WebAdmin is empty in ejabberd 24.06
Problem
I was using ejabberd's WebAdmin perfectly with ejabberd 24.02. Now I've updated to ejabberd 24.06 and
- I can login correctly to the new WebAdmin: it shows the logo, navigation menu, welcome page...
- But there is no content: all the pages are empty, nothing to administer!
This is how the WebAdmin looks right now:
And the ejabberd.log file shows:
[info] Access to WebAdmin page vhosts/ for account [email protected] was denied
What's the problem? How to solve it?
Explanation of WebAdmin in 24.06
Until ejabberd 24.02, when you login to webadmin successfully, you immediately had access to all the pages and content.
In ejabberd 24.06, the WebAdmin uses the commands API to generate the page content. Let's view the process in detail:
1. Accessing URL
ejabberd.yml contains something like this:
```yaml
hosts:
  - example.org

listen:
  -
    port: 5280
    module: ejabberd_http
    request_handlers:
      /admin: ejabberd_web_admin
```
And you can open a web browser with any of those URLs:
- A) http://127.0.0.1:5280/admin/
- B) http://localhost:5280/admin/
- C) http://10.20.30.40:5280/admin/
- D) http://example.org:5280/admin/
Let's assume that example.org directs to the IP address 10.20.30.40.
2. The browser immediately requests the login credentials. If you configure like this:
```yaml
acl:
  admin:
    user: [email protected]

access_rules:
  configure:
    allow: admin
```
Then you can login with
- A) http://127.0.0.1:5280/admin/ login with [email protected]
- B) http://localhost:5280/admin/ login with [email protected]
- C) http://10.20.30.40:5280/admin/ login with [email protected]
- D) http://example.org:5280/admin/ login with timor[email protected]
3. The WebAdmin site shows the logo, navigation menu and welcome page.
The WebAdmin also shows page content depending on the permissions that the user has to execute API commands.
For example, this configuration gives access ONLY from 127.0.0.1 and ::1 to user [email protected]:
```yaml
acl:
  admin:
    user: [email protected]
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

access_rules:
  configure:
    allow: admin
  trusted_network:
    allow: loopback

api_permissions:
  "admin access":
    who:
      access:
        allow:
          - acl: loopback
          - acl: admin
    what:
      - "*"
```
- A) http://127.0.0.1:5280/admin/ --> :x: fails due to a bug in ejabberd 24.06 !!
- B) http://localhost:5280/admin/ --> :x: fails due to a bug in ejabberd 24.06 !!
- C) http://10.20.30.40:5280/admin/ --> :x: fails due to a bug in ejabberd 24.06 !!
- D) http://example.org:5280/admin/ from the same machine --> :white_check_mark:
- E) http://example.org:5280/admin/ from a different machine --> :x: fails due to api_permissions configuration !!
Solution to bug in 3.A/B/C
There is a bug in ejabberd 24.06 that appears when you visit a WebAdmin URL but login with an account in another vhost. A fix is already available in git (https://github.com/processone/ejabberd/commit/54f5db851defb5f69e75830081c6aad4a991a20e).
You can update ejabberd from git and recompile, or wait for a newer ejabberd release, or:
If you want to login with account [email protected], then please open the URL http://example.org:5280/admin/ , not localhost or 127.0.0.1 or anything else. That is, make sure the host in the URL matches the host in your login account.
Solution to configuration problem in 3.E
The default api_permissions only allows executing commands from localhost to admin accounts.
Let's add a new permission in api_permissions to allow executing commands from ejabberd_web_admin to admin accounts from any machine:
```yaml
api_permissions:
  "webadmin":
    from:
      - ejabberd_web_admin
    who:
      access:
        allow:
          - acl: admin
    what:
      - "*"
```
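The permission check from step 3 and the 3.E fix, as a simplified Python model added here for illustration (it is not ejabberd's code and not part of the original post). The account `admin@example.org`, the remote address `10.20.30.50`, the default command name and the assumption that a same-machine request arrives from 127.0.0.1 are constructed for the example.

```python
import ipaddress

# Constructed sample data: the account name is a placeholder, not from the page.
ACLS = {
    "admin": {"user": ["admin@example.org"]},
    "loopback": {"ip": ["127.0.0.0/8", "::1/128"]},
}

# The two api_permissions entries discussed above, reduced to plain dicts.
ADMIN_ACCESS = {"who": ["loopback", "admin"], "what": ["*"]}
WEBADMIN = {"from": ["ejabberd_web_admin"], "who": ["admin"], "what": ["*"]}


def acl_matches(name, jid, src_ip):
    """True if the caller matches the named ACL by account or by source network."""
    acl = ACLS[name]
    if jid in acl.get("user", []):
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in acl.get("ip", []))


def permission_allows(perm, module, jid, src_ip, command):
    """Model: 'from' restricts the calling module, every ACL listed under one
    'allow' must match, and 'what' lists the permitted commands."""
    if "from" in perm and module not in perm["from"]:
        return False
    if not all(acl_matches(a, jid, src_ip) for a in perm["who"]):
        return False
    return "*" in perm["what"] or command in perm["what"]


def webadmin_can_run(permissions, jid, src_ip, command="registered_vhosts"):
    """A page has content only if some entry lets the logged-in account
    execute the API command behind it (command name here is a sample)."""
    return any(permission_allows(p, "ejabberd_web_admin", jid, src_ip, command)
               for p in permissions)


if __name__ == "__main__":
    cases = [("D: same machine", "127.0.0.1"), ("E: other machine", "10.20.30.50")]
    for label, ip in cases:
        before = webadmin_can_run([ADMIN_ACCESS], "admin@example.org", ip)
        after = webadmin_can_run([ADMIN_ACCESS, WEBADMIN], "admin@example.org", ip)
        print(f"{label}: default={before}, with 'webadmin' entry={after}")
```

With the extra entry, the source address no longer gates WebAdmin for admin accounts, so exposure of port 5280 and the strength of the admin password become the remaining controls.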
@badlop: This problem is totally solved?
Yes, it was solved in ejabberd 24.07. This issue can be closed, and probably can be unpinned in the github issues list
@badlop: Thanks for your answer, can you add the milestone 24.07? :)
Also keep in mind that the administrator login is only small case, for example kjhjgjhghj, and not HGKjghgfrf. Previously this was allowed in version 24.10 and higher, no
I'm facing this problem on 24.12.0 again. Seems like some regression. Please fix it. Thank you
@kri164 you've applied the config fixes in the first post?
I didn't notice the changes of api_permissions in the ejabberd.yml.example. Thank you for the hint @licaon-kter.