From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 19:49:38 +0100
Message-ID: <1506278978.18494.77.camel@ipfire.org>
In-Reply-To: <4773DDA3-E77B-432D-B29F-30CC95F34583@ipfire.org>

Hi,

On Sun, 2017-09-24 at 18:55 +0200, ummeegge wrote:
> Hi all,
> first of all thanks for this great update and your work on this. Have
> installed Core 114 from testing tree and I wanted to deliver you also some
> feedback.
>
> - After the update the WUI was not reachable and shows an 503, do not panic ;-)
> this has happened cause of some of my vhost configurations where the old
> directives 'Order', 'Allow', 'Deny', 'Satisfy' has been set. Apache's error_log
> did not display some problems cause after the update but also after an reboot
> Apache has not been started again. By the usage of the initscript the problem
> occurs with an

Yes, this is a problem that we need to point out in the change log.

Since we are updating to Apache 2.4, we had to update all configuration files.
We also did that for all add-ons that we support. But we cannot update anything
else.

So what the updater does is the following:

1) Remove all add-on configuration files (that we support) in the vhosts
   directory.
2) Stop apache
3) Install the update
4) Restart apache but without any add-ons
5) After the core update is finished, all add-on configuration files will be
   reinstalled.

If the user has installed some other vhosts, apache won't restart at 4) and they
are on their own.

>
> -> /etc/init.d/apache restart
> Restarting Apache daemon...
> AH00526: Syntax error on line 17 of /etc/httpd/conf/vhosts.d/nfsen.conf:
> Invalid command 'Order', perhaps misspelled or defined by a module not
> included in the server configu[ FAIL ]
>
> Since 'mod_access_compat' is not provided (which is a good thing), the access
> control does not accept the old directives. The fix was not that complicated,
> instead of using e.g.
>
> Order deny,allow
> Deny from all
>
> now
>
> Require all denied
>
> needs to be used. I am currently not sure if IPFire provides vhost
> configurations which might have problems with this, the Cacti vhost
> configuration seems to work even the login appears only in HTTP also there are
> a lot of PHP warnings but I think this is out of the scope in here.
>
>
> > It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> > (perhaps in a school's network) could test this patch too, since these
> > CGIs are not accessible via plaintext anymore.
> >
> > Both are not working here. "webaccess.cgi" redirects to SSL itself and
>
> Have tested webaccess.cgi and it works here fine but I think my version
> differs to the default one. I use this version -->
> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=8fd29195bc9a7dabfab6ef4e3251cb449b7628de
> have pushed it longer time ago but I think it may be forgotten?
>
> > says "disabled by administrator", while "chpasswd.cgi" just returns
> > a 500 "Internal Server Error". Interesting.
>
> chpasswd.cgi appears here but if I change the PWD and add 'admin' as current
> user I get an "Fehler: Benutzername existiert nicht" have currently not found
> log messages which points out anything of this problem.
>
> Some even small feedback from here.
>
> Greetings,
>
> Erik
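
A pre-update check for the failure discussed in this thread, as an added example that is not part of the original message or of IPFire's updater: it lists Apache 2.2 access-control directives ('Order', 'Allow', 'Deny', 'Satisfy') still present in a vhosts directory, which Apache 2.4 without mod_access_compat rejects with AH00526. The function names and the two sample vhost files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of IPFire's updater. Function names and sample
# files are constructed for illustration.

# List Apache 2.2 access-control directives left in DIR/*.conf as
# "file:line:directive". Apache 2.4 without mod_access_compat rejects them
# with AH00526, so any hit means the daemon will not start after the update.
# Returns 1 if at least one directive was found, 0 otherwise.
scan_legacy_access() {
    set -- "$1"/*.conf
    [ -e "$1" ] || return 0    # glob did not match: no vhost files
    awk '
        BEGIN { found = 0 }
        {
            # Directive names are case-insensitive. Comparing the whole
            # first word keeps AllowOverride and commented lines out.
            d = tolower($1)
            if (d == "order" || d == "allow" || d == "deny" || d == "satisfy") {
                printf "%s:%d:%s\n", FILENAME, FNR, $1
                found = 1
            }
        }
        END { exit found }
    ' "$@"
}

# Constructed sample: one 2.2-style vhost and one already converted to 2.4.
make_sample_vhosts() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/legacy.conf" <<'EOF'
<Directory /srv/web/example>
    AllowOverride None
    # Order allow,deny
    Order deny,allow
    Deny from all
</Directory>
EOF
    cat > "$dir/converted.conf" <<'EOF'
<Directory /srv/web/example>
    AllowOverride None
    Require all denied
</Directory>
EOF
    echo "$dir"
}

sample=$(make_sample_vhosts)
scan_legacy_access "$sample" || echo "legacy directives found: fix before restarting Apache"
rm -rf "$sample"
```

On the system from the thread, the directory to scan would be /etc/httpd/conf/vhosts.d, checked before the update restarts Apache.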