[UE] RaspberryMatic custom auth

Added by Shaker 2 months ago

Hello,

I am unsure whether to report a bug for version 1.4.65. I haven't seen a fix for it in the release notes of versions 1.4.66 and 1.4.67, but I don't know if reporting a bug for an older version is accepted.

lighttpd is used as a webserver in the RaspberryMatic project.
Firmware 3.63.9.20220521 uses lighttpd 1.4.64, which works fine.
In Firmware 3.63.9.20220625, lighttpd 1.4.65 was introduced and since then basic authentication does not work. It allows access to protected paths without asking for authentication!
In the main configuration file (/etc/lighttpd/lighttpd.conf) that belongs to the firmware, at the bottom there is an

include "/etc/config/lighttpd/*.conf" 

and /etc/config/lighttpd/auth.conf that is a custom, end-user created file, contains an additional configuration like this:
auth.backend = "plain" 
auth.backend.plain.userfile = "/usr/local/etc/.users" 
auth.require = (
  "/addons/xmlapi" =>
  (
    "method" => "basic",
    "realm" => "External access protection",
    "require" => "user=SomeUser" 
  )
)

But when accessing /addons/xmlapi/... with the browser I am not asked for authentication at all, but get all content directly!

When I "extract" all necessary files of lighttpd 1.4.64 from the previous RaspberryMatic firmware and copy them into the new RaspberryMatic firmware, overwriting lighttpd 1.4.65, basic authentication works again!

Is this a bug or have I missed some changes, deprecations or whatever? I have not seen anything regarding basic auth when I search the release notes or bugs here on this page.


Replies (6)

RE: Should I report a bug or not? - Added by gstrauss 2 months ago

lighttpd is used as a webserver in the RaspberryMatic project.
Firmware 3.63.9.20220521 uses lighttpd 1.4.64, which works fine.
In Firmware 3.63.9.20220625, lighttpd 1.4.65 was introduced and since then basic authentication does not work.

I appreciate the details, though I must point out that this is not the RaspberryMatic site.
Have you asked on the RaspberryMatic forums if anyone else is having similar problems with basic auth with the new firmware (including updated lighttpd)?
A quick search turned up this, which looks like you: https://github.com/jens-maus/RaspberryMatic/issues/1982 (so why didn't you mention it here?)

Perhaps there is an installation issue in the RaspberryMatic firmware image and mod_auth or related modules are not present?

Please follow the basic instruction on How to Get Support

[Edit: maybe you're not loading "mod_auth" and "mod_authn_file" in server.modules]

To be clear, you are in the right place to ask some questions. If you file a "bug report" for support in the lighttpd issue tracker, such a report will be invalid and you will be pointed back to the forums here (or to RaspberryMatic forums). The lighttpd issue tracker is for issues in lighttpd, not end-user support questions (and not questions about third-party distributions of lighttpd).
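A static check for the condition raised in the edit note above, added here as an example that is not part of the thread or of lighttpd: it lists the `auth.require` prefixes in a config and reports whether `mod_auth` and the module for the configured backend appear in `server.modules`. The `server.modules` line in the sample is constructed, the function names are hypothetical, and the backend table covers only the file backends of `mod_authn_file`.

```python
import re

# File-based auth backends live in mod_authn_file, separate from mod_auth.
BACKEND_MODULE = dict.fromkeys(("plain", "htpasswd", "htdigest"), "mod_authn_file")

# Sample input: first line is constructed; the rest is the auth.conf quoted on this page.
SAMPLE = '''server.modules = ( "mod_access", "mod_proxy" )
auth.backend = "plain"
auth.backend.plain.userfile = "/usr/local/etc/.users"
auth.require = ( "/addons/xmlapi" => ( "method" => "basic",
  "realm" => "External access protection", "require" => "user=SomeUser" ) )
'''

def loaded_modules(conf):
    """Collect names from every server.modules = / += ( ... ) list."""
    mods = []
    for body in re.findall(r'server\.modules\s*\+?=\s*\(([^)]*)\)', conf):
        mods += re.findall(r'"([^"]+)"', body)
    return mods

def protected_prefixes(conf):
    """Return the top-level keys (URL prefixes) of each auth.require list."""
    prefixes = []
    for m in re.finditer(r'auth\.require\s*\+?=\s*\(', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            ch = conf[i]
            if ch == '"':                      # skip over a quoted string
                j = conf.index('"', i + 1)
                if depth == 1 and re.match(r'\s*=>', conf[j + 1:]):
                    prefixes.append(conf[i + 1:j])
                i = j
            elif ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            i += 1
    return prefixes

def audit(conf):
    """Report protected prefixes and auth modules absent from server.modules."""
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)   # drop full-line comments
    mods = loaded_modules(conf)
    backend = re.search(r'auth\.backend\s*=\s*"([^"]+)"', conf)
    needed = ["mod_auth"]
    if backend and backend.group(1) in BACKEND_MODULE:
        needed.append(BACKEND_MODULE[backend.group(1)])
    return {"protected": protected_prefixes(conf),
            "missing_modules": [m for m in needed if m not in mods]}
```

The check does not follow `include` directives, so pass it the main configuration concatenated with the included files. A clean result only rules out missing modules; it does not show that the server enforces authentication on the listed prefixes.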

RE: Should I report a bug or not? - Added by Shaker 2 months ago

Yes, I understand. Thanks for your quick reply. That's why I was asking whether to open a bug or not, because it looks like a bug to me, but I was unsure. I don't have any other installation or "pure" lighttpd environment. But after I downgraded to 1.4.64, which was a success, I thought it may be a lighttpd bug, not a RaspberryMatic one. One of my attempts to get it working included adding

server.modules += ( "mod_auth", "mod_authn_file" )

to my config, with no success.

Oh, and you're right. The issue on github is mine, I didn't think about referencing it. I got almost 0 response in the RaspberryMatic forum, and none on github so far, but I felt this may be too important to simply ignore it.
From what you wrote, I can be sure this is no lighttpd bug? Basic auth still works the way I configured it, right?
Even this would be a help to get closer to the real reason. I will investigate further and wait for help in the other forum or github. Thanks again!

RE: Should I report a bug or not? - Added by gstrauss 2 months ago

Please follow the basic instruction on How to Get Support
It appears that you skipped over the first paragraph.

RE: [UE] RaspberryMatic custom auth - Added by gstrauss about 2 months ago

Should I report a bug or not?

No. You also should not title your posts with such useless and vapid noise.

RaspberryMatic has its own custom auth module mod_authn_rega.

RE: [UE] RaspberryMatic custom auth - Added by Shaker about 2 months ago

I have been ill for quite a while, but I feel like doing everything I can to provide the best information I can about this.

  • I'm on a Raspberry Pi 3B.
  • The OS output is like:
    NAME=Buildroot
    VERSION=-g6a4d9f0
    ID=buildroot
    VERSION_ID=2022.08
    PRETTY_NAME="Buildroot 2022.08"
  • Plus: I attach all of lighttpd I could determine in the last firmware that could do basic auth and in the latest one that can't. Binaries, modules and config. The config file structure is a little more complex than in most examples, so I couldn't possibly reduce or simplify it without taking the risk of removing the essential piece of code that leads to this strange behaviour. Please keep in mind that in "/etc/config/lighttpd/auth.conf" there is that piece of code I pasted initially. It is included at the bottom of "/etc/lighttpd/lighttpd.conf".

Yes, RaspberryMatic introduced its own way of securing HTTP. In the UI you find a checkbox that finally adds another config during the startup of lighttpd, but as simple as a checkbox can be - this simply doesn't work. So I kept my basic auth, which I set up before RaspberryMatic came up with this checkbox. Doing so, I ignore the presence of mod_authn_rega, but make use of a plain text user/password file and basic auth.

lighttpd-1.4.64.tar.gz and lighttpd-1.4.65.tar.gz can simply be extracted on the very same RaspberryMatic filesystem with the latest firmware (3.65.11.20221005) to reproduce this.

RE: [UE] RaspberryMatic custom auth - Added by gstrauss about 2 months ago

Please follow the basic instruction on How to Get Support

You may have provided other information, but you have failed to follow the very explicit basic instructions.

This is not a RaspberryMatic support site.
