From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 19:56:08 +0100
Message-ID: <1506279368.18494.81.camel@ipfire.org>
In-Reply-To: <20170924130415.65717685.peter.mueller@link38.eu>

Hi,

good testing guys.

I think the patch looks fine, but I think while we are at it, we should also
clean up the vhost configuration files. They are messy. Really really messy.

There are sections for the dial user which never existed in IPFire. There are
also directory directives for the dial user. These can all be removed I think.

I have no idea what is using that access to the graphs directories. I think
that can also be removed.

Then we have multiple CGI files that redirect to SSL themselves. I think we can
let Apache do that, if that isn't even caught automatically by redirecting
everything that isn't the update cache or proxy.pac to SSL.

Anyone want to work on this?

-Michael

On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
> Hello Matthias,
>
> thanks for testing. Please see my comments below...
>
> > Hi Peter,
> >
> > I did the following:
> >
> > Stopped Apache on my test machine (192.168.100.251), patched files,
> > started Apache, accesses made with FF 55.0.3.
> >
> > 1. Accessing "http://192.168.100.251:444":
> >
> > "Bad Request
> >
> > Your browser sent a request that this server could not understand.
> > Reason: You're speaking plain HTTP to an SSL-enabled server port.
> > Instead use the HTTPS scheme to access this URL, please.
> > Apache Server at ipfiretest.localdomain Port 444"
>
> That is normal and also appears without my patch.
> >
> > 2. Accessing "https://192.168.100.251:444"
> >
> > "Authentication Required...https://192.168.100.251:444 is requesting
> > your username and password. The site says: “IPFire - Restricted”"
> > => username / password
>
> This is normal, too.
> >
> > 3. Browser restart, reopening page, same result as 2., "Authentication
> > Required..."
>
> OK.
> >
> > 4. Accessing "http://192.168.100.251:81":
> >
> > "Authentication Required...https://192.168.100.251:444 is requesting
> > your username and password. The site says: “IPFire - Restricted”"
> > => username / password
>
> Yep, here is the change: The browser is being redirected to the secure
> version.
> >
> > 5. Accessing "https://192.168.100.251:81":
> >
> > "Secure Connection Failed
> >
> > An error occurred during a connection to 192.168.100.251:81. SSL
> > received a record that exceeded the maximum permissible length. Error
> > code: SSL_ERROR_RX_RECORD_TOO_LONG"
>
> This is because there is no SSL engine running on port 81. Apache
> returns a "Bad Request" answer, which is surprisingly not understood
> by the browser.
> >
> > Anything else I could do?
>
> Not directly.
>
> It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> (perhaps in a school's network) could test this patch too, since these
> CGIs are not accessible via plaintext anymore.
>
> Both are not working here. "webaccess.cgi" redirects to SSL itself and
> says "disabled by administrator", while "chpasswd.cgi" just returns
> a 500 "Internal Server Error". Interesting.
>
> But since that is a special use case, I assume the patch works fine.
>
> Best regards and thanks again,
> Peter Müller
> >
> > Best,
> > Matthias
> >
> > On 24.09.2017 09:06, Peter Müller wrote:
> > > Force the usage of SSL when accessing protected locations.
> > >
> > > Queries to the plain text interface on port 81 will be answered
> > > with a 301 ("Moved permanently") status.
> > >
> > > All authentication directives on port 81 are disabled to prevent
> > > data leakage.
> > >
> > > Signed-off-by: Peter Müller
> > > ---
> > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > index 6f353962e..bec0d580b 100644
> > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > @@ -23,7 +23,10 @@
> > > AuthName "IPFire - Restricted"
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > - Require user admin
> > > +
> > > + Require user admin
> > > + Require ssl
> > > +
> > >
> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > >
> > > @@ -32,7 +35,10 @@
> > > AuthName "IPFire - Restricted"
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > - Require user admin
> > > +
> > > + Require user admin
> > > + Require ssl
> > > +
> > >
> > > Require all granted
> > >
> > > @@ -40,7 +46,10 @@
> > > Require all granted
> > >
> > >
> > > - Require user admin
> > > +
> > > + Require user admin
> > > + Require ssl
> > > +
> > >
> > >
> > > @@ -49,7 +58,10 @@
> > > AuthName "IPFire - Restricted"
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > - Require user dial admin
> > > +
> > > + Require user dial admin
> > > + Require ssl
> > > +
> > >
> > >
> > > SSLOptions +StdEnvVars
> > > @@ -85,6 +97,9 @@
> > > AuthName "IPFire - Restricted"
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > - Require user admin
> > > +
> > > + Require user admin
> > > + Require ssl
> > > +
> > >
> > >
> > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> > > b/config/httpd/vhosts.d/ipfire-interface.conf
> > > index 619f90fcc..a0537b392 100644
> > > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > > @@ -12,36 +12,25 @@
> > > Require all granted
> > >
> > >
> > > - AuthName "IPFire - Restricted"
> > > - AuthType Basic
> > > - AuthUserFile /var/ipfire/auth/users
> > > - Require user admin
> > > + Options SymLinksIfOwnerMatch
> > > + RewriteEngine on
> > > + RewriteCond %{HTTPS} off
> > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > >
> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > >
> > > AllowOverride None
> > > - Options None
> > > - AuthName "IPFire - Restricted"
> > > - AuthType Basic
> > > - AuthUserFile /var/ipfire/auth/users
> > > - Require user admin
> > > -
> > > - Require all granted
> > > -
> > > -
> > > - Require all granted
> > > -
> > > -
> > > - Require user admin
> > > -
> > > + Options SymLinksIfOwnerMatch
> > > + RewriteEngine on
> > > + RewriteCond %{HTTPS} off
> > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > >
> > >
> > > AllowOverride None
> > > - Options None
> > > - AuthName "IPFire - Restricted"
> > > - AuthType Basic
> > > - AuthUserFile /var/ipfire/auth/users
> > > - Require user dial admin
> > > + Options SymLinksIfOwnerMatch
> > > + RewriteEngine on
> > > + RewriteCond %{HTTPS} off
> > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > >
> > > Alias /updatecache/ /var/updatecache/
> > >
> > >
>
>
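Review bot: the added `Require ssl` lines in the ipfire-interface-ssl.conf hunks (at -23, -32, -40, -49 and -85) only tighten access if they and `Require user admin` sit inside a `<RequireAll>` container; the empty `+` line before `Require user admin` and the empty `+` line after `Require ssl` in each hunk look like such a container whose tags the mail rendering has stripped, so please confirm that is what the file contains. Without it, Apache 2.4 combines sibling `Require` directives as `RequireAny`, and `Require ssl` on its own would then admit every TLS client without a password, which is the opposite of what the commit message intends. Inside a vhost that only listens with SSL the directive is redundant but harmless once the `<RequireAll>` wrapping is confirmed.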
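Review bot: in the ipfire-interface.conf hunk (-12,36 +12,25) the three `RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]` lines are in per-directory context (the neighbouring `AllowOverride None` and the added `Options SymLinksIfOwnerMatch`, which per-directory mod_rewrite needs, show that), and there mod_rewrite matches the pattern against the path relative to the directory rather than the full URL, so `$1` drops the URL prefix: a request for `/cgi-bin/index.cgi` would be sent to `https://%{SERVER_NAME}:444/index.cgi`. Matthias's step 4 only exercised the root URL, so this would not have shown up in his test; redirecting to `https://%{SERVER_NAME}:444%{REQUEST_URI}` instead of `/$1` keeps the original path. The `RewriteCond %{HTTPS} off` is always true in this plain-HTTP vhost, so it can be dropped without changing behaviour.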