I'm trying to enable HTTP authentication for my zabbix server 6.0.20. I have an EC2 instance running on AWS, and I configured ALB using Cognito authentication.
I updated the files /etc/nginx/conf.d/zabbix.conf:
server {
listen 80 default_server;
rewrite ^/?$ /index_http.php redirect;
....
and /usr/share/zabbix/index_http.php:
<?php
require_once dirname(__FILE__).'/include/classes/user/CWebUser.php';
require_once dirname(__FILE__).'/include/config.inc.php';
$redirect_to = (new CUrl('index_http.php'))->setArgument('form', 'default');
$request = getRequest('request', '');
$request = getRequest('request', '');
$test_request = [];
preg_match('/^\/?(?<filename>[a-z0-9\_\.]+\.php)(\?.*)?$/i', $request, $test_request);
if ($request !== '' && !CHtmlUrlValidator::validateSameSite($request)) {
$request = '';
}
if ($request !== '') {
$redirect_to->setArgument('request', $request);
}
if (CAuthenticationHelper::get(CAuthenticationHelper: :HTTP_AUTH_ENABLED) != ZBX_AUTH_HTTP_ENABLED) {
redirect($redirect_to->toString());
}
require_once dirname(__FILE__)."/include/oidc.inc.php";
oidc();
....
the file include/oidc.inc.php:
<?php
$permitted_domains = [
'mydomain.com',
];
require_once dirname(__FILE__).'/classes/user/CWebUser.php';
require_once dirname(__FILE__).'/config.inc.php';
$request = getRequest('request', '');
$test_request = [];
function generateRandomString($length = 16) {
return substr(str_shuffle(str_repeat($x='0123456789abcdef ghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,$length);
}
function oidc() {
global $permitted_domains;
// Lets clear untrusted headers
$_SERVER['PHP_AUTH_USER'] = '';
$_SERVER['REMOTE_USER'] = '';
$_SERVER['AUTH_USER'] = '';
if ($_SERVER['HTTP_X_AMZN_OIDC_ACCESSTOKEN'] != '') {
$parts = explode(".", $_SERVER['HTTP_X_AMZN_OIDC_ACCESSTOKEN']);
$obj = json_decode(base64_decode($parts[1]), true);
$roleid = 0;
if ($obj['username'] != '') {
$http_user = $_SERVER['PHP_AUTH_USER'] = strtolower($obj['username']);
if (in_array('zabbix-admin', $obj['cognito:groups'])) {
$roleid = 3;
}
if (in_array("zabbix-read", $obj['cognito:groups'])) {
$roleid = 1;
}
}
}
if (!$http_user) {
return;
}
$parser = new CADNameAttributeParser(['strict' => true]);
if ($parser->parse($http_user) === CParser::PARSE_SUCCESS) {
if (!in_array($parser->getDomainName(), $permitted_domains)) {
return;
}
}
$uinfo = DBfetch(DBselect(
'SELECT u.userid,u.attempt_failed,u.attempt_clock,u.attemp t_ip '.
'FROM users u '.
'WHERE u.username='.zbx_dbstr(strtolower($http_user))
));
if(!$uinfo) {
$name_surname = explode(".", $http_user);
DB::insert('users',[[
'username' => strtolower($http_user),
'name' => strtolower($name_surname[0]),
'surname' => strtolower($name_surname[1]),
'passwd' => generateRandomString(), // unused, but have to set
'autologin' => '1', // used to login by http
'autologout' => '15m',
'roleid' => $roleid,
]]);
}
}
this code works fine, I can create the user in the mysql database.
I enabled on Zabbix GUI HTTP authentication:
when I try to connect to the servers, I login to the Cognito form but I receive this error:
Could someone know how can fix it?