On Sun, 2017-09-24 at 22:15 +0200, Peter Müller wrote:
> Hello Michael,
> 
> > Hi,
> > 
> > good testing guys.
> 
> Thanks.
> 
> > I think the patch looks fine, but I think while we are at it, we should also
> > clean up the vhost configuration files. They are messy. Really really messy.
> 
> Yes, indeed.
> 
> > There are sections for the dial user which never existed in IPFire. There are also
> > directory directives for the dial user. These can all be removed I think.
> > 
> > I have no idea what is using that access to the graphs directories. I think that
> > can also be removed.
> > 
> > Then we have multiple CGI files that redirect to SSL themselves. I think we can
> > let Apache do that, if that isn't even caught automatically by redirecting
> > everything that isn't the update cache or proxy.pac to SSL.
> > 
> > Anyone want to work on this?
> 
> I can have a look at the vhost config files within this week. The CGIs are perhaps
> too difficult for me, since I am not familiar with Perl at the moment.
> 
> Does this make the patch sent in obsolete/should I work on top of it?

Please work on top of it. I will merge this shortly.

Best,
-Michael

> 
> Best regards,
> Peter Müller
> 
> > 
> > -Michael
> > 
> > On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
> > > Hello Matthias,
> > > 
> > > thanks for testing. Please see my comments below...
> > > 
> > > > Hi Peter,
> > > > 
> > > > I did the following:
> > > > 
> > > > Stopped Apache on my testmachine (192.168.100.251), patched files,
> > > > started apache, accesses made with FF 55.0.3.
> > > > 
> > > > 1. Accessing "http://192.168.100.251:444":
> > > > 
> > > > "Bad Request
> > > > 
> > > > Your browser sent a request that this server could not understand.
> > > > Reason: You're speaking plain HTTP to an SSL-enabled server port.
> > > > Instead use the HTTPS scheme to access this URL, please.
> > > > Apache Server at ipfiretest.localdomain Port 444"
> > > 
> > > That is normal and also appears without my patch.
> > > > 
> > > > 2. Accessing "https://192.168.100.251:444"
> > > > 
> > > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > > your username and password. The site says: “IPFire - Restricted”"
> > > > => username / password
> > > 
> > > This is normal, too.
> > > 
> > > > 3. Browser-Restart, reopening page, same result as 2., "Authentication
> > > > Required..."
> > > 
> > > OK.
> > > 
> > > > 4. Accessing "http://192.168.100.251:81":
> > > > 
> > > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > > your username and password. The site says: “IPFire - Restricted”"
> > > > => username / password
> > > 
> > > Yep, here is the change: The browser is being redirected to the secure
> > > version.
> > > 
> > > > 5. Accessing "https://192.168.100.251:81":
> > > > 
> > > > "Secure Connection Failed
> > > > 
> > > > An error occurred during a connection to 192.168.100.251:81. SSL
> > > > received a record that exceeded the maximum permissible length. Error
> > > > code: SSL_ERROR_RX_RECORD_TOO_LONG"
> > > 
> > > This is because there is no SSL engine running on port 81. Apache
> > > returns a "Bad Request" answer, which is surprisingly not understood
> > > by the browser.
> > > 
> > > > Anything else I could do?
> > > 
> > > Not directly.
> > > 
> > > It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> > > (perhaps in a school's network) could test this patch too, since these
> > > CGIs are not accessible via plaintext anymore.
> > > 
> > > Both are not working here. "webaccess.cgi" redirects to SSL itself and
> > > says "disabled by administrator", while "chpasswd.cgi" just returns
> > > a 500 "Internal Server Error". Interesting.
> > > 
> > > But since that is a special use case, I assume the patch works fine.
> > > > > > Best regards and thanks again, > > > Peter Müller > > > > > > > > Best, > > > > Matthias > > > > > > > > On 24.09.2017 09:06, Peter Müller wrote: > > > > > Force the usage of SSL when accessing protected locations. > > > > > > > > > > Queries to the plain text interface on port 81 will be answered > > > > > with a 301 ("Moved permanently") status. > > > > > > > > > > All authentication directives on port 81 are disabled to prevent > > > > > data leakage. > > > > > > > > > > Signed-off-by: Peter Müller > > > > > --- > > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > index 6f353962e..bec0d580b 100644 > > > > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > @@ -23,7 +23,10 @@ > > > > > AuthName "IPFire - Restricted" > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > + > > > > > + Require user admin > > > > > + Require ssl > > > > > + > > > > > > > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > > > > > > > @@ -32,7 +35,10 @@ > > > > > AuthName "IPFire - Restricted" > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > + > > > > > + Require user admin > > > > > + Require ssl > > > > > + > > > > > > > > > > Require all granted > > > > > > > > > > @@ -40,7 +46,10 @@ > > > > > Require all granted > > > > > > > > > > > > > > > - Require user admin > > > > > + > > > > > + Require user admin > > > > > + Require ssl > > > > > + > > > > > > > > > > > > > > > > > > > > @@ -49,7 +58,10 @@ > > > > > AuthName "IPFire - Restricted" > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > - Require user dial admin > > > > > + > > > > > + Require user dial admin > > > > > + Require ssl > > > > > + > > > > > > > > > > > > > > > SSLOptions +StdEnvVars 
> > > > > @@ -85,6 +97,9 @@ > > > > > AuthName "IPFire - Restricted" > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > + > > > > > + Require user admin > > > > > + Require ssl > > > > > + > > > > > > > > > > > > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > > > > b/config/httpd/vhosts.d/ipfire-interface.conf > > > > > index 619f90fcc..a0537b392 100644 > > > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf 
> > > > > @@ -12,36 +12,25 @@ > > > > > Require all granted > > > > > > > > > > > > > > > - AuthName "IPFire - Restricted" > > > > > - AuthType Basic > > > > > - AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > + Options SymLinksIfOwnerMatch > > > > > + RewriteEngine on > > > > > + RewriteCond %{HTTPS} off > > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > > > > > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > > > > > > > AllowOverride None > > > > > - Options None > > > > > - AuthName "IPFire - Restricted" > > > > > - AuthType Basic > > > > > - AuthUserFile /var/ipfire/auth/users > > > > > - Require user admin > > > > > - > > > > > - Require all granted > > > > > - > > > > > - > > > > > - Require all granted > > > > > - > > > > > - > > > > > - Require user admin > > > > > - > > > > > + Options SymLinksIfOwnerMatch > > > > > + RewriteEngine on > > > > > + RewriteCond %{HTTPS} off > > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > > > > > > > > > > > > > AllowOverride None > > > > > - Options None > > > > > - AuthName "IPFire - Restricted" > > > > > - AuthType Basic > > > > > - AuthUserFile /var/ipfire/auth/users > > > > > - Require user dial admin > > > > > + Options SymLinksIfOwnerMatch > > > > > + RewriteEngine on > > > > > + RewriteCond %{HTTPS} off > > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > > > > > > > > Alias /updatecache/ /var/updatecache/ > > > > > > > > > > > > > > > > > >
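Review bot: In the five ipfire-interface-ssl.conf hunks, the two `+` lines that frame `Require user admin` / `Require ssl` arrive empty in this rendering; they have to be `<RequireAll>` and `</RequireAll>` (angle brackets are easily eaten by mail clients), because sibling `Require` directives in Apache 2.4 are combined as an implicit `<RequireAny>`, under which `Require ssl` alone would be satisfied by any TLS client and the password check would be bypassed. Worth confirming with `apachectl -t` and an unauthenticated `curl -k https://host:444/cgi-bin/index.cgi` that still returns 401 before this is merged; the fourth hunk also keeps `Require user dial admin`, which the follow-up discussion already wants removed.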
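Review bot: The `RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]` is repeated in three per-directory blocks of ipfire-interface.conf, and in per-directory context `$1` is the path relative to that directory, so a request for /cgi-bin/index.cgi on port 81 would be redirected to https://host:444/index.cgi with the /cgi-bin/ prefix dropped; `%{REQUEST_URI}` keeps the full path in either context. A single rule at VirtualHost level would be simpler: it runs in the URI-translation phase before authorization, needs no `Options SymLinksIfOwnerMatch`, and lets these blocks keep a `Require all denied` fallback, whereas the hunk leaves them with no `Require` at all, so if mod_rewrite is missing or the rule does not fire the interface is served unauthenticated on port 81. On this plaintext-only vhost `RewriteCond %{HTTPS} off` is always true and can go.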
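An offline-testable checker for the policy the commit message states (301 from port 81 to the same path on port 444, no credential challenge on port 81, a Basic-auth challenge on 444), added here as an example; it is not code from the patch or from the thread. Host, ports and paths follow the thread; probe() and its hypothetical default path are my own additions.

```python
"""Checks for the port-81 -> port-444 policy described in the patch.

Added example, not part of the IPFire patch or this thread. Host/ports follow
the thread (192.168.100.251, 81 plain, 444 TLS); probe() takes any host.
"""
import http.client
import ssl
from urllib.parse import urlsplit

PLAIN_PORT, TLS_PORT = 81, 444


def check_plain(status, headers, host, path):
    """Port 81 must answer 301 to the same path on https://host:444 and must
    not send a Basic-auth challenge (credentials would cross in the clear).
    Returns a list of findings; an empty list means the policy holds."""
    findings = []
    h = {k.lower(): v for k, v in headers}
    if status != 301:
        findings.append(f"expected 301 on port {PLAIN_PORT}, got {status}")
    loc = urlsplit(h.get("location", ""))
    if loc.scheme != "https" or loc.hostname != host or loc.port != TLS_PORT:
        findings.append(f"redirect target is not https://{host}:{TLS_PORT}: "
                        f"{h.get('location')!r}")
    elif loc.path != path:
        # a per-directory RewriteRule using $1 drops the directory prefix
        findings.append(f"redirect lost the path: {loc.path!r} != {path!r}")
    if "www-authenticate" in h:
        findings.append("plaintext vhost still challenges for credentials")
    return findings


def check_tls(status, headers):
    """Port 444 must demand Basic auth for the protected locations."""
    h = {k.lower(): v for k, v in headers}
    if status != 401 or not h.get("www-authenticate", "").lower().startswith("basic"):
        return [f"TLS vhost did not challenge with Basic auth (status {status})"]
    return []


def probe(host, path="/cgi-bin/index.cgi"):
    """Live check of one path against a firewall; returns all findings."""
    c = http.client.HTTPConnection(host, PLAIN_PORT, timeout=5)
    c.request("GET", path)
    r = c.getresponse()
    findings = check_plain(r.status, r.getheaders(), host, path)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # appliance cert is usually self-signed;
    ctx.verify_mode = ssl.CERT_NONE  # pin it with load_verify_locations() instead
    s = http.client.HTTPSConnection(host, TLS_PORT, context=ctx, timeout=5)
    s.request("GET", path)
    r = s.getresponse()
    return findings + check_tls(r.status, r.getheaders())
```

Run `probe("192.168.100.251")` against a patched box; an empty list reproduces steps 2 and 4 of the test report above.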