I set up Apache to proxy all requests to Zenoss as described here:
http://www.zenoss.com/community/docs/howtos/setup-zenoss-with-apache/ All HTTP
traffic is rewritten to HTTPS and then proxied to Zenoss on port 8080.
However, Zenoss or Zope is writing usernames and passwords to URLs, and Apache
is logging this. Here's a sample snippet of my Apache access log
(sanitized USERNAME and PASSWORD):


> 10.0.2.212 - - [13/Nov/2008:13:27:40 -0600] "GET 
> /zport/acl_users/cookieAuthHelper/login?came_from=https%3A%2F%2Fzenoss%2Fzport%2Fdmd%2FDevices%2FServer%2FLinux%2FCluster%2Fdevices%2Fblade4-6-1.gsc.wustl.edu&submitted=true&__ac_name=USERNAME&__ac_password=PASSWORD&submit=
>  HTTP/1.1" 302 116 
> "https://zenoss/zport/acl_users/cookieAuthHelper/login_form?came_from=https%3A//zenoss/zport/dmd/Devices/Server/Linux/Cluster/devices/blade4-6-1"
>  "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080311 
> Firefox/2.0.0.13"


This is a big problem for us as we'll be implementing LDAP authentication soon.
So live passwords for other users will be accessible in the logs. The same
info is logged in /usr/local/zenoss/zenoss/log/Z2.log. I'm not sure what
events are causing this type of logging. The example above was with Zenoss
2.2.4, and since then I've upgraded to 2.3.0. I haven't seen any of this
logging yet, but I think it will crop up again. I'm just not exactly sure how
to trigger it.

Has anyone found a workaround for this?
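
An added example, not part of the original post: a Python sketch for auditing and scrubbing access logs in the format shown above for credentials carried in query strings, in both the request line and the Referer field. The `__ac_name` and `__ac_password` field names come from the log excerpt; the other parameter names, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Zope cookieAuthHelper form fields seen in the log excerpt above; the generic
# names after them are assumptions added for broader coverage.
SENSITIVE = ("__ac_password", "__ac_name", "password", "passwd", "pwd")

# name=value inside a query string. The value ends at '&', whitespace or a
# double quote, so the request line and the quoted Referer are both covered.
_PARAM = re.compile(
    r"(?P<sep>[?&])(?P<name>" + "|".join(map(re.escape, SENSITIVE))
    + r')=(?P<value>[^&\s"]*)',
    re.IGNORECASE,
)

def find_leaks(lines):
    """Return (line_number, parameter_name) for each non-empty sensitive value."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _PARAM.finditer(line):
            if match.group("value"):
                hits.append((number, match.group("name")))
    return hits

def redact_line(line, mask="[REDACTED]"):
    """Replace sensitive values with a mask, leaving the rest of the line intact."""
    return _PARAM.sub(lambda m: f"{m.group('sep')}{m.group('name')}={mask}", line)

# Constructed sample lines modelled on the excerpt above (all values made up).
SAMPLE_LOG = [
    ('10.0.2.212 - - [13/Nov/2008:13:27:40 -0600] "GET /zport/acl_users/cookieAuthHelper/'
     'login?came_from=https%3A%2F%2Fzenoss&submitted=true&__ac_name=alice&__ac_password=s3cret'
     '&submit= HTTP/1.1" 302 116 "https://zenoss/zport/acl_users/cookieAuthHelper/login_form" "Mozilla/5.0"'),
    ('10.0.2.212 - - [13/Nov/2008:13:27:41 -0600] "GET /zport/dmd/Devices HTTP/1.1" 200 5120 '
     '"https://zenoss/zport/acl_users/cookieAuthHelper/login?__ac_name=alice&__ac_password=s3cret" "Mozilla/5.0"'),
    '10.0.2.213 - - [13/Nov/2008:13:28:02 -0600] "GET /zport/dmd/Events?severity=5 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, name in find_leaks(SAMPLE_LOG):
        print(f"line {number}: value present for {name}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

The same functions can be run over Z2.log, since the post says the same request URLs are recorded there. Values that are percent-encoded inside another parameter (for example within `came_from`) are not decoded by this sketch.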



