How to restrict inventory to glpi-agent allowed (token /auth)

[tech62]

Is your help request related to a problem?

By default, when installing glpi-agent, anyone who known the url can registering in the inventory.
How restrict that ?

Expected behavior

Restricting inventory only to agent with a token or auth login

Actions you've considered

I see a "token" thing in the glpi-agent (inventory-plugin.cfg and in the documentation), but how to setup/link that with the glpi-agent ? (adding token= in the agent.cfg, generating a user with an api dedicated token ?).

I've check glpi-project/glpi#12706 but the issue not having an update since he was created

Additional context

No response

[AntoninGP]

You can use the Auth-Basic function from Apache and restrict access on the inventory part, server side, to a list of credentials.

https://httpd.apache.org/docs/2.4/en/howto/auth.html

You can launch the agent with the previously created credentials, command-line args are :

--user=USER
user name for server authentication

--password=PASSWORD
password for server authentication

[g-bougard]

Well, you're right.
@stonebuzz should be able to answer you here when he'll be back to work in few days ;-)

[stonebuzz]

Hi @tech62
you can't configure certificate though GLPI agent (Android or iOS).
Only Auth-Basic (with --user, --password) is supported.

Maybe it is possible to do it directly from the OS.

Best regards

[supportuser27]

Hi,
We've managed to set Basic Auth in /front/inventory.php, but all agent still sending information without user and password.
Can anyone give us some more information?
@AntoninGP Wherever I read about it, your name appears. Can you give us an advice, please?
We don't want to publish our server and get inventory from anyone without authentication.
Thanks in advance!!

[g-bougard]

Hi @supportuser27
as @AntoninGP said, you need to set user & password configuration parameters. He provided the way for commandline, but you can set it in dedicated configuration or during installation. On what platform your agents are installed ?
If you install glpi-agent with the MSI installer, you can add USER=... and PASSWORD=... on the MSI command line or in the SetupOptions definition if you're using the VBS script.

[supportuser27]

Hi,
We have Basic Auth in /front/inventory.php
If I install the agent without user and password, the server still receiving the inventory.
If we protect all the glpi directory, user and password come into action, and it's required to install the msi with those parameters.
We don't want to protect all glpi directory, just the inventory.
What are we missing?

This is our Apache Config.

<VirtualHost *:80>

 ServerName glpi.myserver.org

 DocumentRoot /var/www/html/glpi/public

 ErrorLog ${APACHE_LOG_DIR}/error.log

 CustomLog ${APACHE_LOG_DIR}/access.log combined

 <IfModule mod_rewrite.c>

       RewriteEngine On

       RewriteCond %{HTTPS} off

       RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,QSA]

 </IfModule>

 <Directory /var/www/html/glpi/public>

            Require all granted

            RewriteEngine On

            RewriteCond %{REQUEST_FILENAME} !-f

            RewriteRule ^(.*)$ index.php [QSA,L]

 </Directory>

<VirtualHost *:443>

 ServerName glpi.myserver.org

 DocumentRoot /var/www/glpi/public



 Include conf-available/php8.2-fpm.conf



 <FilesMatch "\.(?:cgi|shtml|phtml|php)$">

       SSLOptions +StdEnvVars

 </FilesMatch>

 <Directory /usr/lib/cgi-bin>

       SSLOptions +StdEnvVars

 </Directory>



 <Directory /var/www/glpi/public>

       Require all granted



       RewriteEngine On



       # Ensure authorization headers are passed to PHP.

       # Some Apache configurations may filter them and break usage of API, CalDAV, ...

       RewriteCond %{HTTP:Authorization} ^(.+)$

       RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]



       # Redirect all requests to GLPI router, unless file exists.

       RewriteCond %{REQUEST_FILENAME} !-f

       RewriteRule ^(.*)$ index.php [QSA,L]



 </Directory>



 <FilesMatch "inventory\.php$">

       AuthType basic

       AuthName "Basic Authentication"

       AuthUserFile /etc/apache2/.htpasswd

       Require valid-user

 </FilesMatch>



 <Location "/front/inventory.php">

       AuthType basic

       AuthName "Basic Authentication"

       AuthUserFile /etc/apache2/.htpasswd

       Require valid-user

 </Location>

[g-bougard]

I see in GLPI inventory plugin wiki there is :

# token as private secret used to verify authorization token, not defined by
# default, but mandatory to access API
#token = [secret-string]

Can i use that to secure the inventory access ? Where can i found or create this API token ? What is the format of the token ?

