an update to 2.1.0p28.cre and updated to 2.2.0.cre afterwards.
Now, three days after the update, I notice that access by Basic Auth from a random IP does not work anymore.
At first the Basic Auth mechanism prompts me to enter my Basic Auth credentials. This step works well, because afterwards the checkmk login window appears.
But if I enter my checkmk credentials now, I am not redirected to the dashboard. Instead I am redirected back to the checkmk login.
189.2.154.195 - - [01/Jun/2023:17:13:16 +0200] "GET /sitename/check_mk/login.py?_origtarget=index.py HTTP/1.1" 200 2097 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
189.2.154.195 - - [01/Jun/2023:17:13:17 +0200] "POST /sitename/check_mk/login.py HTTP/1.1" 302 203 "https://checkmk.fqdn.de/sitename/check_mk/login.py?_origtarget=index.py" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
189.2.154.195 - - [01/Jun/2023:17:13:17 +0200] "GET /sitename/check_mk/index.py HTTP/1.1" 302 271 "https://checkmk.fqdn.de/sitename/check_mk/login.py?_origtarget=index.py" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
189.2.154.195 - - [01/Jun/2023:17:13:17 +0200] "GET /sitename/check_mk/login.py?_origtarget=index.py HTTP/1.1" 200 2097 "https://checkmk.fqdn.de/sitename/check_mk/login.py?_origtarget=index.py" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
If I am connecting from a whitelisted IP (and no Basic Auth login), I get redirected to the dashboard as expected.
So my question is at this point:
Did something change in the way login credentials are processed (Basic Auth vs Bearer Auth), so that parallel usage is now impossible?
Thx in advance
mrks
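
An added example, not part of the original post: a small Python check that scans an Apache access log for the request sequence shown above (login POST answered with 302, index.py answered with 302, login form served again). The sample lines are constructed with documentation IPs and a placeholder site name; the function names and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (Apache combined format, documentation IPs).
SAMPLE_LOG = '''\
203.0.113.10 - - [01/Jun/2023:17:13:16 +0200] "GET /sitename/check_mk/login.py?_origtarget=index.py HTTP/1.1" 200 2097 "-" "UA"
203.0.113.10 - - [01/Jun/2023:17:13:17 +0200] "POST /sitename/check_mk/login.py HTTP/1.1" 302 203 "-" "UA"
203.0.113.10 - - [01/Jun/2023:17:13:17 +0200] "GET /sitename/check_mk/index.py HTTP/1.1" 302 271 "-" "UA"
203.0.113.10 - - [01/Jun/2023:17:13:17 +0200] "GET /sitename/check_mk/login.py?_origtarget=index.py HTTP/1.1" 200 2097 "-" "UA"
198.51.100.7 - - [01/Jun/2023:17:14:02 +0200] "POST /sitename/check_mk/login.py HTTP/1.1" 302 203 "-" "UA"
198.51.100.7 - - [01/Jun/2023:17:14:02 +0200] "GET /sitename/check_mk/index.py HTTP/1.1" 200 5120 "-" "UA"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Sequence from the post: login accepted (302), index.py refuses (302), login form again (200).
LOOP = [("POST", "login.py", 302), ("GET", "index.py", 302), ("GET", "login.py", 200)]

def parse(line):
    """Return (ip, time, method, script, status), or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, url, status = m.groups()
    script = url.split("?", 1)[0].rsplit("/", 1)[-1]   # drop query string and directory
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, script, int(status)

def find_login_loops(lines, window=timedelta(seconds=5)):
    """Return [(ip, time_of_POST)] for every client that completed the LOOP sequence."""
    state, hits = {}, []              # state: ip -> (next step index, time of the POST)
    for ip, ts, *event in filter(None, map(parse, lines)):
        if event[1] not in ("login.py", "index.py"):
            continue                  # ignore assets and other pages
        step, started = state.get(ip, (0, ts))
        if step and tuple(event) == LOOP[step] and ts - started <= window:
            step += 1                 # next expected request of the loop
        elif tuple(event) == LOOP[0]:
            step, started = 1, ts     # a fresh login attempt starts the sequence
        else:
            step = 0                  # anything else (e.g. index.py 200) breaks it
        if step == len(LOOP):
            hits.append((ip, started))
            step = 0
        state[ip] = (step, started)
    return hits

if __name__ == "__main__":
    for ip, when in find_login_loops(SAMPLE_LOG.splitlines()):
        print(f"{when.isoformat()} {ip}: login accepted, then sent back to login.py")
```

Only the first client in the sample is reported; the second one reaches index.py with a 200 and is not flagged.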