[rt-users] How to use Apache authentication methods for NoAuth pages? (fastcgi and apache2 RT not respecting htaccess)
I have some NoAuth pages I'd like to use with htaccess/htpasswd-style Apache authentication but NoAuth pages served by Request Tracker don't seem to respect my settings in Apache's configuration. Additionally, the pages themselves aren't requesting a username and password which I'd really like for a few of the NoAuth pages. This allows us to give people different summary views of ticket data through our own templates to present RequestTracker tickets to internal groups. So that doesn't work and neither do protections that Apache applies to those files, letting remote users request the .htpasswd and .htaccess files off the filesystem in spite of my configuration in Apache. For example, I have the following in my httpd.conf: Files ~ ^\.ht Order allow,deny Deny from all /Files So I imagine this means RT's fastcgi instance is taking over and these requests aren't actually going to Apache, but I do see them in Apache's log: [20/Mar/2010:22:14:25 -0500] 128.255.76.130 TLSv1 DHE-RSA-AES256-SHA GET /NoAuth/helpdesk/.htaccess HTTP/1.1 15 [20/Mar/2010:22:35:52 -0500] 128.255.76.130 TLSv1 DHE-RSA-AES256-SHA GET /NoAuth/helpdesk/.htaccess HTTP/1.1 15 Any ideas on what is happening? I have no occurrence of AllowOverride None in my httpd.conf. ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com 2010 RT Training Sessions! San Francisco, CA, USA - Feb 22 23 Dublin, Ireland - Mar 15 16 Boston, MA, USA - April 5 6 Washington DC, USA - Oct 25 26 Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
VirtualHost prod-interface-ipaddress:8383
ServerName host.fqdn
Alias /NoAuth/images/ /local/rt/rt-current/share/html/NoAuth/images/
Alias /NoAuth/resnet/ /local/rt/rt-current/share/html/NoAuth/resnet/
This rather explicitly tells apache *not* to pass the resnet pages
through RT, so I'm hardly surprised that it is failing.
The only reason I tried that was because RT is not presenting
/NoAuth/resnet correctly. When I remove that line and so that the
only non-SSL-related directives are:
VirtualHost ip.address:8383
ServerName host.fqdn
Alias /NoAuth/images/ /local/rt/rt-current/share/html/NoAuth/images/
DocumentRoot /local/rt/rt-current/share/html
ScriptAlias / /local/rt/rt3/bin/mason_handler.fcgi/
Location /NoAuth/images
SetHandler default-handler
/Location
It doesn't allow a request for /NoAuth/resnet/index.html to be
processed at all -- I get an RT page that says the file isn't found.
If I just request /NoAuth/resnet/ it generates the page but doesn't
execute any of the perl needed to create the table like it does on our
production system.
This ( http://farm3.static.flickr.com/2769/4408373509_40b85ff521.jpg )
is a window-grab that shows a browser window of how it looks when
requesting /NoAuth/resnet/ from RT to better illustrate what I'm
seeing in the hopes that it shows something useful to you (or anyone else)!
If you don't want to view the image I'll paste what is generated:
New Open Resnet Tickets.
%PERL my $tickets = new RT::Tickets($user);
$tickets-LimitQueue(VALUE = 'resnet'); $tickets-LimitStatus(VALUE
= 'open'); $tickets-LimitStatus(VALUE = 'new');
$tickets-OrderBy(FIELD = 'id', ALIAS = 'main', ORDER = 'DESC'); %
if ($tickets-Count) { %while (my $ticket = $tickets-Next) { %
$restrict = 1; %my $Field1 = $ticket-CustomFieldValues(13); % while
(my $Test1 = $Field1-Next()) { % $restrict = $Test1-Content; % }
%if($restrict ne 'True') { % $i++; % } % } % }
(and then the HTML table with %$ticket-Id% under ID,
%$ticket-Subject% under Subject, etc.
So it looks to me like the perl isn't being executed at all but I
don't know why.
This is the last blocker I have before I can deploy 3.8, I have
everything else working as before except for these pages. Thank you
again for taking the time to assist.
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 23
Dublin, Ireland - Mar 15 16
Boston, MA, USA - April 5 6
Washington DC, USA - Oct 25 26
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
[rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
I have done some additional troubleshooting and am still hitting a bit
of a snag.
