Zammad does not integrate smoothly with a basic-auth layer. Therefore the status code "HTTP 401 Unauthorized" should not be used. As an alternative, status code 403 would be a suitable replacement.
Overall, Zammad does not have many problems when combined with basic auth. However, there are some cases where a request is answered with status code 401, and the current user is then forced to re-enter their basic-auth credentials.
Status 401 (or unauthorized) can be searched for easily in the code base:
https://github.com/zammad/zammad/search?l=Ruby&q=%3Aunauthorized
Then
or
Yes, I'm sure this is a bug and not a feature request or a general question.
Please update the first post to hold the precise installation information - "any" isn't really suitable at this point - sorry. :)
Also, please provide your complete web server configuration (I just want to know what you're using!). Right now this smells like a technical question, but I'd like to verify it fully. For that I need everything, though. ;)
Thanks
Hi again,
I've updated the issue description - sorry it was lacking at first!
Best
Thanks for updating. Is your web server configuration the default config extended by basic auth? Could you provide that vhost configuration? Just to make sure I'm not missing anything.
Thanks!
Yes, basically it's just the Zammad default config + BasicAuth. Here is the vhost config!
# basic-auth layer applied by nginx in front of every location below
auth_basic 'Restricted: general basic auth';
auth_basic_user_file /etc/.htpasswd.d/zammad;

location /ws {
    proxy_pass http://zammad_ws;
    proxy_redirect off;
    proxy_hide_header X-Powered-By;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_read_timeout 86400;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_max_temp_file_size 0;
    error_page 502 503 504 =503 @fallback;
}

location / {
    try_files $uri @proxy;
}

location @proxy {
    proxy_pass http://zammad;
    proxy_redirect off;
    proxy_hide_header X-Powered-By;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_max_temp_file_size 0;
    proxy_set_header CLIENT_IP $remote_addr;
    error_page 502 503 504 =503 @fallback;
}
I looked into it again.
Our guess (as Michael wrote) is that instead of returning HTTP 401 (which makes the browser believe the basic-auth credentials it supplied are incorrect), HTTP 403 Forbidden should be returned.
If I see it correctly, that means that in app/controllers/application_controller/handlers_errors.rb:L39
respond_to_exception(e, :unauthorized)
would need to be replaced with
respond_to_exception(e, :forbidden)
According to the RFC, the browser behaviour should then differ (https://tools.ietf.org/html/rfc7231#section-6.5.3): "If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials."
However, I ran into the same problem in another project last week, and 403 worked there.
If you don't see other problems with returning 403, I could file a PR.
Best
Sorry it took a while.
Please note that this is not a Zammad-related (application-based) issue but an nginx "backend problem".
A basic-auth authentication request never reaches Zammad as the application; it is already terminated (and checked) by nginx or whatever other web server you use.
So I don't think changing the source code would solve the problem at all.
Technically, 401 Unauthorized is correct as far as I can tell (I understand that you'd need 403, though).
Reference:
https://serverfault.com/questions/616770/nginx-auth-basic-401-htpasswd
By the way:
Just to be sure, I commented out the Zammad proxy part completely so that Zammad's backend cannot respond. The 401 result is the same, so it's nginx's doing. :)
Since this is a technical question and not a bug, I'm closing this.
Hi @MrGeneration,
Thanks for looking into this.
I understand that this issue seems to be out of scope for the Zammad application, but I still think that it (and not nginx) is the cause. Let me explain why:
Let's assume nginx is not configured to use basic auth. In that case we both agree that the Zammad application ("behind" nginx) works fine.
Now we enable basic auth by adding the configuration above to nginx. Note that even now almost everything works as expected, including both authentications (basic login and Zammad login) and the Zammad application itself.
As explained before, the problem sometimes occurs later (caused by Zammad) when the application renders a page with status code 401. In that case _every web server_ with basic auth enabled forces a logout.
I agree that, semantically speaking, 401 sounds just right in this case. Technically speaking, it causes an unavoidable problem with basic auth, so it should be replaced by 403.
Since this could also affect the UX of the Zammad application for many users, please reopen this issue.
@thorsteneckel what do you think about this?
Hi everyone! Thanks for the valuable information and explanations. I read the RFC but was still a bit confused about the difference between 401 and 403. However, I found this great explanation on StackOverflow. In summary:
There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization.
That brings me to the point. Zammad uses 401 for authorization errors. That's technically wrong and therefore a bug. Reopening the issue.
However, we need to check the impact. I think this is a breaking change for all implementations and API consumers.
My current plan is to soft-deprecate 401 for authorization in Zammad 3.4 and hard-deprecate it in 3.5 (or 3.6), switching to 403.
We need to discuss this further internally.
Any further thoughts on this?
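To make the distinction argued in the two posts above concrete, here is an added example (not Zammad's code and not from the thread) that models the two layers involved: an outer basic-auth gate standing in for nginx's auth_basic, and an inner application that can fail either authentication (no session) or authorization (session present, rights missing). The user store, the sessions, the X-Session header and the admin-only path are constructed for the example. The authz_status parameter reproduces the reporter's case (401 for an authorization failure, the response the thread says makes the browser re-prompt for basic-auth credentials) beside the fix (403), while the gate keeps answering 401 plus WWW-Authenticate for genuinely missing or wrong basic-auth credentials.

```ruby
require 'base64'

# Constructed stand-in for nginx's auth_basic_user_file (hypothetical user).
BASIC_AUTH_USERS = { 'alice' => 's3cret' }.freeze

# Constructed application sessions, keyed by a hypothetical X-Session header.
APP_SESSIONS = {
  'sess-agent' => { user: 'agent1', role: 'agent' },
  'sess-admin' => { user: 'admin1', role: 'admin' }
}.freeze

# Constructed list of paths only admins may reach.
ADMIN_ONLY_PATHS = ['/api/v1/settings'].freeze

class NotAuthenticated < StandardError; end # no valid application session
class NotAuthorized < StandardError; end    # valid session, insufficient rights

# Outer layer: the basic-auth gate nginx's auth_basic provides in front of the
# app. Yields to the app only when the credentials check out; otherwise it
# answers 401 with WWW-Authenticate, the response that makes a browser prompt
# (or re-prompt) for credentials.
def basic_auth_gate(env)
  scheme, encoded = env['HTTP_AUTHORIZATION'].to_s.split(' ', 2)
  if scheme == 'Basic' && encoded
    user, pass = begin
      Base64.strict_decode64(encoded).split(':', 2)
    rescue ArgumentError
      [nil, nil] # malformed base64 is treated like missing credentials
    end
    return yield if user && BASIC_AUTH_USERS[user] == pass
  end
  [401, { 'WWW-Authenticate' => 'Basic realm="Restricted"' }, ['gate: unauthorized']]
end

# Inner layer: the application. authz_status is the code used when a logged-in
# user lacks rights: 401 reproduces what the reporter hit, 403 is the fix.
def app(env, authz_status: 403)
  session = APP_SESSIONS[env['HTTP_X_SESSION']]
  raise NotAuthenticated if session.nil?
  if ADMIN_ONLY_PATHS.include?(env['PATH_INFO']) && session[:role] != 'admin'
    raise NotAuthorized
  end
  [200, {}, ["ok #{session[:user]}"]]
rescue NotAuthenticated
  # Not logged in at all: 401 is the right code (authentication), no challenge header.
  [401, {}, ['app: authentication required']]
rescue NotAuthorized
  # Logged in but not allowed: an authorization failure, the case the thread is about.
  [authz_status, {}, ['app: forbidden']]
end

# Full request path: gate first, app behind it. Returns [status, headers, body].
def handle(env, authz_status: 403)
  basic_auth_gate(env) { app(env, authz_status: authz_status) }
end

# Builds a request env the way a browser sends it after the basic-auth prompt:
# Authorization header for the gate, X-Session for the app.
def request(path, basic: nil, session: nil)
  env = { 'PATH_INFO' => path }
  env['HTTP_AUTHORIZATION'] = "Basic #{Base64.strict_encode64(basic.join(':'))}" if basic
  env['HTTP_X_SESSION'] = session if session
  env
end

if __FILE__ == $PROGRAM_NAME
  good = ['alice', 's3cret']
  puts handle(request('/', basic: good, session: 'sess-agent')).first                                   # 200
  puts handle(request('/api/v1/settings', basic: good, session: 'sess-agent')).first                    # 403 (fixed)
  puts handle(request('/api/v1/settings', basic: good, session: 'sess-agent'), authz_status: 401).first # 401 (reporter's case)
end
```

Only the gate's 401 carries WWW-Authenticate; the application's 401 for a missing session is still an authentication failure and keeps that code, and only the rights check moves to 403, which is the change the maintainer describes.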
That's great news! Sounds good to me.
To keep everyone up to date: we'll implement this in the upcoming 4.0 release.
For the internal implementation: https:
Fixed in the commit above. I took the chance to improve some of the messages for 401 errors, but basically all that changed is that non-authentication errors now return 403 Forbidden.
This can be tested in about 30 minutes from now with the latest develop packages. Please note that this is a working branch and not stable, so make sure to take backups and expect the worst :) Looking forward to your feedback!