Thruk Cookie Authentication


aesnau...@gmail.com

May 14, 2013, 8:57:26 AM
to th...@googlegroups.com
Hi,

We want to use the cookie authentication in Thruk but we don't understand how to configure Thruk and Apache to use this functionality.
Can you help us? How do we configure Thruk and Apache to use cookie authentication in Thruk?

Arnaud

Sven Nierlein

May 14, 2013, 9:12:38 AM
to th...@googlegroups.com
Hi Arnaud,

the easiest way would be using OMD (nightly) where you can just switch that feature on by running "omd config".
If you don't want to do that, it's just a bit of Apache voodoo:

The demo system uses this apache config:

<LocationMatch /thruk>
AuthName "Thruk Demo"
AuthType Basic
AuthUserFile /home/thruk/Thruk/htpasswd.users
order allow,deny
allow from all
require valid-user
</LocationMatch>

RewriteMap users prg:/home/thruk/Thruk/script/thruk_auth

# make all cookies accessible by the url
RewriteCond %{REQUEST_URI} !^/thruk/cgi-bin/restricted.cgi
RewriteCond %{HTTP_COOKIE} (thruk_auth=[^;]+|$) [NC]
RewriteRule ^/(.*)$ /%1/%{REMOTE_ADDR}/____/$1 [C,NS]
RewriteRule ^(.*)$ ${users:$1|/loginbad/} [C,NS]
RewriteRule ^/pass/(.*)$ /$1 [NS,E=!REMOTE_USER]
RewriteRule ^/redirect/(.*)$ /$1 [NS,R=302]
RewriteRule ^/loginok/([^/]+)/(.*)$ /$2 [NS,E=REMOTE_USER:$1]

<LocationMatch ^/(?!thruk/cgi-bin/restricted.cgi)>
Order allow,deny
Allow from all
Satisfy any
</LocationMatch>


The first block enables authentication for everything and is the default. The second block rewrites the URLs to go
through the thruk_auth script, which decides who is authenticated and who isn't. The last block finally removes authentication
from everything except the restricted.cgi, which is used by the thruk_auth script to determine if credentials are valid or not.
This method allows you to use all authentication providers of Apache. You have to adjust the paths to match your installation.

Sven
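
A simplified Python trace of the rewrite chain described in the post above, added here as an example (not part of the thread and not Thruk's own code). `fake_thruk_auth`, its session table and the login URL are hypothetical stand-ins for the real thruk_auth script, whose logic is not shown in the thread; only the URL prefixes and the rules themselves come from the posted config.

```python
import re

# Stand-in for the thruk_auth RewriteMap program. Hypothetical logic and
# constructed session data: the real script's behaviour is not shown here.
SESSIONS = {"thruk_auth=abc123": "arnaud"}  # constructed sample session

def fake_thruk_auth(key):
    # Key layout built by the first RewriteRule: /<cookie>/<REMOTE_ADDR>/____/<path>
    m = re.match(r"^/([^/]*)/([^/]+)/____/(.*)$", key)
    if not m:
        return None                        # a prg: map answers "NULL" on a miss
    cookie, _addr, path = m.groups()
    if path.startswith("thruk/themes/"):
        return "/pass/" + path             # assumption: static files need no login
    user = SESSIONS.get(cookie)
    if user:
        return "/loginok/%s/%s" % (user, path)
    return "/redirect/thruk/cgi-bin/login.cgi"  # placeholder login URL

def rewrite(uri, cookie_header, remote_addr, lookup=fake_thruk_auth):
    """Model of the RewriteCond/RewriteRule lines in the posted config."""
    env, status = {}, None
    cond1 = not re.search(r"^/thruk/cgi-bin/restricted.cgi", uri)
    cond2 = re.search(r"(thruk_auth=[^;]+|$)", cookie_header, re.I)  # [NC]
    m = re.match(r"^/(.*)$", uri)
    if cond1 and cond2 and m:              # rule 1 [C]: pack cookie and IP into the URL
        uri = "/%s/%s/____/%s" % (cond2.group(1), remote_addr, m.group(1))
        uri = lookup(uri) or "/loginbad/"  # rule 2 [C]: ${users:$1|/loginbad/}
        m = re.match(r"^/pass/(.*)$", uri)
        if m:                              # rule 3: E=!REMOTE_USER unsets the variable
            uri = "/" + m.group(1)
            env.pop("REMOTE_USER", None)
    m = re.match(r"^/redirect/(.*)$", uri)
    if m:                                  # rule 4: R=302
        uri, status = "/" + m.group(1), 302
    m = re.match(r"^/loginok/([^/]+)/(.*)$", uri)
    if m:                                  # rule 5: E=REMOTE_USER:$1
        env["REMOTE_USER"] = m.group(1)
        uri = "/" + m.group(2)
    return uri, env.get("REMOTE_USER"), status
```

In this model REMOTE_USER comes only from the `/loginok/<user>/` prefix of the map's reply, and requests for restricted.cgi skip the chain entirely and stay under Basic auth.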

aesnau...@gmail.com

May 15, 2013, 3:17:57 AM
to th...@googlegroups.com
Hi Sven,

Thanks for your response. I applied this configuration, but in the end I'm always logged in to Thruk as the default user thrukadmin, whatever login I use. Can you help me?

Here is my Apache configuration:

<VirtualHost *:80>
    DocumentRoot /usr/share/thruk/root
    CustomLog    /var/log/httpd/thruk_access.log combined
    ErrorLog     /var/log/httpd/thruk_error.log

    <Directory /usr/share/thruk/root>
        Options FollowSymLinks
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

    Alias /thruk/documentation.html /usr/share/thruk/root/thruk/documentation.html
    Alias /thruk/startup.html /usr/share/thruk/root/thruk/startup.html
    AliasMatch ^/thruk/(.*\.cgi|.*\.html)  /usr/share/thruk/fcgid_env.sh/thruk/$1
    AliasMatch ^/thruk/plugins/(.*?)/(.*)$  /etc/thruk/plugins/plugins-enabled/$1/root/$2
    Alias /thruk/themes/  /etc/thruk/themes/themes-enabled/
    Alias /thruk /usr/share/thruk/root/thruk

    <LocationMatch /thruk>
        Options ExecCGI
         AuthName "Thruk Demo" 
         AuthType Basic
         AuthUserFile /etc/thruk/htpasswd
         order allow,deny
         allow from all
         require valid-user
     </LocationMatch>

     RewriteMap  users prg:/usr/share/thruk/script/thruk_auth

     # make all cookies accessible by the url
     RewriteCond %{REQUEST_URI}           !^/thruk/cgi-bin/restricted.cgi
     RewriteCond %{HTTP_COOKIE}           (thruk_auth=[^;]+|$)  [NC]
     RewriteRule ^/(.*)$                  /%1/%{REMOTE_ADDR}/____/$1 [C,NS]
     RewriteRule ^(.*)$                   ${users:$1|/loginbad/}  [C,NS]
     RewriteRule ^/pass/(.*)$             /$1 [NS,E=!REMOTE_USER]
     RewriteRule ^/redirect/(.*)$         /$1 [NS,R=302]
     RewriteRule ^/loginok/([^/]+)/(.*)$  /$2 [NS,E=REMOTE_USER:$1]

     <LocationMatch ^/(?!thruk/cgi-bin/restricted.cgi)>
         Order allow,deny
         Allow from all
         Satisfy any
     </LocationMatch> 

    <IfModule mod_fcgid.c>
     # AddHandler fcgid-script .pl
      AddHandler fcgid-script .sh
      MaxRequestsPerProcess 100
    </IfModule>
</VirtualHost>

Arnaud