I have pages created on our 3.6 RT install (apache 1.3) that read
similar to this:
...mumble...
TABLE WIDTH=98% CELLSPACING=2 CELLPADDING=5 border=2
%PERL
my $tickets = new RT::Tickets($user);
$tickets-LimitQueue(VALUE = 'QUEUENAME');
$tickets-LimitStatus(VALUE = 'open');
$tickets-LimitStatus(VALUE = 'new');
$tickets-OrderBy(FIELD = 'id', ALIAS = 'main', ORDER = 'DESC');
/%PERL
% if ($tickets-Count) {
mumble mumble
%INIT
my $user = new RT::CurrentUser('guest');
my $queue = new RT::Queue($user);
my $i=0;
my $restrict;
/%INIT
This allows a user in our helpdesk to view a page of open issues in
this particular example. We authenticate them via htaccess/htpasswd
and just let them cruise a page of open issues because we don't want
to expose the contents of the tickets to anyone that isn't a user in
the system.
I'm open to suggestions on other ways of handling this but this is the
way it has been done historically but our 3.8 install doesn't seem to
like it. It doesn't actually execute any of the %PERL glue and just
spits it out into the contents of the page. I am not sure if this is
an Apache configuration issue, an RT configuration issue, or both.
I do have mod_perl activated in httpd.conf and we are using fastcgi
and mason_handler.fcgi for the application itself.
In httpd.conf I have been trying out various directives but this is
what it looks like as of now for /NoAuth:
Location /NoAuth
satisfy any
SetHandler perl-script
PerlOptions +ParseHeaders
Options +ExecCGI
allow from all
/Location
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 23
Dublin, Ireland - Mar 15 16
Boston, MA, USA - April 5 6
Washington DC, USA - Oct 25 26
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
One more thing I forgot to add is that I can never access /NoAuth/ on
the same port as the RT application itself, it always returns me to
the login screen and gives a page not found error.
e.g. https://rthost.tld:8383/NoAuth/images/
Gives me an RT-generated The page you requested could not be found |
Please check the URL and try again page. In the process of
troubleshooting this NoAuth page problem I've setup a vhost for the
NoAuth pages, which is where they don't execute.
I'm quite certain this is a simple matter but Ive been having a
difficult time with it. What should the directives in Apache's
httpd.conf look like for proper access to pages under /NoAuth/
directories?
On Thu, Mar 4, 2010 at 3:41 PM, Zuckercorn, Barry
zuckercorn.ba...@gmail.com wrote:
I have done some additional troubleshooting and am still hitting a bit
of a snag.
I have pages created on our 3.6 RT install (apache 1.3) that read
similar to this:
...mumble...
TABLE WIDTH=98% CELLSPACING=2 CELLPADDING=5 border=2
%PERL
my $tickets = new RT::Tickets($user);
$tickets-LimitQueue(VALUE = 'QUEUENAME');
$tickets-LimitStatus(VALUE = 'open');
$tickets-LimitStatus(VALUE = 'new');
$tickets-OrderBy(FIELD = 'id', ALIAS = 'main', ORDER = 'DESC');
/%PERL
% if ($tickets-Count) {
mumble mumble
%INIT
my $user = new RT::CurrentUser('guest');
my $queue = new RT::Queue($user);
my $i=0;
my $restrict;
/%INIT
This allows a user in our helpdesk to view a page of open issues in
this particular example. We authenticate them via htaccess/htpasswd
and just let them cruise a page of open issues because we don't want
to expose the contents of the tickets to anyone that isn't a user in
the system.
I'm open to suggestions on other ways of handling this but this is the
way it has been done historically but our 3.8 install doesn't seem to
like it. It doesn't actually execute any of the %PERL glue and just
spits it out into the contents of the page. I am not sure if this is
an Apache configuration issue, an RT configuration issue, or both.
I do have mod_perl activated in httpd.conf and we are using fastcgi
and mason_handler.fcgi for the application itself.
