What is the point of the random url?


#1

Case: a service is installed, i.e. collectd-web; a link with a random url is created in the applications tab of the dashboard.

http://server/d6ec64610ed0530493573e140ff570e781a15932/

Ok.

But,

http://server/collectd-web/

… also works.

So, what’s the point of the random url?


(Giacomo Sanchietti) #2

It is to avoid information disclosure since there is no authentication.
It’s like when you want to share a private resource from Google or other cloud services.


#3

That’s cool, but, again, why have the default link enabled then?

Let me ask it this way, if you’re going to use security by obscurity, or, as these urls are often described, as passwords, then why hide the door handle but leave the door open by having a default url enabled as well?


#4

Is the url http://server/collectd-web supposed to be accessible from external by default?


(Giacomo Sanchietti) #5

No it is not, http://server/collectd-web is accessible only from trusted networks.
But the obscured URL is world-accessible.

Should we add a little bit of documentation about this?

You can see Apache config here: /etc/httpd/conf.d/collectd-web.conf
The devel doc is here: http://docs.nethserver.org/projects/nethserver-devel/en/latest/random_url.html


(Alessio Fattorini) #6

@fasttech please, would you like to fork such doc with the notes added by @giacomo?


#7

Ok, so you’ve verified what it should be.
So why:

70.209.74.52 - - [27/Jul/2015:10:20:55 -0700] "GET /collectd-web/cgi-bin/time.cgi HTTP/1.1" 200 13 "http://server/collectd-web/" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.65 Mobile/12H143 Safari/600.1.4"
70.209.74.52 - - [27/Jul/2015:10:20:55 -0700] "GET /collectd-web/cgi-bin/collection.modified.cgi?action=hostlist_json HTTP/1.1" 200 31 "http://server/collectd-web/" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.65 Mobile/12H143 Safari/600.1.4"
70.209.74.52 - - [27/Jul/2015:10:20:57 -0700] "GET /collectd-web/media/css/blueprint/print.css HTTP/1.1" 304 - "http://server/collectd-web/" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.65 Mobile/12H143 Safari/600.1.4"

and…

192.168.124.167 - - [27/Jul/2015:10:30:44 -0700] "GET /collectd-web/cgi-bin/collection.modified.cgi?action=show_graph;plugin=cpu;type=cpu;plugin_instance=0;host=server9b.local;timespan=hour;start=09:30%20Jul%2027%202015;end=10:30%20Jul%2027%202015; HTTP/1.1" 200 27250 "http://server9b/collectd-web/" "Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36"

====================

<IfModule !cgi_module>
LoadModule cgi_module modules/mod_cgi.so
</IfModule>

Alias /d6ec64610ed0530493573e140ff570e781a15932 /var/www/html/collectd-web

<Directory /var/www/html/collectd-web>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride all
    Order deny,allow
    Allow from 127.0.0.1 192.168.148.0/255.255.255.0
</Directory>
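Added example, not code from the thread or from NethServer: a small Python check that parses access-log lines in Apache combined format and reports served (non-4xx/5xx) requests under /collectd-web/ from clients outside the trusted networks. The sample lines are constructed from the ones quoted above with user agents shortened, and the trusted list is an assumption taken from the Allow line in the config above.

```python
import ipaddress
import re

# Apache combined log format: client ident user [time] "request" status bytes "referer" "agent".
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Assumed trusted networks: the two entries on the Allow line of the quoted collectd-web.conf.
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.148.0/24")]

# Constructed sample log, based on the lines quoted in the thread (user agents shortened).
SAMPLE_LOG = """\
70.209.74.52 - - [27/Jul/2015:10:20:55 -0700] "GET /collectd-web/cgi-bin/time.cgi HTTP/1.1" 200 13 "http://server/collectd-web/" "Mozilla/5.0 (iPhone)"
70.209.74.52 - - [27/Jul/2015:10:20:57 -0700] "GET /collectd-web/media/css/blueprint/print.css HTTP/1.1" 304 - "http://server/collectd-web/" "Mozilla/5.0 (iPhone)"
192.168.124.167 - - [27/Jul/2015:10:30:44 -0700] "GET /collectd-web/cgi-bin/collection.modified.cgi?action=show_graph;host=server9b.local HTTP/1.1" 200 27250 "http://server9b/collectd-web/" "Mozilla/5.0 (Windows NT 6.3)"
192.168.148.20 - - [27/Jul/2015:10:31:02 -0700] "GET /collectd-web/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11)"
"""


def is_trusted(client):
    """True if the client address falls inside one of the TRUSTED networks."""
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in TRUSTED)


def untrusted_hits(log_text, prefix="/collectd-web/"):
    """Return (client, status, path) for requests under prefix that the server actually served
    (status below 400, so 200 and 304 both count) to a client outside TRUSTED.

    From an untrusted client the expected outcome of the intended config is 403 or 404,
    so any entry returned here shows the default path is reachable from where it should not be.
    """
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        if not m["path"].startswith(prefix):
            continue
        status = int(m["status"])
        if status < 400 and not is_trusted(m["client"]):
            hits.append((m["client"], status, m["path"]))
    return hits


if __name__ == "__main__":
    for client, status, path in untrusted_hits(SAMPLE_LOG):
        print(f"served to untrusted client {client}: {status} {path}")
```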

#8

I don’t understand what you’re asking.

I’ll note that when I was digging around, I found the wiki documentation for nethserver-samba-audit discusses the generation of a random url and states the gui is only available from the local network, but the documentation for collectd-web does not state lan only.


#9

Looks like /etc/httpd/conf.d/collectd-web.conf

is being overridden by /etc/httpd/conf/httpd.conf

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

I think. I don’t know Apache at all.
Worse, I’m not clear on what conf files can be edited without being overwritten by the templates(?).
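Added example (my own, not NethServer's or the thread's code): a Python model of how Apache 2.2 evaluates Order/Allow/Deny, applied to the two Directory blocks quoted in #7 and #9. As posted (the #7 snippet may be truncated), the collectd-web block has no Deny directive, and under Order deny,allow a request that matches neither an Allow nor a Deny is permitted; the block is evaluated beside a variant that adds Deny from all. Client addresses are the ones from the log lines in #7 plus a constructed 192.168.148.10.

```python
import ipaddress


def _matches(client_ip, spec):
    """True if client_ip matches one host spec: 'all', a single IP, or a CIDR/netmask network.
    (Apache also accepts partial addresses like '192.168'; those are not modelled here.)"""
    if spec == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in spec:
        # ipaddress accepts both 192.168.148.0/24 and 192.168.148.0/255.255.255.0
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


def apache22_allows(client_ip, order, allow=(), deny=()):
    """Apache 2.2 semantics for Order/Allow from/Deny from, for one client address."""
    allowed = any(_matches(client_ip, s) for s in allow)
    denied = any(_matches(client_ip, s) for s in deny)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # An Allow must match and no Deny may match; anything unmatched is denied.
        return allowed and not denied
    if order == "deny,allow":
        # Denied only if a Deny matches and no Allow rescues it; anything unmatched is permitted.
        return allowed or not denied
    raise ValueError("unsupported Order: %r" % order)


# The <Directory "/var/www/html"> block quoted from httpd.conf in #9.
HTTPD_CONF_ROOT = dict(order="allow,deny", allow=("all",))
# The collectd-web block as quoted in #7: Order deny,allow with Allow only.
COLLECTD_AS_POSTED = dict(order="deny,allow",
                          allow=("127.0.0.1", "192.168.148.0/255.255.255.0"))
# Same block with an explicit default deny, which is what "trusted networks only" needs.
COLLECTD_DEFAULT_DENY = dict(order="deny,allow", deny=("all",),
                             allow=("127.0.0.1", "192.168.148.0/255.255.255.0"))

CLIENTS = ("70.209.74.52", "192.168.124.167", "192.168.148.10", "127.0.0.1")


def evaluate(block, clients=CLIENTS):
    """Map each client address to the access decision for one Directory block."""
    return {ip: apache22_allows(ip, **block) for ip in clients}


if __name__ == "__main__":
    for name, block in (("httpd.conf root", HTTPD_CONF_ROOT),
                        ("collectd-web as posted", COLLECTD_AS_POSTED),
                        ("collectd-web + Deny from all", COLLECTD_DEFAULT_DENY)):
        print(name, evaluate(block))
```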


#10

What I need is to host a few simple html pages at domain/ which it does now under /var/www/html except that domain/collectd-web is also available to all.

I’m trying to understand how to use the Shared Folders and the Server Alias.

I wish that collectd and roundcube were actually reflected in the shared folders so that the user (myself) would have an example of how to correctly add their vhost.

I’m also wondering if I created this issue by installing collectd-web before installing mail, which then installed the web tools.

I guess I’ll have to keep muddling through these various conf files before I can figure out what will or will not be destroyed by the templates. Coming from Zentyal this was definitely an issue; unfortunately I’m trying to replace a disintegrating Zentyal server before it crashes irreparably.

I’m just so short of time, “it never rains but pours”.

I will say the log viewer in nethserver is awesome, especially since Zentyal was pretty much cli only even though they had a very poor, rudimentary log viewing module.


(Giacomo Sanchietti) #11

I’ve tested the behavior of collectd-web module and now I understand your problem.
The behavior changes when there is a shared folder configured as root folder of web server.
I will try to explain it so we can find a better general solution.

Scenario 1
Package nethserver-collectd-web installed and NO shared folder configured.

Collectd-web URL is accessible from anywhere with both URLs: /collectd-web and random URL.

Scenario 2
Package nethserver-collectd-web installed and one shared folder configured with web access and as “Web site root”

Collectd-web URL is accessible from anywhere only with the random URL.

Desired scenario
IMHO the best and simplest behavior is that collectd-web must be accessible only using the random URL from anywhere, no matter if there is a shared folder configured with a web access.

Do you agree @fasttech?

Now I will try to answer your generic questions :smile:

You should use shared folders if you want to publish simple web sites.
For example, given the alias mydomain.com to your server, you can set a shared folder as document root for that domain. You should find the URL for your configuration under the “Generated URLs:” label.
It’s a bit complex, but this is how Apache works.

If you need more help, please post your real example and we will guide you through the correct configuration (I hope :smiley: )

It’s not your fault, IMO this is an unexpected behavior of the system and should be considered a bug :smile:

Almost any file generated by a template starts with a banner like this:

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l. 
# http://www.nethesis.it - support@nethesis.it
#

#12

I’m sure you would have done your analysis regardless but I did work this out yesterday by trial and error after posting and apologize for not following up sooner.

To begin, this is to be a web and mail server for one domain and a few email users to replace a broken Zentyal install that’s limping along and unworthy of the time necessary to troubleshoot.
I did not understand that installing File Server was necessary for a simple web server which is in fact not so simple once compounded by the installation of collectd-web and roundcube.

I installed Statistics before anything else, including file server, so that’s certainly the first problem, because I quickly discovered that /collectd-web was available from external. I didn’t believe that to be appropriate when a random url was also generated, so I started digging around. Unfortunately, both admin and dev documentation don’t really delve into this; I only understood the schema when I was looking into what samba-audit was, and that led me to believe I surely wasn’t understanding something important.

This discussion led me to create a shared folder and then started experimenting as I had time.

Long story short.

/collectd-web is no longer available from external or another local sub… this is important…

I moved the html for the sole domain from /var/www/html and stuck it in the shared folder under /ibay with the shared folder set to Web site root. There is no alias, and /collectd-web is no longer available from external; it appears the collectd conf.d as above is now properly applied since I engaged the shared folder. So: simple html pages, random url and webmail available from external, nothing else, good.

Now, the issue is I do not know why because I haven’t been able to find the applicable conf that changed the behavior of apache since the addition of a shared folder, though I see most of the conf settings are covered by the gui now.

Problem: I added another local subnet under trusted networks and it is not being applied, though from what I understand of the documentation it should be, meaning I should be able to get /collectd-web from the subnet added to trusted networks, and I get 404.

Should I create an alias, I’m not sure it’s necessary…

I believe I do, with a random url there’s little need for the default.

I don’t see this, is it because I have not set an alias?

This I understood; what I haven’t found yet is the template file that I could, with caution of course, edit to have a global, persistent application of the desired behavior. I’ve been looking everywhere for these base template files.
For example, what if I don’t want webmail accessible from external… it’s not available in the shared folders settings in the gui, so that means I must change it in the base template… where’s that? You see? I really have spent some time searching and digging around in the wiki, admin and dev docs and I’ve been coming up empty.


(Giacomo Sanchietti) #13

The correct behavior is:

  • /collectd-web not accessible by anyone
  • random url always accessible from anywhere

Here you are: http://docs.nethserver.org/projects/nethserver-devel/en/latest/templates.html


#14

This is why I’m still confused. :slight_smile: