Hi,

On Tue, 2017-10-17 at 19:49 +0200, Peter Müller wrote:
> Do not allow credentials being submitted in plaintext to Apache.
> Instead, redirect the user with a 301 to the TLS version of IPFire's
> web interface.
> 
> Not sure if this has been merged (and is working) yet... :-)

Why do you doubt that this is working?

-Michael

> 
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
>  config/httpd/vhosts.d/ipfire-interface.conf | 24 ++++++++----------------
>  1 file changed, 8 insertions(+), 16 deletions(-)
> 
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> b/config/httpd/vhosts.d/ipfire-interface.conf
> index 27fd25a95..be15cd041 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -12,25 +12,17 @@
>          Require all granted
>      </Directory>
>      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +        Options SymLinksIfOwnerMatch
> +        RewriteEngine on
> +        RewriteCond %{HTTPS} off
> +        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>      </DirectoryMatch>
>      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
>      <Directory /srv/web/ipfire/cgi-bin>
> -        AllowOverride None
> -        Options None
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> -         <Files chpasswd.cgi>
> -            Require all granted
> -        </Files>
> -        <Files webaccess.cgi>
> -            Require all granted
> -        </Files>
> +        Options SymLinksIfOwnerMatch
> +        RewriteEngine on
> +        RewriteCond %{HTTPS} off
> +        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>      </Directory>
>      Alias /updatecache/ /var/updatecache/
>  	<Directory /var/updatecache>