From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: [PATCH] force transport encryption for WebUI logins
Date: Sat, 23 Sep 2017 20:19:02 +0200
Message-ID: <20170923201902.2c20c178.peter.mueller@link38.eu>
In-Reply-To: <20170923200625.7d9fe442.peter.mueller@link38.eu>
Hello Matthias,
The scenario you described does not appear on my machine. :-(
However, the "Require ssl" directive does not seem to work with the
2.2.x branch; here, we still need the old "SSLRequireSSL". (On
the other hand, it was intended to be used with the new version.)
Which version are you running?
I think the best solution for now is to disregard this patch.
After the Core Update with version 2.4.27 has been released, I'll
give it another try.
@All: Anybody against or in favor?
Best regards,
Peter Müller
> Hello Matthias,
>
> thanks for reporting this. I am trying to reproduce here...
>
> Best regards,
> Peter Müller
>
> > Hi Peter,
> >
> > Please review this patch... (http://patchwork.ipfire.org/patch/1413/)
> >
> > During testing I found that every machine in my GREEN net was suddenly
> > able to login through https://[IPFIRE_GREEN_ADDRESS]:[444].
> >
> > No question for admin-username, no password authentication request,
> > nothing.
> >
> > It seems as if the Authentication Header is missing(?).
> >
> > Only when I remove the "Require ssl" lines (I did this in both files)
> > does a browser restart lead to the usual login procedure.
> >
> > Best,
> > Matthias
> >
> > On 08.09.2017 19:19, Peter Müller wrote:
> > > Force SSL/TLS for any WebUI directory which requires an authentication.
> > > This prevents credentials from being transmitted in plaintext, which is
> > > an information leak.
> > >
> > > Scenario: A MITM attacker might block all encrypted traffic to the
> > > firewall's web interface, making the administrator use an unencrypted
> > > connection (i.e. via port 81). Username and password can then easily
> > > be logged in transit.
> > >
> > > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > > ---
> > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > index 6f353962e..5ceaa1f32 100644
> > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > @@ -24,6 +26,7 @@
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > Require user admin
> > > + Require ssl
> > > </DirectoryMatch>
> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > > <Directory /srv/web/ipfire/cgi-bin>
> > > @@ -33,6 +36,7 @@
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > Require user admin
> > > + Require ssl
> > > <Files chpasswd.cgi>
> > > Require all granted
> > > </Files>
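Review bot: `Require user admin` and `Require ssl` in the same `<Directory /srv/web/ipfire/cgi-bin>` section form an implicit `<RequireAny>` in Apache 2.4, so on this HTTPS vhost `Require ssl` is satisfied by every connection and the cgi-bin scripts become reachable without any credentials; the two lines need an explicit `<RequireAll>` around them. The nested `<Files chpasswd.cgi>` with `Require all granted` replaces the directory-level `Require` lines for that one script entirely, so it is neither helped nor hurt by this change.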
> > > @@ -50,6 +54,7 @@
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > Require user dial admin
> > > + Require ssl
> > > </Directory>
> > > <Files ~ "\.(cgi|shtml?)$">
> > > SSLOptions +StdEnvVars
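Review bot: `Require user dial admin` followed by a bare `Require ssl` is an implicit `<RequireAny>`, so over TLS the ssl provider alone grants the request and neither dial nor admin is ever asked for a password. Put both lines inside `<RequireAll>`; with the TLS condition satisfied, the user check then becomes the deciding one again, as it was before the patch.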
> > > @@ -86,5 +91,6 @@
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > Require user admin
> > > + Require ssl
> > > </Directory>
> > > </VirtualHost>
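Review bot: in a vhost that only speaks TLS, `Require ssl` can never fail, so as a sibling of `Require user admin` under the implicit `<RequireAny>` it is equivalent to `Require all granted` for this directory. It only adds value inside `<RequireAll>`, where it acts as a guard should the section ever be included from a plaintext vhost; all four additions to this file should use that form, or this file should be left as it was.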
> > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> > > index 619f90fcc..58d1b54cd 100644
> > > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > > @@ -16,6 +16,7 @@
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > Require user admin
> > > + Require ssl
> > > </DirectoryMatch>
> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > > <Directory /srv/web/ipfire/cgi-bin>
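Review bot: in this plaintext vhost the implicit `<RequireAny>` cuts the other way: `Require ssl` can never be satisfied, so `Require user admin` alone still authorizes and Basic-auth logins over port 81 keep working, which defeats the stated purpose of the patch. Inside `<RequireAll>` the section refuses plaintext requests; alternatively `SSLRequireSSL`, which the thread notes is what 2.2.x still needs, rejects a non-TLS request at the access-check stage before any authentication is attempted, and a redirect of this vhost to the TLS one would cover the whole file rather than one section at a time.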
> > > @@ -25,6 +26,7 @@
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > Require user admin
> > > + Require ssl
> > > <Files chpasswd.cgi>
> > > Require all granted
> > > </Files>
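Review bot: two things here. First, `Require user admin` alone still grants under the implicit `<RequireAny>`, so on this plaintext vhost the new `Require ssl` line changes nothing for plaintext logins unless both lines are wrapped in `<RequireAll>`. Second, `<Files chpasswd.cgi>` with `Require all granted` overrides the directory-level `Require` lines for the password-change script, so after this patch chpasswd.cgi is still served in the clear on this vhost, and a password-change request is exactly what the patch wants to keep off plaintext; the Files block needs its own `Require ssl` (or `SSLRequireSSL`) as well.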
> > > @@ -42,6 +44,7 @@
> > > AuthType Basic
> > > AuthUserFile /var/ipfire/auth/users
> > > Require user dial admin
> > > + Require ssl
> > > </Directory>
> > > Alias /updatecache/ /var/updatecache/
> > > <Directory /var/updatecache>
> > >
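Review bot: `Require user dial admin` followed by a bare `Require ssl` is an implicit `<RequireAny>`, so on this plaintext vhost the unsatisfiable ssl condition is simply ignored and dial or admin credentials are still accepted in the clear; use `<RequireAll>`. More generally, patching each authenticated section by hand leaves any section this patch does not touch unguarded; a vhost-level `SSLRequireSSL` or a redirect of the whole port-81 vhost to the TLS vhost would express the intent once.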
> >
>
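For reference, the `<Directory /srv/web/ipfire/cgi-bin>` block as the patch leaves it next to a corrected form, written here as an added example and not taken from the patch or the IPFire tree (the `AuthName` line is assumed, since the hunks do not show it). Apache 2.4 treats several bare `Require` lines in one section as an implicit `<RequireAny>` and evaluates them once without a user before authentication, so over HTTPS `Require ssl` is satisfied on its own and the Basic-auth challenge is skipped; `<RequireAll>` restores the intended AND.

```apache
# Patched variant (implicit <RequireAny>): on the TLS vhost "Require ssl"
# alone satisfies the section, so mod_authz_core authorizes the request
# without ever asking for the admin credentials.
<Directory /srv/web/ipfire/cgi-bin>
    AuthName "IPFire - Restricted"      # AuthName value assumed
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    Require user admin
    Require ssl
</Directory>

# Corrected variant: both conditions must hold. Over TLS the userless
# pass cannot grant on "Require user", the 401 challenge is sent, and only
# an authenticated admin over TLS gets through. On the plaintext vhost the
# same block denies instead of accepting a plaintext login.
<Directory /srv/web/ipfire/cgi-bin>
    AuthName "IPFire - Restricted"      # AuthName value assumed
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    <RequireAll>
        Require ssl
        Require user admin
    </RequireAll>
</Directory>

# Plaintext vhost only: SSLRequireSSL (the directive the thread says
# 2.2.x still needs) is an access check, so a non-TLS request is refused
# before authentication is attempted and no credentials are solicited.
<Directory /srv/web/ipfire/cgi-bin>
    SSLRequireSSL
</Directory>
```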