Type: Incident report
Resolution: Unresolved
Priority: Trivial
Affects version: 7.0.16
Steps to reproduce:
- Run the Zabbix web interface behind a reverse proxy such as Apache or NGINX, so that the reverse proxy forwards requests to an internal IP address
- Configure Users => Authentication => MFA settings => Duo Universal Prompt as described in https://www.zabbix.com/documentation/7.0/en/manual/web_interface/frontend_sections/users/authentication/mfa
- Try to log in with a user
Result:
The Duo API returns an error because the redirect URI contains the internal address:
{"error": "invalid_grant", "error_description": "Invalid redirect URI 'http://192.168.1.10/index_mfa.php?request='."}
Expected:
The Duo MFA screen
Reason:
index_mfa.php builds the redirect URL from the request environment (the HTTPS constant and $_SERVER['HTTP_HOST']):
// Original index_mfa.php: scheme and host are taken from the request the frontend itself received
$full_duo_redirect_url = implode('', [HTTPS ? 'https://' : 'http://', $_SERVER['HTTP_HOST'], $duo_redirect_uri]);
and
$confirm_data = [
    'sessionid' => CSessionHelper::get('confirmid'),
    // Same construction: behind a reverse proxy HTTP_HOST is the internal address the proxy connects to
    'redirect_uri' => implode('', [HTTPS ? 'https://' : 'http://', $_SERVER['HTTP_HOST'], $duo_redirect_uri])
];
Behind a reverse proxy, HTTP_HOST is the internal address the proxy uses to reach the frontend, so that internal URL is sent to Duo. The code only works when the web interface is reachable directly from the Internet under the same host name and scheme the browser uses.
The redirect URL (including the scheme) should be made configurable in zabbix.conf.php for this scenario.
Workaround:
Edit index_mfa.php and change the two lines so that the scheme and the public host name are hard-coded:
// Workaround: force https and the externally reachable host name instead of $_SERVER['HTTP_HOST']
$full_duo_redirect_url = implode('', ['https://', 'zabbix.yourdomain.example', $duo_redirect_uri]);
$confirm_data = [
    'sessionid' => CSessionHelper::get('confirmid'),
    'redirect_uri' => implode('', ['https://', 'zabbix.yourdomain.example', $duo_redirect_uri])
];
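As an added illustration of the configurable approach proposed above (not Zabbix code), this helper builds the Duo redirect URL from an explicitly configured public base URL, validates it, and only falls back to the request environment when nothing is configured; the configuration key $ZBX_MFA_PUBLIC_URL and the function name are hypothetical. Using a fixed, validated value instead of the Host header also keeps the redirect target out of the client's hands.

```php
<?php
// Added example, not part of index_mfa.php. $ZBX_MFA_PUBLIC_URL stands in for a
// hypothetical zabbix.conf.php setting holding the externally reachable frontend URL.

function build_duo_redirect_url(?string $public_base_url, array $server, string $duo_redirect_uri): string
{
    if ($public_base_url !== null && $public_base_url !== '') {
        $parts = parse_url($public_base_url);
        // Accept only an absolute http(s) URL with a host; anything else is a misconfiguration,
        // so fail loudly instead of silently sending Duo a bad redirect target.
        if ($parts === false || !isset($parts['scheme'], $parts['host'])
                || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            throw new InvalidArgumentException('ZBX_MFA_PUBLIC_URL must be an absolute http(s) URL');
        }
        $base = rtrim($public_base_url, '/');
    } else {
        // Fallback mirrors the current behaviour: scheme and host from the request the
        // frontend itself received. Correct only when the frontend is reached directly.
        $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https://' : 'http://';
        $base = $scheme . $server['HTTP_HOST'];
    }

    return $base . '/' . ltrim($duo_redirect_uri, '/');
}

// Constructed sample input: what the frontend sees behind a reverse proxy
// (the proxy connects to the internal address over plain HTTP).
$server = ['HTTP_HOST' => '192.168.1.10', 'HTTPS' => ''];
$duo_redirect_uri = '/index_mfa.php';

// No configuration: the internal URL from the report is produced.
echo build_duo_redirect_url(null, $server, $duo_redirect_uri), "\n";

// Configured public URL: the proxy's internal address no longer leaks into the redirect.
$ZBX_MFA_PUBLIC_URL = 'https://zabbix.yourdomain.example';
echo build_duo_redirect_url($ZBX_MFA_PUBLIC_URL, $server, $duo_redirect_uri), "\n";
```

Unlike the file edit in the workaround, a value read from zabbix.conf.php survives a frontend package upgrade, which replaces index_mfa.php. The redirect URI registered with Duo must match this value exactly, scheme and host included.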