public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 19:49:38 +0100
Message-ID: <1506278978.18494.77.camel@ipfire.org>
In-Reply-To: <4773DDA3-E77B-432D-B29F-30CC95F34583@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 3189 bytes --]

Hi,

On Sun, 2017-09-24 at 18:55 +0200, ummeegge wrote:
> Hi all,
> first of all thanks for this great update and your work on this. Have
> installed Core 114 from testing tree and I wanted to deliver you also some
> feedback.
> 
> - After the update the WUI was not reachable and shows a 503, do not panic ;-)
> this has happened because of some of my vhost configurations where the old
> directives 'Order', 'Allow', 'Deny', 'Satisfy' have been set. Apache's error_log
> did not display some problems cause after the update but also after a reboot
> Apache has not been started again. By the usage of the initscript the problem
> occurs with an

Yes, this is a problem that we need to point out in the change log.

Since we are updating to Apache 2.4, we had to update all configuration files.
We also did that for all add-ons that we support. But we cannot update anything
else.

So what the updater does is the following:

1) Remove all add-on configuration files (that we support) in the vhosts
directory.

2) Stop Apache

3) Install the update

4) Restart Apache but without any add-ons

5) After the core update is finished, all add-on configuration files will be
reinstalled.

If the user has installed some other vhosts, Apache won't restart at 4) and they
are on their own.

> 
> -> /etc/init.d/apache restart
> Restarting Apache daemon...
> AH00526: Syntax error on line 17 of /etc/httpd/conf/vhosts.d/nfsen.conf:
> Invalid command 'Order', perhaps misspelled or defined by a module not
> included in the server configu[ FAIL ]
> 
> Since 'mod_access_compat' is not provided (which is a good thing), the access
> control does not accept the old directives. The fix was not that complicated,
> instead of using e.g.
> 
> Order deny,allow
> Deny from all
> 
> now
> 
> Require all denied
> 
> needs to be used. I am currently not sure if IPFire provides vhost
> configurations which might have problems with this, the Cacti vhost
> configuration seems to work even the login appears only in HTTP also there are
> a lot of PHP warnings but I think this is out of the scope in here.
> 
> 
> > It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> > (perhaps in a school's network) could test this patch too, since these
> > CGIs are not accessible via plaintext anymore.
> > 
> > Both are not working here. "webaccess.cgi" redirects to SSL itself and
> 
> Have tested webaccess.cgi and it works here fine but I think my version
> differs to the default one. I use this version-->
> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=8fd29195bc9a7dabfab6ef4e3251cb449b7628de
> have pushed it longer time ago but I think it may be forgotten?
> 
> > says "disabled by administrator", while "chpasswd.cgi" just returns
> > a 500 "Internal Server Error". Interesting.
> 
> chpasswd.cgi appears here but if I change the PWD and add 'admin' as current
> user I get a "Fehler: Benutzername existiert nicht" have currently not found
> log messages which point out anything of this problem.
> 
> Some even small feedback from here.
> 
> Greetings,
> 
> Erik
> 
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
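
The failure discussed in this message (a leftover vhost that still uses 'Order' or 'Deny' keeps Apache 2.4 from restarting) can be caught before the update runs. The following is an added example, not part of the original message and not IPFire's updater code; the function name and the sample vhost files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IPFire code): pre-flight check for Apache 2.2 access-control
# directives that Apache 2.4 rejects when mod_access_compat is not loaded.

# scan_legacy_acl DIR
# Prints "file:line: directive" for every Order/Allow/Deny/Satisfy directive in
# DIR/*.conf. Returns 1 if any were found, 0 if the directory is clean.
scan_legacy_acl() {
    found=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Directive names are case-insensitive; commented-out lines are skipped.
        # Matching on the whole first word keeps AllowOverride from being flagged.
        hits=$(awk '
            /^[ \t]*#/ { next }
            {
                d = tolower($1)
                if (d == "order" || d == "allow" || d == "deny" || d == "satisfy") {
                    sub(/^[ \t]+/, "")
                    printf "%s:%d: %s\n", FILENAME, NR, $0
                }
            }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample vhost files (hypothetical names and paths).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/legacy.conf" <<'EOF'
<Directory /srv/web/example>
    AllowOverride None
    # Order allow,deny
    Order deny,allow
    Deny from all
</Directory>
EOF
cat > "$demo_dir/migrated.conf" <<'EOF'
<Directory /srv/web/example>
    AllowOverride None
    Require all denied
</Directory>
EOF

scan_legacy_acl "$demo_dir" || echo "legacy directives found: fix before restarting Apache"
```

Pointed at a real vhosts directory, a non-zero return means at least one file still needs its access rules rewritten in the 'Require' form quoted above; 'httpd -t' then confirms that the edited configuration parses.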