[rt-users] How to use Apache authentication methods for NoAuth pages? (fastcgi and apache2 RT not respecting htaccess)
I have some NoAuth pages I'd like to use with htaccess/htpasswd-style Apache authentication but NoAuth pages served by Request Tracker don't seem to respect my settings in Apache's configuration. Additionally, the pages themselves aren't requesting a username and password which I'd really like for a few of the NoAuth pages. This allows us to give people different summary views of ticket data through our own templates to present RequestTracker tickets to internal groups.

So that doesn't work and neither do protections that Apache applies to those files, letting remote users request the .htpasswd and .htaccess files off the filesystem in spite of my configuration in Apache. For example, I have the following in my httpd.conf:

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>

So I imagine this means RT's fastcgi instance is taking over and these requests aren't actually going to Apache, but I do see them in Apache's log:

    [20/Mar/2010:22:14:25 -0500] 128.255.76.130 TLSv1 DHE-RSA-AES256-SHA GET /NoAuth/helpdesk/.htaccess HTTP/1.1 15
    [20/Mar/2010:22:35:52 -0500] 128.255.76.130 TLSv1 DHE-RSA-AES256-SHA GET /NoAuth/helpdesk/.htaccess HTTP/1.1 15

Any ideas on what is happening? I have no occurrence of AllowOverride None in my httpd.conf.

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com

2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 23
Dublin, Ireland - Mar 15 16
Boston, MA, USA - April 5 6
Washington DC, USA - Oct 25 26

Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
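A detection check for the exposure described in the message above, added here as an example and not part of the original post: it parses access-log lines in the layout quoted there (timestamp, client, TLS protocol, cipher, request, bytes) and reports clients that received a response body for a `.ht*` path. The sample lines are constructed and use documentation-range addresses; the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Layout of the lines quoted in the post: [time] client proto cipher request bytes.
# The request may or may not be wrapped in double quotes.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<client>\S+)\s+(?P<proto>\S+)\s+(?P<cipher>\S+)\s+'
    r'"?(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"?\s+(?P<size>\d+|-)\s*$'
)

# Any path segment that starts with ".ht" (.htaccess, .htpasswd, .htgroup, ...).
HT_SEGMENT = re.compile(r'^\.ht', re.IGNORECASE)

# Constructed sample input (not taken from a real log).
SAMPLE = [
    '[20/Mar/2010:22:14:25 -0500] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA GET /NoAuth/helpdesk/.htaccess HTTP/1.1 15',
    '[20/Mar/2010:22:15:02 -0500] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /NoAuth/helpdesk/%2Ehtpasswd HTTP/1.1" 48',
    '[20/Mar/2010:22:16:40 -0500] 198.51.100.7 TLSv1 DHE-RSA-AES256-SHA "GET /NoAuth/helpdesk/index.html HTTP/1.1" 5120',
    '[20/Mar/2010:22:17:11 -0500] 198.51.100.7 TLSv1 DHE-RSA-AES256-SHA "GET /NoAuth/helpdesk/.htaccess HTTP/1.1" -',
]


def parse_line(line):
    """Return a dict of fields, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "-" is what Apache logs when no response body was sent.
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_ht_request(target):
    """True if any path segment, after percent-decoding, starts with '.ht'."""
    path = target.split("?", 1)[0]
    for _ in range(2):  # decode twice so double-encoded dots are caught too
        path = unquote(path)
    return any(HT_SEGMENT.match(seg) for seg in path.split("/"))


def find_ht_exposure(lines):
    """Map client address -> [(timestamp, target, bytes)] for .ht* requests with a body.

    This log layout has no status code, so a non-zero byte count is a lead to
    verify (it could be an error page), not proof that the file was disclosed.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_ht_request(rec["target"]):
            continue
        if rec["size"] > 0:
            hits[rec["client"]].append((rec["ts"], rec["target"], rec["size"]))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_ht_exposure(SAMPLE).items():
        for ts, target, size in events:
            print(f"{client} {ts} {target} bytes={size}")
```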
Re: [rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
> > <VirtualHost prod-interface-ipaddress:8383>
> > ServerName host.fqdn
> > Alias /NoAuth/images/ /local/rt/rt-current/share/html/NoAuth/images/
> > Alias /NoAuth/resnet/ /local/rt/rt-current/share/html/NoAuth/resnet/
>
> This rather explicitly tells apache *not* to pass the resnet pages through RT, so I'm hardly surprised that it is failing.

The only reason I tried that was because RT is not presenting /NoAuth/resnet correctly. When I remove that line so that the only non-SSL-related directives are:

    <VirtualHost ip.address:8383>
    ServerName host.fqdn
    Alias /NoAuth/images/ /local/rt/rt-current/share/html/NoAuth/images/
    DocumentRoot /local/rt/rt-current/share/html
    ScriptAlias / /local/rt/rt3/bin/mason_handler.fcgi/
    <Location /NoAuth/images>
    SetHandler default-handler
    </Location>

It doesn't allow a request for /NoAuth/resnet/index.html to be processed at all -- I get an RT page that says the file isn't found. If I just request /NoAuth/resnet/ it generates the page but doesn't execute any of the perl needed to create the table like it does on our production system.

This ( http://farm3.static.flickr.com/2769/4408373509_40b85ff521.jpg ) is a window-grab that shows a browser window of how it looks when requesting /NoAuth/resnet/ from RT to better illustrate what I'm seeing in the hopes that it shows something useful to you (or anyone else)! If you don't want to view the image I'll paste what is generated:

    New Open Resnet Tickets.
    <%PERL>
    my $tickets = new RT::Tickets($user);
    $tickets->LimitQueue(VALUE => 'resnet');
    $tickets->LimitStatus(VALUE => 'open');
    $tickets->LimitStatus(VALUE => 'new');
    $tickets->OrderBy(FIELD => 'id', ALIAS => 'main', ORDER => 'DESC');
    % if ($tickets->Count) {
    %while (my $ticket = $tickets->Next) {
    % $restrict = 1;
    %my $Field1 = $ticket->CustomFieldValues(13);
    % while (my $Test1 = $Field1->Next()) {
    % $restrict = $Test1->Content;
    % }
    %if($restrict ne 'True') {
    % $i++;
    % }
    % }
    % }

(and then the HTML table with <%$ticket->Id%> under ID, <%$ticket->Subject%> under Subject, etc.)
So it looks to me like the perl isn't being executed at all but I don't know why. This is the last blocker I have before I can deploy 3.8, I have everything else working as before except for these pages.

Thank you again for taking the time to assist.
[rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
I have done some additional troubleshooting and am still hitting a bit of a snag. I have pages created on our 3.6 RT install (apache 1.3) that read similar to this:

    ...mumble...
    <TABLE WIDTH=98% CELLSPACING=2 CELLPADDING=5 border=2>
    <%PERL>
    my $tickets = new RT::Tickets($user);
    $tickets->LimitQueue(VALUE => 'QUEUENAME');
    $tickets->LimitStatus(VALUE => 'open');
    $tickets->LimitStatus(VALUE => 'new');
    $tickets->OrderBy(FIELD => 'id', ALIAS => 'main', ORDER => 'DESC');
    </%PERL>
    % if ($tickets->Count) {
    mumble mumble
    <%INIT>
    my $user = new RT::CurrentUser('guest');
    my $queue = new RT::Queue($user);
    my $i=0;
    my $restrict;
    </%INIT>

This allows a user in our helpdesk to view a page of open issues in this particular example. We authenticate them via htaccess/htpasswd and just let them cruise a page of open issues because we don't want to expose the contents of the tickets to anyone that isn't a user in the system.

I'm open to suggestions on other ways of handling this but this is the way it has been done historically but our 3.8 install doesn't seem to like it. It doesn't actually execute any of the %PERL glue and just spits it out into the contents of the page.

I am not sure if this is an Apache configuration issue, an RT configuration issue, or both. I do have mod_perl activated in httpd.conf and we are using fastcgi and mason_handler.fcgi for the application itself. In httpd.conf I have been trying out various directives but this is what it looks like as of now for /NoAuth:

    <Location /NoAuth>
    satisfy any
    SetHandler perl-script
    PerlOptions +ParseHeaders
    Options +ExecCGI
    allow from all
    </Location>
Re: [rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
One more thing I forgot to add is that I can never access /NoAuth/ on the same port as the RT application itself, it always returns me to the login screen and gives a page not found error, e.g.

    https://rthost.tld:8383/NoAuth/images/

Gives me an RT-generated "The page you requested could not be found | Please check the URL and try again" page.

In the process of troubleshooting this NoAuth page problem I've set up a vhost for the NoAuth pages, which is where they don't execute. I'm quite certain this is a simple matter but I've been having a difficult time with it. What should the directives in Apache's httpd.conf look like for proper access to pages under /NoAuth/ directories?

On Thu, Mar 4, 2010 at 3:41 PM, Zuckercorn, Barry zuckercorn.ba...@gmail.com wrote:
> I have done some additional troubleshooting and am still hitting a bit of a snag. I have pages created on our 3.6 RT install (apache 1.3) that read similar to this:
>
>     ...mumble...
>     <TABLE WIDTH=98% CELLSPACING=2 CELLPADDING=5 border=2>
>     <%PERL>
>     my $tickets = new RT::Tickets($user);
>     $tickets->LimitQueue(VALUE => 'QUEUENAME');
>     $tickets->LimitStatus(VALUE => 'open');
>     $tickets->LimitStatus(VALUE => 'new');
>     $tickets->OrderBy(FIELD => 'id', ALIAS => 'main', ORDER => 'DESC');
>     </%PERL>
>     % if ($tickets->Count) {
>     mumble mumble
>     <%INIT>
>     my $user = new RT::CurrentUser('guest');
>     my $queue = new RT::Queue($user);
>     my $i=0;
>     my $restrict;
>     </%INIT>
>
> This allows a user in our helpdesk to view a page of open issues in this particular example. We authenticate them via htaccess/htpasswd and just let them cruise a page of open issues because we don't want to expose the contents of the tickets to anyone that isn't a user in the system.
>
> I'm open to suggestions on other ways of handling this but this is the way it has been done historically but our 3.8 install doesn't seem to like it. It doesn't actually execute any of the %PERL glue and just spits it out into the contents of the page.
> I am not sure if this is an Apache configuration issue, an RT configuration issue, or both. I do have mod_perl activated in httpd.conf and we are using fastcgi and mason_handler.fcgi for the application itself. In httpd.conf I have been trying out various directives but this is what it looks like as of now for /NoAuth:
>
>     <Location /NoAuth>
>     satisfy any
>     SetHandler perl-script
>     PerlOptions +ParseHeaders
>     Options +ExecCGI
>     allow from all
>     </Location>
Re: [rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
On Thu, Mar 4, 2010 at 3:51 PM, Kevin Falcone falc...@bestpractical.com wrote:
> On Thu, Mar 04, 2010 at 03:47:21PM -0600, Zuckercorn, Barry wrote:
> > One more thing I forgot to add is that I can never access /NoAuth/ on the same port as the RT application itself, it always returns me to the login screen and gives a page not found error, e.g.
> >
> >     https://rthost.tld:8383/NoAuth/images/
> >
> > Gives me an RT-generated "The page you requested could not be found | Please check the URL and try again" page.
> >
> > In the process of troubleshooting this NoAuth page problem I've set up a vhost for the NoAuth pages, which is where they don't execute. I'm quite certain this is a simple matter but I've been having a difficult time with it. What should the directives in Apache's httpd.conf look like for proper access to pages under /NoAuth/ directories?
>
> Have you tried the configuration directives from the README included with RT? You shouldn't need any particular /NoAuth/ stanzas, other than the NoAuth/images one, which is really just for performance serving static files.
>
> Also, you want to pick mod_perl or fastcgi, not try to use both of them.

I did remove my mod_perl load and I have looked at the README included with RT. Under the fastcgi section the only reference to NoAuth is this:

    Alias /NoAuth/images/ /opt/rt3/share/html/NoAuth/images/

Which I have (though I changed the filesystem path to match my install) in the Virtual Host configuration directive:

    <VirtualHost prod-interface-ipaddress:8383>
    ServerName host.fqdn
    Alias /NoAuth/images/ /local/rt/rt-current/share/html/NoAuth/images/
    Alias /NoAuth/resnet/ /local/rt/rt-current/share/html/NoAuth/resnet/
    DocumentRoot /local/rt/rt-current/share/html
    ScriptAlias / /local/rt/rt3/bin/mason_handler.fcgi/
    ...mumble mumble SSL configuration... logs...
    </VirtualHost>

I added the /NoAuth/resnet/ alias due to that url still not working.
If I try to go to https://host.fqdn:8383/NoAuth/resnet/index.html I am getting a page that doesn't render correctly in 3.8 but did in 3.6 (but again I moved from mod_perl to fcgi and am not clear on the impact this has on executing the perl inside the page).

Instead of building the nice HTML table with the open tickets for that group to view it spits back the code:

    <%$ticket->Id%>

Which used to fill a table cell with the ticket ID number. Or `% print $CF1;` where the IP address used to go, etc.

If this isn't a supported mechanism (I inherited this RT system) is there a way to provide local users access to the same type of data in a page that can be protected with htaccess instead of browsing full ticket details inside of RT?
Re: [rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
> Instead of building the nice HTML table with the open tickets for that group to view it spits back the code:
>
>     <%$ticket->Id%>
>
> Which used to fill a table cell with the ticket ID number. Or `% print $CF1;` where the IP address used to go, etc.
>
> If this isn't a supported mechanism (I inherited this RT system) is there a way to provide local users access to the same type of data in a page that can be protected with htaccess instead of browsing full ticket details inside of RT?

I suppose I should include the full contents of the page so you can see what we were/are actually doing:

building.html:

    <html>
    <head>
    <link rel=stylesheet href=/NoAuth/webrt.css type=text/css>
    <title>Open Incidents at test.edu</title>
    </head>
    <body><center>
    <h1> Open Security Incidents by Building</h1>
    <TABLE WIDTH=98% CELLSPACING=2 CELLPADDING=5 border=2>
    <%PERL>
    my $tickets = new RT::Tickets($user);
    $tickets->OrderBy(FIELD => 'id', ALIAS => 'main', ORDER => 'DESC');
    $tickets->LimitStatus(VALUE => 'open');
    $tickets->LimitStatus(VALUE => 'new');
    $tickets->LimitStatus(VALUE => 'stalled');
    </%PERL>
    % if ($tickets->Count) {
    <TR>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>ID<b> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>Subject<b> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>Status<b> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>Created<b> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>IP Address<b> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>MAC<B> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>Port<B> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>Room<b> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>Building<b> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>Category<b> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>Network Status<b> </TD>
    <TD BGCOLOR=#336699><FONT COLOR=#FF> <b>Jack<b> </TD>
    <td BGCOLOR=#336699><FONT COLOR=#FF> <b>userID<b> </TD>
    </TR>
    % while (my $ticket = $tickets->Next) {
    % $status = 1;
    % $building = 1;
    % $restrict = 1;
    % my $Field1 = $ticket->CustomFieldValues(11);
    % while (my $Test1 = $Field1->Next()) {
    % $status = $Test1->Content;
    % }
    % my $Field2 = $ticket->CustomFieldValues(3);
    % while (my $Test2 = $Field2->Next()) {
    % $building = $Test2->Content;
    % }
    % my $Field3 = $ticket->CustomFieldValues(13);
    % while (my $Test3 = $Field3->Next()) {
    % $restrict = $Test3->Content;
    % $Test3 = 1;
    % }
    % if($building eq $bid && $restrict ne 'True') {
    % $i++;
    <TR
    % if ($i%2) {
    BGCOLOR=#dd
    %}
    >
    % my $CF;
    % my $CFValue;
    % $CF = $ticket->CustomFieldValues(1); while ($CFValue = $CF->Next()){$CF1=$CFValue->Content;}
    % $CF = $ticket->CustomFieldValues(5); while ($CFValue = $CF->Next()){$CF5=$CFValue->Content;}
    % $CF = $ticket->CustomFieldValues(2); while ($CFValue = $CF->Next()){$CF2=$CFValue->Content;}
    % $CF = $ticket->CustomFieldValues(3); while ($CFValue = $CF->Next()){$CF3=$CFValue->Content;}
    % $CF = $ticket->CustomFieldValues(6); while ($CFValue = $CF->Next()){$CF6=$CFValue->Content;}
    % $CF = $ticket->CustomFieldValues(10); while ($CFValue = $CF->Next()){$CF10=$CFValue->Content}
    % $CF = $ticket->CustomFieldValues(7); while ($CFValue = $CF->Next()){$CF7=$CFValue->Content;}
    % $CF = $ticket->CustomFieldValues(12); while ($CFValue = $CF->Next()){$CF12=$CFValue->Content};
    <TD> <%$ticket->Id%> </TD>
    <TD> <%$ticket->Subject%> </TD>
    <TD> <%$ticket->Status%> </TD>
    <TD> <% $ticket->CreatedObj->AsString %></TD> </TD>
    <TD>
    % print $CF1;
    </TD>
    <TD>
    % print $CF5;
    </TD>
    <TD>
    % print $CF6;
    </TD>
    <tD>
    % print $CF2;
    </TD>
    <TD>
    % print $CF3;
    </TD>
    <TD>
    % print $CF10;
    </TD>
    <TD>
    % print $status;
    </TD>
    <TD>
    % print $CF7;
    </TD>
    <TD>
    % print $CF12;
    </TD>
    % ($CF5,$CF6,$CF2,$CF3,$CF4,$CF10,$CF7,$CF12) = ("","","","");
    </TR>
    % }
    % }
    % }
    </TABLE>
    %if ($i == 0){
    <BR>
    <H2> There are currently no disabled ports in this building.
    %}
    </center>
    </body>
    </html>
    <%ARGS>
    $bid => undef
    </%ARGS>
    <%INIT>
    my $user = new RT::CurrentUser('guest');
    my $queue = new RT::Queue($user);
    my $i = 0;
    my $status;
    my $building;
    my $restrict;
    my $CF1;
    my $CF5;
    my $CF6;
    my $CF2;
    my $CF3;
    my $CF4;
    my $CF10;
    my $CF7;
    my $CF12;
    </%INIT>

end

It would be great if we didn't need to develop a new set of pages to get this type of view out to the helpdesk and building contacts, but like I said I'm open to suggestions if there is a better way. I'm very curious as to why this doesn't work anymore in 3.8 with fastcgi however.
[rt-users] Trouble with NoAuth pages and REST urls for email
Hello,

I am in the process of moving from RT 3.6 to 3.8 and have managed to get the database migration and upgrade process working smoothly. We're using fastcgi successfully (which is much faster than our production system and Mason). I am however having a hard time getting our old NoAuth pages to work, which in turn means I am having some problems with email interactions with RT.

We are using Active Directory to authenticate users which is working very well and have the following VirtualHost configuration:

    // start
    <VirtualHost n.n.n.n:n>
    ServerName fqdn.tld
    DocumentRoot /local/rt/rt-current/share/html
    ScriptAlias / /local/rt/rt3/bin/mason_handler.fcgi
    <Location /NoAuth/images>
    SetHandler default
    </Location>
    <Location /REST/1.0/NoAuth>
    satisfy any
    allow from all
    </Location>
    <Location /NoAuth>
    satisfy any
    allow from all
    </Location>
    <Location /NoAuth/images>
    SetHandler default-handler
    </Location>
    <Location /rt/>
    AddDefaultCharset UTF-8
    SetHandler fastcgi-script
    </Location>
    // leaving out ssl junk
    // end

Trying to do a test email:

    /local/rt/rt-current/bin/rt-mailgate: temp file is '/tmp/nWKJoWPqCW'
    /local/rt/rt-current/bin/rt-mailgate: connecting to https://fqdn.tld:n/rt//REST/1.0/NoAuth/mail-gateway
    not ok - Could not load a valid user

I also noticed that our old NoAuth pages for things like public ticket overviews (so non-users of RT can view open tickets for a building/site) are not being processed by RT any more. The /NoAuth/ URL will 403, but our pages below that that work on the old system do not get parsed and display the processed information. The page will render with things like:

    <%ARGS> $bid => undef <%INIT> my $user = new RT::CurrentUser('guest'); my $queue = new RT::Queue($user); my $i = 0; my $status; my $building; my $restrict; my $CF1; my $CF8; my $CF2; my $CF3; my $CF5; my $CF10; my $CF7; my $CF12;

showing to the user which I believe means that the fcgi isn't processing it at all.
My RT log has the following recent events:

    [Tue Mar 2 18:28:07 2010] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/local/rt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
    [Tue Mar 2 19:53:36 2010] [error]: Couldn't find sender's address (/local/rt/rt3/bin/../lib/RT/Interface/Email/Auth/MailFrom.pm:67)
    [Tue Mar 2 19:53:36 2010] [error]: Could not record email: Could not load a valid user (/local/rt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)
    [Tue Mar 2 19:53:59 2010] [error]: Couldn't find sender's address (/local/rt/rt3/bin/../lib/RT/Interface/Email/Auth/MailFrom.pm:67)
    [Tue Mar 2 19:53:59 2010] [error]: Could not record email: Could not load a valid user (/local/rt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)
    [Tue Mar 2 19:54:05 2010] [debug]: Attempting to use external auth service: Active_Directory (/local/rt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
    [Tue Mar 2 19:54:05 2010] [debug]: SSO Failed and no user to test with. Nexting (/local/rt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
    [Tue Mar 2 19:54:05 2010] [debug]: Autohandler called ExternalAuth. Response: (0, No User) (/local/rt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
    [Tue Mar 2 20:02:58 2010] [error]: Couldn't find sender's address (/local/rt/rt3/bin/../lib/RT/Interface/Email/Auth/MailFrom.pm:67)
    [Tue Mar 2 20:02:58 2010] [error]: Could not record email: Could not load a valid user (/local/rt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)

I was seeing this in Apache's log:

    [Tue Mar 02 12:03:27 2010] [error] [client 127.0.0.1] File does not exist: /local/rt/apache/htdocs/REST
    [Tue Mar 02 13:03:27 2010] [error] [client 127.0.0.1] File does not exist: /local/rt/apache/htdocs/REST

So I created a symlink to just see if it would have any impact at all and the message was bounced back to me.
I believe it should have been able to match my email address with the information available in the directory as my account on RT has it there as well.

Any ideas on how to approach my NoAuth and REST problems?