Remove self-service from external auth

Icinga Web Modules Icinga Director
, , ,
1

Hi,

never thought to open a thread on such a topic.
We have icingaweb2 set up with external Apache Authentication. Thus I want to remove self-service from Apache authentication.

I tried the usual things as

<Location /icingaweb2/director/self-service>
   Order allow,deny
   Allow from all
   Satisfy any
   AuthType none
</Location>

I already made for sure that

<Directory "/usr/share/icingaweb2">
    AllowOverride AuthConfig Limit
</Directory>

is set as director is not within

<Directory "/usr/share/icingaweb2/public">
    Options SymLinksIfOwnerMatch
    AllowOverride AuthConfig Limit
....

Any ideas? DebugLog does not really helped…

Best & Thanks,
M.

2

Hi,

we had similar issue and it costs me 2 days to find a solution :frowning:

And Finally here it is…
The problem is that we cannot handle URI inside the location because it is changed due to REWRITE Rules…

So then the solution was to set a varaible called self-service when a Powershell comes in and later use this env:
SetEnvIf User-Agent “.WindowsPowerShell.” self-service

and:
Require valid-user
Require env self-service

This means(as RequireAny is implcit) we required a valid-user OR a User-Agent which contains WindowsPowerShell( which is protected by api-key and this stuff handled outside apache)

# cat /etc/apache2/conf-enabled/icingaweb2.conf
Alias /icingaweb2 "/usr/share/icingaweb2/public"

<Directory "/usr/share/icingaweb2/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted

    SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /icingaweb2
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>

    <IfModule !mod_rewrite.c>
        DirectoryIndex error_norewrite.html
        ErrorDocument 404 /icingaweb2/error_norewrite.html
    </IfModule>

    DirectoryIndex index.php
</Directory>


SetEnvIf User-Agent ".*WindowsPowerShell.*" self-service


<Location /icingaweb2>
        Order allow,deny
        Allow from all

        AuthType openid-connect
        Require valid-user
        Require env self-service
        SSLRequireSSL
        SSLOptions +StdEnvVars
</Location>

#