Looking-Glass Beta-testers: critical bug

[Andy Shellam (Mailing Lists)]

True, however it states in the config file that this variable is only to 
be used if it's not possible to set the authentication in Apache's 
config using the allow,deny directives.  This is the preferred method, 
and that's why you can zero out the array.

The scenario NLG was designed for was when the Nagios server is not 
accessible from a public network (such as the Internet), but you want to 
give an interface to customers to check server status etc, so really 
this is mainly a paranoid safety check.

I do, however, see your point, and I'll perhaps make it so that if no 
hosts are specified, by definition only 127.0.0.1 is allowed to connect 
(as this will account for 'same-server' installs of NLG), and then add a 
"$EnableIPcheck" variable.


Andreas Ericsson wrote:
> Andy Shellam (Mailing Lists) wrote:
>> Hi,
>>
>> To anyone who's testing Nagios Looking Glass 0.2.41, there is a bug 
>> in the code that denies all IPs access to the poller when $AllowedIPs 
>> is not set.
>> It should be that when $AllowedIPs = Array(), any host is allowed a 
>> connection.
>>
>
> This is not a very safe way to go about it. Personally, I think I like 
> the "buggy" code better, although perhaps coupled with a 
> "$disable_security_altogether" variable.
>


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null