Xymon Mailing List Archive

Separating alternate pageset

3 messages in this thread

Becker Christian · Wed, 29 Jun 2016 17:37:40 +0000
Hello,


We are running Xymon 4.3.11 on RHEL 6.2 with Apache 2.2.15. I followed the Xymon website to install our Xymon system.
We have configured 922 monitored devices.

Now we are in the situation that we need to present some special devices to an external company. I did this by setting up an alternate pageset, following the Tips and Tricks section from the Xymon website.
Everything is working as expected, but the external company is able to „break out“ of this special pageset. I disabled the menu bar on the start page of this alternate pageset using an alternate template header file. But as soon as they click on any green / yellow / red button from any test, they end up in the normal Xymon page containing the results of this test AND the menu bar.

Is there any way to „jail“ this alternate pageset, or to configure it without presenting the menu bar, or to set up some rewrite rules, so that the external company cannot use the menu bar or break out of this special page set? xymongen doesn’t seem to make this happen....

Or is there another possibility that I haven’t seen until now? For example, by sending this alternate pageset to another system or something else....

Regards
Christian


Christian Becker
IT-Services

user-e4a19bfb94c0@xymon.invalid
Mittelrhein-Verlag GmbH
August-Horch-Straße 28
D-56070 Koblenz
Verleger und Geschäftsführer: Walterpeter Twer
Reg.-Gericht Koblenz HRB 121
Finanzamt Koblenz Str.Nr. 22 65 10 285 2
www.rhein-zeitung.de
John Thurston · Wed, 29 Jun 2016 09:54:01 -0800
On 6/29/2016 9:37 AM, Becker Christian wrote:
- snip -
> Now we are in the situation that we need to present some special devices
> to an external company. I did this by setting up an alternate pageset,
> following the Tips and Tricks section from the Xymon website.
>
> Everything is working as expected, but the external company is able to
> „break out“ of this special pageset.
- snip -
Even if you succeed in stripping the menus from all of the alternate pages, the URLs and cgis are still going to work. It isn't going to be hard to look at the address bar:
https://xymon.bar.com/xymon-cgi/svcstatus.sh?HOST=foo.bar.com&SERVICE=info
and figure out that any host can be displayed just by changing the "HOST=" value. Alternate page sets (on the same web server) are not going to really "jail" those users.

See if you can publish your alternate page set on an apache vhost. You could then prevent the external users from reaching your primary vhost.

-- 
    Do things because you should, not just because you can.

John Thurston    XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Enterprise Technology Services
Department of Administration
State of Alaska
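
One way to lay out the separate vhost suggested above, as an added example that is not part of the thread or of Xymon's own configuration. It uses Apache 2.2 access syntax to match the 2.2.15 named in the first message; the hostname, certificate and directory paths, the pageset directory `external` and the second allowed host are assumptions.

```apache
# Added example; Apache 2.2 syntax. Hostname, paths, pageset directory
# "external" and the allowed host names are assumed, not taken from the thread.
<VirtualHost *:443>
    ServerName xymon-external.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/xymon-external.crt
    SSLCertificateKeyFile /etc/pki/tls/private/xymon-external.key

    # Map only the generated alternate pageset and the shared icons.
    DocumentRoot /home/xymon/server/www/external
    Alias /xymon/gifs/ /home/xymon/server/www/gifs/
    <Directory /home/xymon/server/www>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    ScriptAlias /xymon-cgi/ /home/xymon/cgi-bin/
    <Directory /home/xymon/cgi-bin>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    RewriteEngine On
    # Refuse every CGI except the status page.
    RewriteCond %{REQUEST_URI} !^/xymon-cgi/svcstatus\.sh$
    RewriteRule ^/xymon-cgi/ - [F]

    # Status page: GET only, and the query string must be exactly one
    # allowed HOST followed by one SERVICE. Anchoring the whole string means
    # a repeated or URL-encoded HOST= fails the match and is refused.
    RewriteCond %{REQUEST_METHOD} !^GET$ [OR]
    RewriteCond %{QUERY_STRING} !^HOST=(foo\.bar\.com|baz\.bar\.com)&SERVICE=[A-Za-z0-9_-]+$
    RewriteRule ^/xymon-cgi/svcstatus\.sh$ - [F]
</VirtualHost>
```

Name-based vhosts on one address are selected by the Host header, so the primary vhost still needs its own source-address restriction for the separation to hold. With this layout, links from the status page to any other CGI return 403.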
Becker Christian · Thu, 30 Jun 2016 06:35:52 +0000
Hello,

> See if you can publish your alternate page set on an apache vhost. You could then prevent the external users from reaching your primary vhost.

I tried this already but didn't succeed (could be depending on my setup). At this time I don't really know how to configure this; think I have a trial-and-error phase in front of me....

Regards
Christian


Christian Becker
IT-Services

user-e4a19bfb94c0@xymon.invalid