From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: [PATCH] force transport encryption for WebUI logins
Date: Sat, 23 Sep 2017 20:06:25 +0200
Message-ID: <20170923200625.7d9fe442.peter.mueller@link38.eu>
In-Reply-To: <9b317dbc-f461-d993-428a-d9a5bdaf1210@ipfire.org>
Hello Matthias,
Thanks for reporting this. I am trying to reproduce here...
Best regards,
Peter Müller
> Hi Peter,
>
> Please review this patch... (http://patchwork.ipfire.org/patch/1413/)
>
> During testing I found that every machine in my GREEN net was suddenly
> able to login through https://[IPFIRE_GREEN_ADDRESS]:[444].
>
> No question for admin-username, no password authentication request,
> nothing.
>
> It seems as if the Authentication Header is missing(?).
>
> Only when I remove the "Require ssl" lines (I did this in both files), a
> browser restart leads to the usual login procedure.
>
> Best,
> Matthias
>
> On 08.09.2017 19:19, Peter Müller wrote:
> > Force SSL/TLS for any WebUI directory which requires an authentication.
> > This prevents credentials from being transmitted in plaintext, which is
> > an information leak.
> >
> > Scenario: A MITM attacker might block all encrypted traffic to the
> > firewall's web interface, making the administrator use an unencrypted
> > connection (i.e. via port 81). Username and password can easily be
> > logged in transit then.
> >
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > index 6f353962e..5ceaa1f32 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > @@ -24,6 +26,7 @@
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > Require user admin
> > + Require ssl
> > </DirectoryMatch>
> > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > <Directory /srv/web/ipfire/cgi-bin>
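Review bot: the `Require ssl` added here sits beside `Require user admin` with no enclosing container, and Apache 2.4 evaluates sibling Require directives as an implicit `<RequireAny>`, so a request is authorized as soon as either one passes. In this TLS-only vhost `Require ssl` passes for every request, which makes `Require user admin` irrelevant and lets any client in without credentials; that is exactly the unauthenticated access from GREEN that Matthias reports. Wrap the pair in `<RequireAll>` ... `</RequireAll>` so both conditions must hold, or leave `Require ssl` out of this file altogether, since a vhost that only speaks TLS already satisfies it on every request.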
> > @@ -33,6 +36,7 @@
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > Require user admin
> > + Require ssl
> > <Files chpasswd.cgi>
> > Require all granted
> > </Files>
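Review bot: same implicit `<RequireAny>` problem as in the `<DirectoryMatch>` block above: `Require user admin` or `Require ssl`, and the latter always holds on port 444, so /cgi-bin/ becomes reachable without a login. The nested `<Files chpasswd.cgi>` with `Require all granted` is unaffected either way, because a Require in the more specific section replaces the inherited one and that script is already exempt from both directives. Put the two Require lines inside `<RequireAll>`.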
> > @@ -50,6 +54,7 @@
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > Require user dial admin
> > + Require ssl
> > </Directory>
> > <Files ~ "\.(cgi|shtml?)$">
> > SSLOptions +StdEnvVars
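Review bot: `Require user dial admin` followed by `Require ssl` is again an implicit `<RequireAny>`, so on this vhost neither the dial nor the admin login is required any more. The same `<RequireAll>` wrapping is needed here; with `Require ssl` first and the user list second inside it, the dial/admin distinction of the original line is preserved.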
> > @@ -86,5 +91,6 @@
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > Require user admin
> > + Require ssl
> > </Directory>
> > </VirtualHost>
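Review bot: fourth copy of the same unguarded `Require ssl` in this file. Apart from the `<RequireAny>` issue, the scenario in the commit message is an attacker who blocks port 444 so that the administrator falls back to port 81, and nothing in ipfire-interface-ssl.conf can address that, because this vhost is only ever reached over TLS. The protection has to come from the port-81 vhost (a redirect to https, or a refusal issued before the Basic challenge) and, if wanted, a Strict-Transport-Security header sent from here, so that a browser which has seen the TLS site once will not follow a plain http:// link to it later.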
> > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> > index 619f90fcc..58d1b54cd 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > @@ -16,6 +16,7 @@
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > Require user admin
> > + Require ssl
> > </DirectoryMatch>
> > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > <Directory /srv/web/ipfire/cgi-bin>
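Review bot: on this plaintext vhost the implicit `<RequireAny>` has the opposite effect: `Require ssl` can never be satisfied over plain HTTP, so `Require user admin` alone decides and Basic authentication on port 81 keeps working exactly as before; the hunk does not achieve the stated goal of keeping credentials off port 81. Wrapping the two lines in `<RequireAll>` would not achieve it either: the 401 challenge is issued during authentication, before the authorization directives are evaluated, so the browser transmits the username and password in clear text and only then receives the refusal. Drop the authentication from this vhost and send the client to the TLS port instead, e.g. `Redirect permanent / https://<green-address>:444/` (mod_alias is already loaded for `ScriptAlias`), or use `SSLRequireSSL`, which rejects in the access-check phase before any challenge is sent.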
> > @@ -25,6 +26,7 @@
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > Require user admin
> > + Require ssl
> > <Files chpasswd.cgi>
> > Require all granted
> > </Files>
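Review bot: same as the block above: `Require ssl` fails on plain HTTP and is simply discarded by the implicit `<RequireAny>`, so /cgi-bin/ on port 81 still challenges for, and accepts, Basic credentials in clear text. Note also that `<Files chpasswd.cgi>` with `Require all granted` keeps that script reachable on the plaintext vhost regardless of what this hunk does; whether that is acceptable depends on what chpasswd.cgi accepts, which the patch does not touch.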
> > @@ -42,6 +44,7 @@
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > Require user dial admin
> > + Require ssl
> > </Directory>
> > Alias /updatecache/ /var/updatecache/
> > <Directory /var/updatecache>
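Review bot: same no-op on the plaintext side for the dial/admin block. Since all seven hunks make the identical two-line change while its effect differs between the two vhosts (authentication bypass on 444, no effect on 81), the resubmission should carry a short comment next to whichever construct replaces this, and should be checked against both vhosts before sending: an unauthenticated request to https://<green-address>:444/cgi-bin/ must answer 401, and a request to http://<green-address>:81/ must not answer 401 with a Basic challenge.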
> >
>
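The behaviour Matthias describes, and what the patch is after, written out side by side as an added example. This is not Peter's patch and not IPFire's shipped configuration: Apache 2.4 treats sibling `Require` directives as an implicit `<RequireAny>`, which is why `Require ssl` next to `Require user admin` opens the TLS vhost and changes nothing on the plaintext one. The ports (444 and 81), the paths and the `Require` lines are taken from the patch; the `AuthName` text, the `IPFIRE_GREEN_ADDRESS` placeholder, the HSTS header (which needs mod_headers) and the choice of a redirect on port 81 are assumptions made here, and the example assumes httpd 2.4, where the `ssl` authorization provider exists.

```apache
# Added example, not IPFire's config and not the patch under review.
# Ports, paths and Require lines come from the patch; AuthName, the
# IPFIRE_GREEN_ADDRESS placeholder and the HSTS header are assumptions.

# --- WEAK: what the patch produces (same block in both vhosts) -------------
# Two sibling Require directives with no enclosing container are evaluated
# as <RequireAny>: the request is authorized if EITHER one succeeds.
#   - TLS vhost (444): "Require ssl" always succeeds, so "Require user admin"
#     is never consulted and every client gets in without credentials.
#   - plain vhost (81): "Require ssl" always fails, so "Require user admin"
#     alone decides and Basic auth over plaintext keeps working.
<Directory /srv/web/ipfire/cgi-bin>
    AuthName "Restricted"
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    Require user admin
    Require ssl
</Directory>

# --- FIXED: TLS vhost (port 444) --------------------------------------------
<VirtualHost *:444>
    SSLEngine on
    # ... certificate and cipher settings as in ipfire-interface-ssl.conf ...

    # Assumed: mod_headers loaded. A browser that has seen this header once
    # refuses to follow an http:// link to the same host afterwards, which
    # defeats the "block 444, wait for the fallback to 81" scenario from the
    # commit message for returning administrators.
    Header always set Strict-Transport-Security "max-age=31536000"

    ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
    <Directory /srv/web/ipfire/cgi-bin>
        AuthName "Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        # Both must hold: the connection is TLS AND a valid admin login was
        # presented. "Require ssl" is redundant on a TLS-only vhost, but
        # inside <RequireAll> it is harmless and documents the intent.
        <RequireAll>
            Require ssl
            Require user admin
        </RequireAll>
        # Unchanged from the patch: this script stays open to everyone.
        <Files chpasswd.cgi>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>

# --- FIXED: plaintext vhost (port 81) ---------------------------------------
# Carry no authentication on the plaintext side at all: a 401 challenge here
# makes the browser send the password in clear text before any Require
# directive is evaluated, even inside <RequireAll>. Redirect to TLS instead
# (mod_alias is already loaded for ScriptAlias). IPFIRE_GREEN_ADDRESS is a
# placeholder to be replaced with the firewall's GREEN address or name.
<VirtualHost *:81>
    Redirect permanent / https://IPFIRE_GREEN_ADDRESS:444/
</VirtualHost>
```

To confirm the two behaviours on a running box, an unauthenticated `curl -sk https://IPFIRE_GREEN_ADDRESS:444/cgi-bin/index.cgi` should answer 401 with a `WWW-Authenticate: Basic` header, and `curl -s http://IPFIRE_GREEN_ADDRESS:81/` should answer a 301 to the https URL and never a 401.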
Thread overview: 11+ messages
2017-09-08 17:19 Peter Müller
2017-09-23 17:53 ` Matthias Fischer
2017-09-23 18:06 ` Peter Müller [this message]
2017-09-23 18:19 ` Peter Müller
2017-09-23 19:18 ` Tom Rymes
2017-09-23 19:26 ` Michael Tremer
2017-09-23 19:56 ` Peter Müller
2017-09-23 21:03 ` Michael Tremer
2017-09-24 7:11 ` Peter Müller
2017-09-23 19:35 ` Matthias Fischer
2017-09-23 20:08 ` Peter Müller