From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] force transport encryption for WebUI logins
Date: Sat, 23 Sep 2017 20:06:25 +0200
Message-ID: <20170923200625.7d9fe442.peter.mueller@link38.eu>
In-Reply-To: <9b317dbc-f461-d993-428a-d9a5bdaf1210@ipfire.org>

Hello Matthias,

thanks for reporting this. I am trying to reproduce here...

Best regards,
Peter Müller

> Hi Peter,
>
> Please review this patch... (http://patchwork.ipfire.org/patch/1413/)
>
> During testing I found that every machine in my GREEN net was suddenly
> able to login through https://[IPFIRE_GREEN_ADDRESS]:[444].
>
> No question for admin-username, no password authentication request,
> nothing.
>
> It seems as if the Authentication Header is missing(?).
>
> Only when I remove the "Require ssl" lines (I did this in both files), a
> browser restart leads to the usual login procedure.
>
> Best,
> Matthias
>
> On 08.09.2017 19:19, Peter Müller wrote:
> > Force SSL/TLS for any WebUI directory which requires an authentication.
> > This prevents credentials from being transmitted in plaintext, which is
> > an information leak.
> >
> > Scenario: A MITM attacker might block all encrypted traffic to the
> > firewall's web interface, making the administrator use an unencrypted
> > connection (i.e. via port 81). Username and password can be easily
> > logged in transit then.
> >
> > Signed-off-by: Peter Müller
> > ---
> > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > index 6f353962e..5ceaa1f32 100644 > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > @@ -24,6 +26,7 @@ > > AuthType Basic > > AuthUserFile /var/ipfire/auth/users > > Require user admin > > + Require ssl > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > @@ -33,6 +36,7 @@ > > AuthType Basic > > AuthUserFile /var/ipfire/auth/users > > Require user admin > > + Require ssl > > > > Require all granted > > > > @@ -50,6 +54,7 @@ > > AuthType Basic > > AuthUserFile /var/ipfire/auth/users > > Require user dial admin > > + Require ssl > > > > > > SSLOptions +StdEnvVars > > @@ -86,5 +91,6 @@ > > AuthType Basic > > AuthUserFile /var/ipfire/auth/users > > Require user admin > > + Require ssl > > > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf > > index 619f90fcc..58d1b54cd 100644 > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf > > @@ -16,6 +16,7 @@ > > AuthType Basic > > AuthUserFile /var/ipfire/auth/users > > Require user admin > > + Require ssl > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > @@ -25,6 +26,7 @@ > > AuthType Basic > > AuthUserFile /var/ipfire/auth/users > > Require user admin > > + Require ssl > > > > Require all granted > > > > @@ -42,6 +44,7 @@ > > AuthType Basic > > AuthUserFile /var/ipfire/auth/users > > Require user dial admin > > + Require ssl > > > > Alias /updatecache/ /var/updatecache/ > > > >
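Review bot: the four `+ Require ssl` lines in ipfire-interface-ssl.conf are placed beside an existing `Require user admin` / `Require user dial admin` with no `<RequireAll>` around them, and Apache 2.4 combines bare `Require` lines in a container with OR semantics (an implicit `<RequireAny>`); on the TLS vhost `Require ssl` is therefore always satisfied and the user check is never consulted, which is exactly the unauthenticated access on port 444 that Matthias describes above. Wrap the pair as `<RequireAll>` / `Require user admin` / `Require ssl` / `</RequireAll>` (same for the `dial admin` block), or leave the single `Require user` line alone and add `SSLRequireSSL` to the block, which rejects non-TLS requests without touching the authorization logic. Separately, the first hunk header `@@ -24,6 +26,7 @@` implies two lines added before line 24 that no hunk in this patch shows (the later headers carry the same +2 offset), so the diff looks generated against a tree with other local edits; please regenerate it against a clean checkout.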
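Review bot: on the plaintext vhost in ipfire-interface.conf the three `+ Require ssl` lines do not reach the goal stated in the commit message (keeping the credentials off port 81): with the implicit OR between `Require user admin` and `Require ssl`, a plaintext request fails `Require ssl`, is then challenged for Basic auth and granted by `Require user admin`, so username and password still travel unencrypted. If the intent is that port 81 never accepts a login, say so directly on that vhost with `SSLRequireSSL` (403 on non-TLS requests) or a `Redirect permanent / https://[IPFIRE_ADDRESS]:444/` so the administrator lands on the encrypted interface; `Require ssl` only does useful work inside a `<RequireAll>` together with the user check.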
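As an added example, not code from the patch or from IPFire: a small lint for the misconfiguration this thread runs into, an Apache 2.4 container with two or more bare `Require` lines outside an explicit `<RequireAll>`/`<RequireAny>`/`<RequireNone>` group, which Apache ORs together. It generalizes beyond `Require ssl` to any pair of providers; the sample config is constructed to mirror the shape of the patched blocks and is not IPFire's real vhost file.

```python
import re

# Constructed sample (not IPFire's real vhost files): the first block has the
# shape the patch produces, the second is the same block wrapped in <RequireAll>.
SAMPLE_CONF = """\
<Directory /srv/web/ipfire/cgi-bin>
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    Require user admin
    Require ssl
</Directory>
<Directory /srv/web/ipfire/html>
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    <RequireAll>
        Require user admin
        Require ssl
    </RequireAll>
</Directory>
<Location /public>
    Require all granted
</Location>
"""

CONTAINERS = r"Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch"
BLOCK_OPEN = re.compile(rf"^\s*<({CONTAINERS})\b\s*(.*?)>\s*$", re.I)
BLOCK_CLOSE = re.compile(rf"^\s*</({CONTAINERS})>\s*$", re.I)
GROUP_OPEN = re.compile(r"^\s*<Require(All|Any|None)>", re.I)
GROUP_CLOSE = re.compile(r"^\s*</Require(All|Any|None)>", re.I)
REQUIRE = re.compile(r"^\s*Require\s+(\S+)", re.I)


def find_implicit_any(conf: str):
    """Return [(container, providers)] for every container holding two or more
    bare `Require` lines outside any <RequireAll>/<RequireAny>/<RequireNone>.
    Apache 2.4 ORs such lines (implicit <RequireAny>), so `Require user admin`
    next to `Require ssl` grants any TLS client without a login."""
    findings, block, bare, depth = [], None, [], 0
    for line in conf.splitlines():
        if (m := BLOCK_OPEN.match(line)):
            block, bare, depth = f"<{m.group(1)} {m.group(2)}>", [], 0
        elif GROUP_OPEN.match(line):
            depth += 1
        elif GROUP_CLOSE.match(line):
            depth -= 1
        elif BLOCK_CLOSE.match(line):
            if block and len(bare) > 1:
                findings.append((block, bare))
            block = None
        elif block and depth == 0 and (m := REQUIRE.match(line)):
            bare.append(m.group(1))
    return findings


if __name__ == "__main__":
    for container, providers in find_implicit_any(SAMPLE_CONF):
        print(f"{container}: bare Require lines {providers} are OR-ed together")
```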