In httpd.conf I have been trying out various directives but this is
what it looks like as of now for /NoAuth:
Location /NoAuth
satisfy any
SetHandler perl-script
PerlOptions +ParseHeaders
Options +ExecCGI
allow from all
/Location
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 23
Dublin, Ireland - Mar 15 16
Boston, MA, USA - April 5 6
Washington DC, USA - Oct 25 26
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
On Thu, Mar 4, 2010 at 3:51 PM, Kevin Falcone falc...@bestpractical.com wrote: On Thu, Mar 04, 2010 at 03:47:21PM -0600, Zuckercorn, Barry wrote: One more thing I forgot to add is that I can never access /NoAuth/ on the same port as the RT application itself, it always returns me to the login screen and gives a page not found error. e.g. https://rthost.tld:8383/NoAuth/images/ Gives me an RT-generated The page you requested could not be found | Please check the URL and try again page. In the process of troubleshooting this NoAuth page problem I've setup a vhost for the NoAuth pages, which is where they don't execute. I'm quite certain this is a simple matter but Ive been having a difficult time with it. What should the directives in Apache's httpd.conf look like for proper access to pages under /NoAuth/ directories? Have you tried the configuration directives from the README included with RT? You shouldn't need any particular /NoAuth/ stanzas, other than the NoAuth/images one, which is really just for performance serving static files. Also, you want to pick mod_perl or fastcgi, not try to use both of them. I did remove my mod_perl load and I have looked at the README included with RT. Under the fastcgi section the only reference to NoAuth is this: Alias /NoAuth/images/ /opt/rt3/share/html/NoAuth/images/ Which I have (though I changed the filesystem path to match my install) in the Virtual Host configuration directive: VirtualHost prod-interface-ipaddress:8383 ServerName host.fqdn Alias /NoAuth/images/ /local/rt/rt-current/share/html/NoAuth/images/ Alias /NoAuth/resnet/ /local/rt/rt-current/share/html/NoAuth/resnet/ DocumentRoot /local/rt/rt-current/share/html ScriptAlias / /local/rt/rt3/bin/mason_handler.fcgi/ ...mumble mumble SSL configuration... logs.../VirtualHost I added the /NoAuth/reset/ alias due to that url still not working. If I try to go to https://host.fqdn:8383/NoAuth/resnet/index.html I am getting a page that doesn't render correctly in 3.8 but did in 3.6 (but again I moved from mod_perl to fcgi and am not clear on the impact this has on executing the perl inside the page) Instead of building the nice HTML table with the open tickets for that group to view it spits back the code: %$ticket-Id% Which used to fill a table cell with the ticket ID number. Or `% print $CF1;` where the IP address used to go, etc. If this isn't a supported mechanism (I inherited this RT system) is there a way to provide local users access to the same type of data in a page that can be protected with htaccess instead of browsing full ticket details inside of RT? ___ http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users Community help: http://wiki.bestpractical.com Commercial support: sa...@bestpractical.com 2010 RT Training Sessions! San Francisco, CA, USA - Feb 22 23 Dublin, Ireland - Mar 15 16 Boston, MA, USA - April 5 6 Washington DC, USA - Oct 25 26 Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] RT 3.8 and Apache 2, NoAuth pages not parsed by RT?
Instead of building the nice HTML table with the open tickets for that
group to view it spits back the code:
%$ticket-Id%
Which used to fill a table cell with the ticket ID number. Or `%
print $CF1;` where the IP address used to go, etc.
If this isn't a supported mechanism (I inherited this RT system) is
there a way to provide local users access to the same type of data in
a page that can be protected with htaccess instead of browsing full
ticket details inside of RT?
