Hi there. I have been testing a set-up of elog behind an Apache reverse proxy using the Webserver auth method. Apache has been configured for LDAPS with Active Directory allowing us to restrict Elogs by AD group, something not able to be done with the LDAP module.
Testing with Elog 3.1.4 (on Windows) and also Elog 3.1.5 (compiled on Ubuntu 20.04), I experience an issue: when the user logs in for the first time using the above, they get the self-registration box asking for name and email, and then once they hit save they get an error that says: "Error: Command "Config" not allowed". Once the error is dismissed it never comes back, but it's confusing for users, who call for help when they first see it.
Is there a way to skip the self-registration with the Webserver auth method? And if not, is there a reason for the error?
Attached is a copy of the error and an elog config file. Any ideas?
PS. As a side piece, the logout options for Webserver need some enhancement, maybe an option to close the web browser or tab so that it does not retain the logged-in cookies.
[global]
port = 8080
SSL = 0
Page title = Company X
Entries per page = 25
List page title = Company X
Login page title = Company X
Logbook tabs = 0
Menu commands = Back, New, Find, Download, Logout
List Menu commands = New, Find, Logout
Password file = password.pwd
Max content length = 100000
Allow password change = 0
Enable attachments = 0
Show attachments = 0
Hide attachments = 1
List after submit = 1
Logout to main = 0
Allowed encoding = 5
Default encoding = 1
Welcome title = Electronic LogBook
Summary line = 5
Summary line depth = 100
Show top groups = 0
Search all logbooks = 0
Refresh = 300
Login expiration = 0
Reply string =
Suppress default = 2
Thread display = $category entered by $author on $Entry time
Thread icon = Icon
Preset on reply author = $long_name
All display limit = 300
Start page = ?last=31
Bottom text =
Bottom text login =
Resolve host names = 1
Suppress Email on edit = 3
[demo]
Theme = default
Hidden = 1
Authentication = File
Comment = General Linux Tips & Tricks
Attributes = Author, Type, Category, Subject
Options Type = Routine, Software Installation, Problem Fixed, Configuration, Other
Options Category = General, Hardware, Software, Network, Other
Extendable Options = Category
Required Attributes = Author, Type
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = Date, Type
Logout to URL = https://intranet.xyz/
[elog]
Hidden = 1
Authentication = Webserver
LDAP register = 0
Self register = 0
Theme = default
Comment = Elog Site
Preset Author = $long_name
Locked Attributes = Author
Attributes = Category, Codes, Synopsis, Event Date, Author
Options Synopsis = Yes, No
Style Synopsis Yes = background-color:yellow
Style Medical Yes = background-color:green
Type Event Date = datetime
Preset Event Date = $datetime
Date format = %A %B %d %Y %H:%M
List Display = ID, Event Date, Category, Codes, Synopsis, Date, Author
MOptions Category = Test 1, Test 2
MOptions Codes = MED, ACH
Required Attributes = Author, Event Date, Codes
Style Codes MED = background-color:green
Page Title = Company X
Reverse sort = 1
Quick filter = Date, Category, Codes
Sort Attributes = Event Date
Logfile = Elog.log
Logging level = 3
Logout to URL = https://intranet.xyz/
Bottom text =
I found the reason for the bug:
In line 27441 of elogd.cxx the http_user is overwritten by the user saved in the sid_ array as a side effect of the sid_check function:
sid_check(getparam("sid"), http_user)
It can be solved by changing elogd.cxx @ line 27441
27441c27441,27446
< if (!sid_check(getparam("sid"), http_user)) { /* if we don't have a sid yet, set it */
---
> i=sid_check(getparam("sid"), thumb_name);
> if (i && strcmp(http_user,thumb_name)!=0) { /* user changed */
> sid_remove(getparam("sid"));
> i=FALSE;
> }
> if (!i) { /* if we don't have a sid yet, set it */
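Review bot: in the added lines, `thumb_name` and `i` are borrowed as scratch variables for the user name stored with the session and for the `sid_check` result, which hides what the comparison against `http_user` is doing and ties the fix to whatever size and later use `thumb_name` has in this function. A dedicated local buffer sized like `http_user` and a named flag would make the intent clear. The trailing comment on `if (!i)` should also mention the user-changed case, since that branch now runs after `sid_remove` as well as when no sid exists.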
Remark: I have used the variables i & thumb_name of the function in a local context.
Hi,
If I understand correctly, you can do this in the elogd.cfg via
Interface = 127.0.0.1
port = 8080
However, then this can be changed by any user who has global admin rights in elog.
So I changed the line in the elogd.service start script
ExecStart=/usr/local/sbin/elogd -D -p 8080 -n 127.0.0.1 -c /usr/local/elog/elogd.cfg
I hope this has the priority (not tested).
Nicola wrote:
I am running elog under Apache as explained in the administrator's guide. Everything works fine, but my IT service complains about the elog port being publicly exposed, so I have to fix this. As far as I understand, when running under a reverse proxy there's no need for the port to be publicly exposed, but I cannot find how to configure the elog server to expose it only locally.
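Added example (not part of the thread and not ELOG project code): a logbook with Authentication = Webserver takes its user from the header Apache sets, so the elogd port should only be reachable through the proxy. This check reads an elogd.cfg and an optional ExecStart line and lists the Webserver-auth logbooks that are served while elogd is not pinned to loopback. It assumes `;` and `#` start comment lines and that no bind address means all interfaces; the sample config is constructed.

```python
import ipaddress
import shlex

# Constructed sample, modelled on the elogd.cfg posted above (no Interface line).
SAMPLE_CFG = """\
[global]
port = 8080

[demo]
Authentication = File

[elog]
Authentication = Webserver
"""

def parse_cfg(text):
    """Parse elogd.cfg text into {section: {lower-cased option: value}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        # Assumption: lines starting with ';' or '#' are comments.
        elif "=" in line and current is not None and line[0] not in ";#":
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def is_loopback(addr):
    try:
        return addr == "localhost" or ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def exposed_webserver_logbooks(cfg_text, exec_start=""):
    """Logbooks using Webserver auth while elogd is not pinned to loopback."""
    cfg = parse_cfg(cfg_text)
    glob = cfg.get("global", {})
    argv = shlex.split(exec_start)
    binds = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-n"]
    if glob.get("interface"):
        binds.append(glob["interface"])
    # Precedence between -n and Interface is untested in the post, so every
    # configured value must be loopback; no value at all is assumed to mean
    # that elogd listens on all interfaces.
    if binds and all(is_loopback(b) for b in binds):
        return []
    return sorted(
        name for name, opts in cfg.items()
        if name != "global"
        and "webserver" in opts.get("authentication", glob.get("authentication", "")).lower()
    )
```

Because the post leaves the precedence between `-n` and `Interface` untested, the check only passes when every configured bind value is a loopback address.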
Hi all,
I am using the Apache webserver authentication and redirection over http (not https). I have configured it 1:1 as described in the Adminguide. In the elog.cfg I set Authentication = Webserver .
All works fine; the webserver requests an authentication and elog recognizes me correctly.
However, when I close and reopen the browser and log in as a different user, elog does not change the user (tested with Firefox and Edge).
I can only change the user if I use a different browser or restart the elogd (reload is not enough).
The X-Forwarded-User header is set to the correct username - I have checked it with a CustomLog in Apache.
Best regards,
Frank