You are talking about GLPI-Agent Inventory server plugin: Read the doc first, this is not the same than standard usage.
https://glpi-agent.readthedocs.io/en/latest/plugins/inventory-server-plugin.html
In that case, the glpi-agent is a passive agent and waits a client requests an inventory from another computer.

The token is just a shared secret of your choice.

[felamachado]

I have the same question. With the default configuration, anyone with the server link could inject unwanted data.

I haven't found information on how to restrict this access on server side.

The solution given by @AntoninGP up here seems a bit rudimentary.

I also tried adding to the file

/etc/apache2/sites-available/000-default.conf

the line:

RewriteRule ^ocsinventory - [F,L]

This effectively restricts access, but I can't then manage to authenticate the host that I actually want to add.

[g-bougard]

Hello @felamachado

actually, the only effective and simplest solution is to setup basic authentication other an SSL connection. You can think this is rudimentary, but this is just safe. This may also be really tricky to setup server-side. This solution is used by GLPI Network Cloud for example.

The problem is important when you can't trust all remote clients (most of the time because you need to open your GLPI on internet). You can work around also this problem in another way: for example you can upload locally generated inventory using a safe transport and import the uploaded inventories in GLPI using glpi-injector script.

You should know we want to implement a better solution soon or later, probably for the GLPI 10.1.0 release next year.

[rfcdejong]

Seems a better solution is in GLPI 11? When will that version be released?

[g-bougard]

Hi @rfcdejong

GLPI 11 is actually in beta: https://github.com/glpi-project/glpi/releases/tag/11.0.0-beta4

We expect to publish the final release between September and the end of the year.

[ftoledo]

This setup mode should be very well documented in the agent.
It is not feasible to have to search through forums or web tutorials

[cautiouscoyote]

Agreed. This is rediculous.
Bumping into this now, scraping through forums and what-not to gather bits and pieces, but failing to get a functioning authentication mechanism in place.

Does ANYONE have a working config in place and cares to share? Would be much appreciated.

@g-bougard Any indication - more specific than "next year" please - on when the GLPI 10.1.0 release might hit the road?

[g-bougard]

Hi @cautiouscoyote

I can't speak for the GLPI team and the team is really working hard to propose a release this year. I think there will be a beta or alpha release before next summer. @orthagh can you confirm ?

Anyway concerning the discussed subject, I'm happy to tell you @cconard96 has published a PR for the main GLPI branch (the one used for next major release). That PR proposes OAuth support for agent authentication and I now have to implement the corresponding glpi-agent side support.

[cautiouscoyote]

Thanks, @g-bougard, for this quick update.
I do understand that it is not a small feat to implement properly, but it is good to see this matter is being actively worked on indeed.
Keep up the good work! Will monitor the release notes on this ;-)

[cautiouscoyote]

So, while the OAuth support is likely still some time away, I poked around a bit more with the basic auth option and realized that, in my case, I had to implement that not in Apache which is in front of GLPI, but in Nginx which is in turn in front of the Apache-GLPI combo - and also in front of a number of other services.

Now I have it working, however not just for the inventory part with the agent, but for the whole site. This matter has been asked for in this thread before, but for Apache. Without a proper answer though, as far as I can see.
I would like to ask the same question for Nginx: can this basic auth part be enforced ONLY for the agent/inventory part?

The relevant section of my current Nginx config now looks like this:

[...]
upstream glpi {
server local_GLPI_container_IP_address:80;
}
[...]
location /glpi {
access_log /var/log/nginx/glpi.access.log main;
error_log /var/log/nginx/glpi.error.log;
client_max_body_size 512M;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.glpipasswd;
proxy_pass http://glpi;
}
[...]

Any pointers are appreciated.