I suppose I should include the full contents of the page so you can
see what we were/are actually doing:
building.html:
html
head
link rel=stylesheet href=/NoAuth/webrt.css type=text/css
titleOpen Incidents at test.edu/title
/head
bodycenter
h1 Open Security Incidents by Building/h1
TABLE WIDTH=98% CELLSPACING=2 CELLPADDING=5 border=2
%PERL
my $tickets = new RT::Tickets($user);
$tickets-OrderBy(FIELD = 'id', ALIAS = 'main', ORDER = 'DESC');
$tickets-LimitStatus(VALUE = 'open');
$tickets-LimitStatus(VALUE = 'new');
$tickets-LimitStatus(VALUE = 'stalled');
/%PERL
% if ($tickets-Count) {
TR
TD BGCOLOR=#336699FONT COLOR=#FF
bIDb
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bSubjectb
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bStatusb
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bCreatedb
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bIP Addressb
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bMACB
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bPortB
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bRoomb
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bBuildingb
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bCategoryb
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bNetwork Statusb
/TD
TD BGCOLOR=#336699FONT COLOR=#FF
bJackb
/TD
td BGCOLOR=#336699FONT COLOR=#FF
buserIDb
/TD
/TR
% while (my $ticket = $tickets-Next) {
% $status = 1;
% $building = 1;
% $restrict = 1;
% my $Field1 = $ticket-CustomFieldValues(11);
% while (my $Test1 = $Field1-Next()) {
% $status = $Test1-Content;
% }
% my $Field2 = $ticket-CustomFieldValues(3);
% while (my $Test2 = $Field2-Next()) {
% $building = $Test2-Content;
% }
% my $Field3 = $ticket-CustomFieldValues(13);
% while (my $Test3 = $Field3-Next()) {
% $restrict = $Test3-Content;
% $Test3 = 1;
% }
% if($building eq $bid $restrict ne 'True') {
% $i++;
TR
% if ($i%2) {
BGCOLOR=#dd
%}
% my $CF;
% my $CFValue;
% $CF = $ticket-CustomFieldValues(1); while ($CFValue
= $CF-Next()){$CF1=$CFValue-Content;}
% $CF = $ticket-CustomFieldValues(5); while ($CFValue
= $CF-Next()){$CF5=$CFValue-Content;}
% $CF = $ticket-CustomFieldValues(2); while ($CFValue
= $CF-Next()){$CF2=$CFValue-Content;}
% $CF = $ticket-CustomFieldValues(3); while ($CFValue
= $CF-Next()){$CF3=$CFValue-Content;}
% $CF = $ticket-CustomFieldValues(6); while ($CFValue
= $CF-Next()){$CF6=$CFValue-Content;}
% $CF = $ticket-CustomFieldValues(10); while ($CFValue
= $CF-Next()){$CF10=$CFValue-Content}
% $CF = $ticket-CustomFieldValues(7); while ($CFValue
= $CF-Next()){$CF7=$CFValue-Content;}
% $CF = $ticket-CustomFieldValues(12); while ($CFValue
= $CF-Next()){$CF12=$CFValue-Content};
TD
%$ticket-Id%
/TD
TD
%$ticket-Subject%
/TD
TD
%$ticket-Status%
/TD
TD
% $ticket-CreatedObj-AsString %/TD
/TD
TD
% print $CF1;
/TD
TD
% print $CF5;
/TD
TD
% print $CF6;
/TD
tD
% print $CF2;
/TD
TD
% print $CF3;
/TD
TD
% print $CF10;
/TD
TD
% print $status;
/TD
TD
% print $CF7;
/TD
TD
% print $CF12;
/TD
% ($CF5,$CF6,$CF2,$CF3,$CF4,$CF10,$CF7,$CF12) = (,,,);
/TR
% }
% }
% }
/TABLE
%if ($i == 0){
BR
H2
There are currently no disabled ports in this building.
%}
/center
/body
/html
%ARGS
$bid = undef
/%ARGS
%INIT
my $user = new RT::CurrentUser('guest');
my $queue = new RT::Queue($user);
my $i = 0;
my $status;
my $building;
my $restrict;
my $CF1; my $CF5; my $CF6; my $CF2; my $CF3; my $CF4; my $CF10; my
$CF7; my $CF12;
/%INIT
end
It would be great if we didn't need to develop a new set of pages to
get this type of view out to the helpdesk and building contacts, but
like I said I'm open to suggestions if there is a better way. I'm
very curious as to why this doesn't work anymore in 3.8 with fastcgi
however.
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 23
Dublin, Ireland - Mar 15 16
Boston, MA, USA - April 5 6
Washington DC, USA - Oct 25 26
Discover RT's hidden secrets with RT Essentials from O'Reilly
[rt-users] Trouble with NoAuth pages and REST urls for email
Hello,
I am in the process of moving from RT 3.6 to 3.8 and have managed to
get the database migration and upgrade process working smoothly.
