From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH v2] force transport encryption for WebUI logins Date: Sun, 24 Sep 2017 09:06:25 +0200 Message-ID: <20170924090625.48d4eea2.peter.mueller@link38.eu> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3667168974338898697==" List-Id: --===============3667168974338898697== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Force the usage of SSL when accessing protected locations. Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status. All authentication directives on port 81 are disabled to prevent data leakage. Signed-off-by: Peter M=C3=BCller --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/v= hosts.d/ipfire-interface-ssl.conf index 6f353962e..bec0d580b 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + + Require user admin + Require ssl + ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ @@ -32,7 +35,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + + Require user admin + Require ssl + Require all granted @@ -40,7 +46,10 @@ Require all granted - Require user admin + + Require user admin + Require ssl + @@ -49,7 +58,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user dial admin + + Require user dial admin + Require ssl + SSLOptions +StdEnvVars @@ -85,6 +97,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + + Require user admin + Require ssl + diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhost= s.d/ipfire-interface.conf index 619f90fcc..a0537b392 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,25 @@ Require all granted - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - - Require all granted - - - Require all granted - - - Require user admin - + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] Alias /updatecache/ /var/updatecache/ --===============3667168974338898697==--