Package: icinga-web Version: 1.7.1-1 Severity: wishlist
Hi Markus. Maybe it's worth to add the following extra usefule info to README.Debian. Pick what you like: 1) The UNIX user under which Icinga-Web runs needs access to both databases: icinga (as user icinga per default) and icinga_web (as user icinga_web per default). 2) When Icinga-Web runs under a non www-data UNIX user, permission of these files need to be adapted: /etc/icinga-web/conf.d/access.xml /etc/icinga-web/conf.d/auth.xml /etc/icinga-web/conf.d/database-ido.xml /etc/icinga-web/conf.d/databases.xml /etc/icinga-web/conf.d/database-web.xml /etc/icinga-web/conf.d/module_reporting.xml /var/log/icinga-web/ /var/lib/icinga-web/app/cache/ - Any others? - Does it need access to the well known files from icinga like status.dat? You know, that I'd like a more generic way for this (see the very simple one, I suggested yesterday on the pkg-nagios list) but as long as you don't agree here, we should add thse hints :) 3) Add a hint, that whenever the configs are changed, one needs to rm -rf /var/lib/icinga-web/app/cache/* or some stuff won't get "active". 4) When changing the base-URL from /icinga-web to e.g. just /icinga, one needs to adapt the apache.conf (ou said the .htaccess go away so no need to mention this change for them) and /etc/icinga-web/conf.d/icinga.xml. <setting name="appkit.web_path">/icinga</setting> <setting name="appkit.image_path">/icinga/images</setting> They mention that this shall only be done, when knowing what you're doing,... any idea what they mean? 5) PHP Hardening / Suhosin I personally try to harden my PHP config as much as possible, especially setting doc_root and open_basedir. Now doc_root is less for hardening and is used to construct the file paths: One example way of using it is: doc_root = /var/www And adding a symlink "icinga-web" at /var/www/ that points to /usr/share/icinga-web/pub . open_basedir is more interesing: So far I needed to set: open_basedir = "/usr/share/icinga-web:/var/lib/icinga-web:/var/log/icinga-web:/etc/icinga-web" Funny, it actually works even without /etc/icinga-web, but I don't understand why. Given that Suhosin is currently non-functional, I haven't any infos on that yet. 6) PHP Misc I needed to set: zlib.output_compression = Off Icinga-web seems to ship similar functionallity itself. Per default this is Off anyway,.. but it may help people like me who changed the default. 7) I personally stumbled accross not having activated mod_rewrite at first, when I haven't had looked yet in these .htaccess files. But when they go away now, we don't need to give special hints on this, IMHO. 8) I'd like to see how to configure HTTP Basic Auth and/or SSL cert based authentication. But I haven't found out yet whether that works and how. 9) Do you know whether Icinga-Web needs read/write access to the icinga DB? Or would read- only be enough? HTH, Chris. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