We're using fastcgi successfully (which is much faster than our
production system and Mason)
I am however having a hard time getting our old NoAuth pages to work,
which in turn means I am having some problems with email interactions
with RT.
We are using Active Directory to authenticate users which is working
very well and have the following VirtualHost configuration:
// start
VirtualHost n.n.n.n:n
ServerName fqdn.tld
DocumentRoot /local/rt/rt-current/share/html
ScriptAlias / /local/rt/rt3/bin/mason_handler.fcgi
Location /NoAuth/images
SetHandler default
/Location
Location /REST/1.0/NoAuth
satisfy any
allow from all
/Location
Location /NoAuth
satisfy any
allow from all
/Location
Location /NoAuth/images
SetHandler default-handler
/Location
Location /rt/
AddDefaultCharset UTF-8
SetHandler fastcgi-script
/Location
// leaving out ssl junk
// end
Trying to do a test email:
/local/rt/rt-current/bin/rt-mailgate: temp file is '/tmp/nWKJoWPqCW'
/local/rt/rt-current/bin/rt-mailgate: connecting to
https://fqdn.tld:n/rt//REST/1.0/NoAuth/mail-gateway
not ok - Could not load a valid user
I also noticed that our old NoAuth pages for things like public ticket
overviews (so non-users of RT can view open tickets for a
building/site) are not being processed by RT any more.
The /NoAuth/ URL will 403, but our pages below that that work on the
old system do not get parsed and display the processed information.
The page will render with things like:
%ARGS $bid = undef %INIT my $user = new RT::CurrentUser('guest');
my $queue = new RT::Queue($user); my $i = 0; my $status; my $building;
my $restrict; my $CF1; my $CF8; my $CF2; my $CF3; my $CF5; my $CF10;
my $CF7; my $CF12;
showing to the user which I believe means that the fcgi isn't
processing it at all.
My RT log has the following recent events:
[Tue Mar 2 18:28:07 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/local/rt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Mar 2 19:53:36 2010] [error]: Couldn't find sender's address
(/local/rt/rt3/bin/../lib/RT/Interface/Email/Auth/MailFrom.pm:67)
[Tue Mar 2 19:53:36 2010] [error]: Could not record email: Could not
load a valid user
(/local/rt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)
[Tue Mar 2 19:53:59 2010] [error]: Couldn't find sender's address
(/local/rt/rt3/bin/../lib/RT/Interface/Email/Auth/MailFrom.pm:67)
[Tue Mar 2 19:53:59 2010] [error]: Could not record email: Could not
load a valid user
(/local/rt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)
[Tue Mar 2 19:54:05 2010] [debug]: Attempting to use external auth
service: Active_Directory
(/local/rt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:64)
[Tue Mar 2 19:54:05 2010] [debug]: SSO Failed and no user to test
with. Nexting
(/local/rt/rt3/local/plugins/RT-Authen-ExternalAuth/lib/RT/Authen/ExternalAuth.pm:92)
[Tue Mar 2 19:54:05 2010] [debug]: Autohandler called ExternalAuth.
Response: (0, No User)
(/local/rt/rt3/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Auth:26)
[Tue Mar 2 20:02:58 2010] [error]: Couldn't find sender's address
(/local/rt/rt3/bin/../lib/RT/Interface/Email/Auth/MailFrom.pm:67)
[Tue Mar 2 20:02:58 2010] [error]: Could not record email: Could not
load a valid user
(/local/rt/rt3/share/html/REST/1.0/NoAuth/mail-gateway:75)
I was seeing this in Apache's log:
[Tue Mar 02 12:03:27 2010] [error] [client 127.0.0.1] File does not
exist: /local/rt/apache/htdocs/REST
[Tue Mar 02 13:03:27 2010] [error] [client 127.0.0.1] File does not
exist: /local/rt/apache/htdocs/REST
So I created a symlink to just see if it would have any impact at all
and the message was bounced back to me. I believe it should have been
able to match my email address with the information available in the
directory as my account on RT has it there as well.
Any ideas on how to approach my NoAuth and REST problems?
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
2010 RT Training Sessions!
San Francisco, CA, USA - Feb 22 23
Dublin, Ireland - Mar 15 16
Boston, MA, USA - April 5 6
Washington DC, USA - Oct 25 26
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
