Update from 2.0.0p26 to 2.0.0p30 (CRE) breaks access to dashboard from kiosk

frakka · November 23, 2022, 11:07am

CMK version: 2.0.0p30cre
OS version: Oracle Linux Server release 8.7

Error message: None.

We have some kiosk accessing to checkMk dashboard using username and password embedded in the url.
To make the url easier to be typed and to void some issues with the certification authority which releases our SSL certificate, we created a virtualhost on apache webserver acting as ssl terminator and which adds username and password using a rewrite rule so we don’t need to left username and password around.

For example:

Kiosk calls this url: http://tv.mydomain.it/mo/
On “tv.mydomain.it” there is a location like this:

<Location /mo/>
                ProxyPreserveHost on
                ProxyPass https://mysite.mydomain.it/
                ProxyPassReverse /
                ProxyPassReverse https://mysite.mydomain.it/
</Location>

and rewrite rule like this:

Rewriterule ^/mo/$  https://mysite.mydomain.it/mo_master/check_mk/login.py?_origtarget=/mo_master/check_mk/dashboard.py?name=lep_simple_problems&_username=tv&_password=mypassword&_login=1 [P]

Everything is working until the update to the version 2.0.0p30 and is still working on some non-updated site which are still on 2.0.0p26.

Now when we call the url http://tv.mydomain.it/mo/ instead of having the dashboard shown at this url
http://tv.mydomain.it/mo/mo_master/check_mk/dashboard.py?name=lep_simple_problems

we get the login page so it seems the auth info were missed.

http://tv.mydomain.it/mo/mo_master/check_mk/login.py?_origtarget=index.py%3Fstart_url%3Ddashboard.py%253Fname%253Dlep_simple_problems

Any idea to point us to the right direction?

frakka · November 23, 2022, 1:21pm

I made some deep on site’s logs and I found that in the web.log I got this line:

2022-11-23 14:05:19,111 [30] [cmk.web 60146] Using the GET method to authenticate against login.py leaks user credentials in the Apache logs (see more details in our Werk 14261). Consider using the POST method.

The referred werk applies to version 2.2.0i1 but this seem to fit my issue.
Can someone confirm that some modification was made on login.py also in versions between 2.0.0.p26 and 2.0.0.p30 which can lead to this behaviour?

[EDIT]:
Uhm… No, it doesn’t fit.
If I call the full url of my dashboard with embedded credential I can still login to the dashboard but also got the advice in the web.log so it seems always be logged.
So calling the full dashboard url with credential is still functional, something goes wrong while it goes through the reverse proxy and this changed between p26 and p30…

frakka · November 23, 2022, 6:20pm

Solved.

The issue was the “Path” value in the session cookie.
On sites on 2.0.0p26 it was issued with value “Path=/”, on sites updated to version 2.0.0p30 it is issues with “Path=/<site_name>” and this breaks its usage for authentication through the reverse proxy.

I added a Header edit* Set-Cookie etc... directive to my reverse proxy to edit the cookie and it works again.

system · November 23, 2023, 6:21pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.