HTTP AUTH no longer working following upgrade

Forum for questions and support relating to the 1.34.x releases only.
Post Reply
User avatar
MJN
Posts: 251
Joined: Wed Jan 17, 2007 10:29 am
Location: Wiltshire, UK

HTTP AUTH no longer working following upgrade

Post by MJN »

FIrstly, apologies for the 3rd consecutive post following my upgrade from v1.32.2 to v1.34.5 - they are not intended to be gripes, or at least not at ZoneMinder anyway!

For years now (just gone 13!) I've been using HTTP basic authentication (sent through HTTPS) with Zoneminder and only now following the upgrade has it stopped working. Specifically, it appears to be causing an infinite redirect on login such that I can't access the system. Chrome reports 'ERR_TOO_MANY_REDIRECTS' and Firefox something more ambiguous but enabling the network developer tool shows mutliple redirects too.

My Apache config is the default /etc/apache2/conf-available/zoneminder.conf file supplied with the package (installed via iconnor's PPA) with the addition of the following simple config added to the <Directory /usr/share/zoneminder/www> directive:

Code: Select all

AuthType Basic
AuthName "ZoneMinder - Unauthorised Access Prohibited"
AuthUserFile /home/mathew/NewtonNet/zmhtpasswds 
Require valid-user
The relevant (or what I assume to be relevant) ZoneMinder config options are:

Screenshot from 2020-03-04 22-55-10.png
Screenshot from 2020-03-04 22-55-10.png (50.72 KiB) Viewed 7988 times

If I disable HTTP authentication I am presented with the ZoneMinder authentication screen (which I've never seen before) and I can login fine.

I don't expect anyone to debug what I can only assume is any issue with my own configuration, but if anything jumps out I would be ever so grateful for it being pointed out. I have been randomly trying different ZoneMinder options without success but I am stabbing in the dark with this strategy.
rockedge
Posts: 1173
Joined: Fri Apr 04, 2014 1:46 pm
Location: Connecticut,USA

Re: HTTP AUTH no longer working following upgrade

Post by rockedge »

have you worked with AUTH_TYPE set to builtin?
set AUTH_RELAY to hashed and supply a string for AUTH_HASH_SECRET

remove the block

Code: Select all

AuthType Basic
AuthName "ZoneMinder - Unauthorised Access Prohibited"
AuthUserFile /home/mathew/NewtonNet/zmhtpasswds 
Require valid-user
test and see if that works better.

otherwise the login screen should not appear using HTTP basic authentication I don't think.
User avatar
MJN
Posts: 251
Joined: Wed Jan 17, 2007 10:29 am
Location: Wiltshire, UK

Re: HTTP AUTH no longer working following upgrade

Post by MJN »

rockedge wrote: Wed Mar 04, 2020 11:35 pm have you worked with AUTH_TYPE set to builtin?
set AUTH_RELAY to hashed and supply a string for AUTH_HASH_SECRET

remove the block

Code: Select all

AuthType Basic
AuthName "ZoneMinder - Unauthorised Access Prohibited"
AuthUserFile /home/mathew/NewtonNet/zmhtpasswds 
Require valid-user
test and see if that works better.
Thanks for your thoughts on this.

With the configuration as advised, I can log in (via ZoneMinder's own login screen). But my issue is I want to use HTTP basic authentication as I have various other rudimentary clients pulling streams from Zoneminder that can handle HTTP AUTH but seemingly not interface with Zoneminder's built-in authentication. I could of course revert back to v1.32.3 but obviously I'd rather not do that.
otherwise the login screen should not appear using HTTP basic authentication I don't think.
Indeed, and it doesn't with the AUTH-TYPE set to remote. More specifically, it never used to - now I can't get anything to appear when HTTP auth is enabled in Apache because of the endless redirects.
rockedge
Posts: 1173
Joined: Fri Apr 04, 2014 1:46 pm
Location: Connecticut,USA

Re: HTTP AUTH no longer working following upgrade

Post by rockedge »

I understand why you would like it to remain with basic auth.

you are on version 1.34+ correct? have you also enabled Options->System->OPT_USE_LEGACY_API_AUTH ?

