Re: Securing Elog with SSL and Apache, posted by Rob Mahurin on Wed Nov 22 02:55:48 2006
|
Hi,
I am an apache ignoramus who has been trying to follow these instructions on a Debian 3.1 box. I got hung up for
the following reason. I had to explicitly enable some apache features, which was a simple matter of making the
following symlinks in /etc/apache2/mods-enabled:
proxy.conf -> ../mods-available/proxy.conf
proxy.load -> ../mods-available/proxy.load
rewrite.load -> ../mods-available/rewrite.load
headers.load -> ../mods-available/headers.load
ssl.conf -> ../mods-available/ssl.conf
ssl.load -> ../mods-available/ssl.load
Easy enough. The default proxy.conf has sensible-looking warnings about not running your server as an open proxy.
However, I wasn't able to tweak it to do encrypted port forwarding from :443 to :8079.
What I've done that works is to add a local proxy section to the /etc/apache2/conf.d/elogredirect.conf by Damon
Nettles:
<VirtualHost *:443>
    ### ... everything else
    <Proxy *>
        Allow from all
    </Proxy>
</VirtualHost>
I think, since this is in a subsection, that it only affects that virtual host. But it'd be nice if someone who
actually understands this language would reassure me that I'm not setting myself up for some security hole. At
any rate it took me long enough to figure this out that I thought I'd post a note in public, and this seems like
the forum to do so.
Thanks.
Rob |
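The question raised in the post above turns on whether the virtual host acts as a forward or a reverse proxy. The following is an added example, not part of the original post and not Damon Nettles' configuration: the hostname, certificate paths and loopback backend address are assumptions, the port 8079 is taken from the post, and the access syntax is the Order/Allow form of Apache 2.0/2.2 (Apache 2.4 uses `Require` instead).

```apache
# Added example. ServerName, certificate paths and the 127.0.0.1 backend
# address are assumed values; only the ports :443 and :8079 come from the post.
<VirtualHost *:443>
    ServerName elog.example.org

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/elog.crt
    SSLCertificateKeyFile /etc/apache2/ssl/elog.key

    # Reverse proxy only. With ProxyRequests Off the server refuses to fetch
    # arbitrary URLs on behalf of clients, so it cannot be used as an open
    # forward proxy. This directive, not the <Proxy> block, is what decides
    # whether "Allow from all" is dangerous.
    ProxyRequests Off

    # Map the whole virtual host onto elogd listening on the loopback interface.
    ProxyPass        / http://127.0.0.1:8079/
    ProxyPassReverse / http://127.0.0.1:8079/

    # Access control for proxied content. Scoping the section to the backend
    # URL space is narrower than <Proxy *> and grants nothing beyond elogd.
    <Proxy http://127.0.0.1:8079/*>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
```

A `<Proxy>` section placed inside a `<VirtualHost>` applies only to that virtual host. The backend port should not be reachable from outside the machine, otherwise clients can bypass the TLS front end.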
maximum attributes for drop down menu., posted by rob on Fri Feb 20 11:04:03 2015
|
We use a servername field to be able to select a server.
When I entered my entire serverlist (574 entries), only 250 of them show up.
Looking at the online documentation about attributes, it is stated that there is a maximum of 100 entries.
With the version we are using (2.7.1) it seems the limit is 250.
Can someone tell me if version 3 has the same limitation, or that the max has been increased?
Rob. |
How to prevent file path leaks on a 404 page, posted by Rich Loring on Tue May 12 15:47:33 2020
|
Hello,
We used the Elog RPM binary installation method to install Elog. Our security scanners are complaining that Elog discloses the version information when you hit a missing page (404 error). How can I hide this version info? Is there a snippet of code somewhere that I can comment out?
Any help is appreciated.
-Rich |
How to prevent file path leaks on a 404 page, posted by Rich Loring on Tue May 12 15:53:17 2020
|
Hello,
We used the Elog RPM binary installation method to install Elog. Our security scanners are complaining that Elog discloses the version information when you hit a missing page (404 error). How can I hide this version info? Is there a snippet of code somewhere that I can comment out?
Any help is appreciated.
-Rich |
https:// changed to http:// when submit button is clicked, posted by Robert Keeney on Thu Mar 6 20:37:16 2003
|
I hope this is not something I did.
I'm using elog 2.3.1 on redhat 7.1 and using stunnel to redirect from port
443 to 8080. When I try to add a new record (click submit) https:// in the
browser gets changed to http://. I've tried three browsers all with the same
result. If I go into the address field and change it to https:// after
getting a 404 error it works. The record gets posted. |
Re: https:// changed to http:// when submit button is clicked, posted by Robert Keeney on Thu Mar 6 20:49:31 2003
|
> I hope this is not something I did.
>
> I'm using elog 2.3.1 on redhat 7.1 and using stunnel to redirect from port
> 443 to 8080. When I try to add a new record (click submit) https:// in the
> browser gets changed to http://. I've tried three browsers all with the same
> result. If I go into the address field and change it to https:// after
> getting a 404 error it works. The record gets posted.
Just an update: It does the same thing when I click the back button |
Re: https:// changed to http:// when submit button is clicked, posted by Robert Keeney on Fri Mar 7 12:32:34 2003
|
Operator error. Figures!
Elog has worked fine for a long time then I upgraded and added stunnel at the
same time. A case of not seeing the forest for the trees.
Thanks for the help.
> > > I'm using elog 2.3.1 on redhat 7.1 and using stunnel to redirect from port
> > > 443 to 8080. When I try to add a new record (click submit) https:// in the
> > > browser gets changed to http://. I've tried three browsers all with the same
> > > result. If I go into the address field and change it to https:// after
> > > getting a 404 error it works. The record gets posted.
>
> This is due to a change we had to do in the redirection of the pages. If you
> submit a page, the result is a redirection using the HTTP
> statement "Location: ..." inside the header. While this was a relative link
> in the previous versions, we changed this into an absolute link, which then
> agrees with the standard. But since elogd does not know if it runs
> under "http:" or "https:", you have now to add the line
>
> URL = https://your.server:port
>
> into elogd.cfg. I will add this note into the documentation.
>
> - Stefan |
Re: User Profile - Access to logbook group, posted by Robert Keeney on Fri May 2 15:58:23 2003
|
I have managed to get this to work (so far).
What I do is use a separate password file and directory for each log.
I haven't tested it with the current version but it worked fine before
that. My testing consisted of creating a user in the main password file and
see if he could get to anything I didn't want him to. This may not be enough
for something that requires a high level of security.
When I create a new user I move that line to the appropriate password file if
it isn't already there.
You will get an invalid user message and a prompt if you try to access a log that
doesn't have your user name in the password file.
I only have six people using it so this isn't much trouble.
I would like to see groups implemented to make this more manageable.
> Hi,
>
> I was wondering if anyone had a solution for my problem.
> We are trying to run several books on one server. The books are grouped
> such as follows :
>
> Group Users1 = Book1, Book2, Book3
> Group Users2 = Book4, Book5, Book6
> Group Users3 = Book7, Book8, Book9
>
> We would like to give access to selected users to only their Group. So that
> for instance Users1 cannot access the books of group Users3. I was
> wondering if there is any notion of "User profile" or security per logbook
> Group implemented?
>
> What we do for now is that we have 3 different PASSELOG files and for each
> Book we need to specify which PASSELOG should be used for authentication.
> This works fine except that we prefer that users do not see the other
> logbooks listed in the main menu nor the other "inaccessible" logbook tabs
> in the logbook view. Is there a way to hide these for them (but only for
> them)?
>
> Tomas |