[mrtg] Re: 14all and authorization

Pavel Ruzicka pavouk at k332.feld.cvut.cz
Wed Jan 24 10:33:38 MET 2007

> > I am using the MRTG tool for quite a while now. At the moment we are
> > building a new system and we will switche to rrdtool mode. In the old
> > situation I could rely on the authorization methods offered by the apache
> > web server (basically the reports are placed in different subdirectories,
> > with different realms).

I was in identical situation and I solved this problem ;-)

> > It seems that the 14all.cgi script doesnot provide this functionality, so
> > allowing group of users access to their reports only. Is there a known
> > solution for this problem?

The name of finess is "REFERER".

I have web directories protected by basic authentication.
There is index.html with links to 14all.cgi with parameters.
Example of HTML code:
<a href="http://mrtg.xx.cz/mrtg-cgi/14all.cgi?log=sw1.xx.cz_fastethernet0_18
&cfg=sw1.xx.cz.cfg">Customers interface</a>

Example of part Apache httpd.conf:
SetEnvIfNoCase Referer "^http://mrtg.xx.cz" local_ref
SetEnvIfNoCase Referer "^https://server2.xxxx.cz/mrtg/" local_ref

<Directory "/usr/local/apache/mrtg-cgi/">
        Order Deny,Allow
        Deny from all
        Allow from env=local_ref

Now if you call 14all.cgi from your server, then graph page is displayed.
But if you call 14all.cgi from another server or you write link in to browser manually,
you will get this message:
You don't have permission to access /mrtg-cgi/14all.cgi on this server.

This method is not 100% secure, because you can teoretically false referer in HTTP
session, but it is better than nothing and easy to implement without modification 

Pavel Ruzicka

Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive     http://www.ee.ethz.ch/~slist/mrtg
FAQ         http://faq.mrtg.org    Homepage     http://www.mrtg.org
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi

More information about the mrtg mailing list