I don't think that is it though.
User avatar
asker
Posts: 1553
Joined: Sun Mar 01, 2015 12:12 pm

Re: HTTP AUTH no longer working following upgrade

Post by asker »

Yeah, I think basic auth is completely broken in 1.34. Isaac mentioned it in slack yesterday. I don't use it, but he might be looking into fixing it now (if he hasn't fixed it already)
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.

Please read before posting:
How to set up logging properly
How to troubleshoot and report - ES
How to troubleshoot and report - zmNinja
ES docs
zmNinja docs
User avatar
MJN
Posts: 251
Joined: Wed Jan 17, 2007 10:29 am
Location: Wiltshire, UK

Re: HTTP AUTH no longer working following upgrade

Post by MJN »

rockedge wrote: Wed Mar 04, 2020 11:53 pm I understand why you would like it to remain with basic auth.
It always felt quite simple for me, and I've always been confident in its use (when used within HTTPS).

As a temporary workaround I have disabled OPT_USE_AUTH in ZoneMinder and reenabled HTTP AUTH in Apache. This gives me the access control I require, albeit without the ability to control what individual users can do within ZoneMinder. Truth be told that could be an acceptable long-term solution for me as there is only me that accesses it and I'd only set up different users to limit what certain 3rd party devices could access (including my homemade Internet-enable cat feeder of all things!).
you are on version 1.34+ correct? have you also enabled Options->System->OPT_USE_LEGACY_API_AUTH ?

I don't think that is it though.
Worth asking though but, yes, I've tried with that enabled (I think it's the default judging by the explanatory text).
User avatar
MJN
Posts: 251
Joined: Wed Jan 17, 2007 10:29 am
Location: Wiltshire, UK

Re: HTTP AUTH no longer working following upgrade

Post by MJN »

asker wrote: Wed Mar 04, 2020 11:57 pm Yeah, I think basic auth is completely broken in 1.34. Isaac mentioned it in slack yesterday. I don't use it, but he might be looking into fixing it now (if he hasn't fixed it already)
Ah, okay! That's actually good news (for me) because I was at a complete loss as to how my Apache config could've been incompatible and no longer giving the intended result. Dare I say it but I even thought 'if I can't get this working I might need to look elsewhere'! As mentioned, I've been using Zoneminder for 13 years now (since 2007) and so it would be with some regret if that ended up being the case.

As mentioned above I've disabled OPT_USE_AUTH and then may well prove to be perfectly acceptable for my requirements with just HTTP AUTH being used to control access (to my Zoneminder installation as a whole rather than restricting access to particular cameras and features).
User avatar
MJN
Posts: 251
Joined: Wed Jan 17, 2007 10:29 am
Location: Wiltshire, UK

Re: HTTP AUTH no longer working following upgrade

Post by MJN »

Aaagh... just discovered someone has already filed a bug here. Apologies for all the noise here.
User avatar
iconnor
Posts: 2880
Joined: Fri Oct 29, 2010 1:43 am
Location: Toronto
Contact:

Re: HTTP AUTH no longer working following upgrade

Post by iconnor »

I believe I have it fixed in master, will be in 1.34.6.

Lots of interesting considerations though. There may be further work to do here.
STORTZ
Posts: 2
Joined: Wed Feb 01, 2023 4:46 pm

Re: HTTP AUTH no longer working following upgrade

Post by STORTZ »

Again, followed the ZoneMinder destructions and had an issue logging in once I enabled authentication in step two of this painful setup lol..

I did exactly what the instructions said, and boom, couldn't log in with the suggested admin/admin default credentials..

So I updated the creds manually in the database to save me time of an entire reinstall..

Is this the recommended way, probably not. Does it work, yes!

I did the following:

#mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 72
Server version: 5.5.68-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

#MariaDB [(none)]> use zm;
Database changed

#MariaDB [zm]> update Users set Password="yournewfancypasswordthatwillwork" where Username="admin";
Query OK, 1 row affected (0.00 sec)
sname5978
Posts: 1
Joined: Tue Feb 21, 2023 12:54 pm

Re: HTTP AUTH no longer working following upgrade

Post by sname5978 »

You sure Basic Auth is the issue? Had a customer recently where an application using EWS stopped working and it was because it was using an older TLS version which MS is phasing out
momix




indigocard.com activate
Post Reply