public inbox for development@lists.ipfire.org
From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 13:04:15 +0200
Message-ID: <20170924130415.65717685.peter.mueller@link38.eu>
In-Reply-To: <77e3e42a-1f64-3be9-6f09-061a7c44b725@ipfire.org>

Hello Matthias,

thanks for testing. Please see my comments below...

> Hi Peter,
> 
> I did the following:
> 
> Stopped Apache on my testmachine (192.168.100.251), patched files,
> started apache, accesses made with FF 55.0.3.
> 
> 1. Accessing "http://192.168.100.251:444":
> 
> "Bad Request
> 
> Your browser sent a request that this server could not understand.
> Reason: You're speaking plain HTTP to an SSL-enabled server port.
> Instead use the HTTPS scheme to access this URL, please.
> Apache Server at ipfiretest.localdomain Port 444"
That is normal and also appears without my patch.
> 
> 2. Accessing "https://192.168.100.251:444"
> 
> "Authentication Required...https://192.168.100.251:444 is requesting
> your username and password. The site says: “IPFire - Restricted”"
> => username / password  
This is normal, too.
> 
> 3. Browser-Restart, reopening page, same result as 2., "Authentication
> Required..."
OK.
> 
> 4. Accessing "http://192.168.100.251:81":
> 
> "Authentication Required...https://192.168.100.251:444 is requesting
> your username and password. The site says: “IPFire - Restricted”"
> => username / password  
Yep, here is the change: The browser is being redirected to the secure
version.
> 
> 5. Accessing "https://192.168.100.251:81":
> 
> "Secure Connection Failed
> 
> An error occurred during a connection to 192.168.100.251:81. SSL
> received a record that exceeded the maximum permissible length. Error
> code: SSL_ERROR_RX_RECORD_TOO_LONG"
This is because there is no SSL engine running on port 81. Apache
returns a "Bad Request" answer, which is surprisingly not understood
by the browser.
> 
> Anything else I could do?
Not directly.

It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
(perhaps in a school's network) could test this patch too, since these
CGIs are not accessible via plaintext anymore.

Both are not working here. "webaccess.cgi" redirects to SSL itself and
says "disabled by administrator", while "chpasswd.cgi" just returns
a 500 "Internal Server Error". Interesting.

But since that is a special use case, I assume the patch works fine.

Best regards and thanks again,
Peter Müller
> 
> Best,
> Matthias
> 
> On 24.09.2017 09:06, Peter Müller wrote:
> > Force the usage of SSL when accessing protected locations.
> > 
> > Queries to the plain text interface on port 81 will be answered
> > with a 301 ("Moved permanently") status.
> > 
> > All authentication directives on port 81 are disabled to prevent
> > data leakage.
> > 
> > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> > ---
> > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > index 6f353962e..bec0d580b 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > @@ -23,7 +23,10 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	<RequireAll>
> > +		Require user admin
> > +		Require ssl
> > +	</RequireAll>
> >      </DirectoryMatch>
> >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> >      <Directory /srv/web/ipfire/cgi-bin>
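Review bot: the added `<RequireAll>` block is indented with tabs while the surrounding lines of this section use eight spaces (`        AuthName "IPFire - Restricted"`); re-indent the new lines with spaces so the file stays consistent. Since this file is the SSL vhost (`ipfire-interface-ssl.conf`), `Require ssl` here is defence in depth rather than a functional change, and a one-line comment above the block saying so would spare the next reader the question.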
> > @@ -32,7 +35,10 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	<RequireAll>
> > +		Require user admin
> > +		Require ssl
> > +	</RequireAll>
> >          <Files chpasswd.cgi>
> >              Require all granted
> >          </Files>
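Review bot: the `<Files chpasswd.cgi>` block that follows the new `<RequireAll>` still carries `Require all granted`, and with Apache's default `AuthMerging Off` an inner section's `Require` replaces the outer one, so chpasswd.cgi stays reachable without Basic auth and without the `Require ssl` check. That is the pre-existing behaviour and acceptable inside the SSL vhost, but the commit message states that SSL is forced for protected locations; add a sentence there naming the scripts that are intentionally exempt.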
> > @@ -40,7 +46,10 @@
> >              Require all granted
> >          </Files>
> >          <Files dial.cgi>
> > -            Require user admin
> > +		<RequireAll>
> > +			Require user admin
> > +			Require ssl
> > +		</RequireAll>
> >          </Files>
> >      </Directory>
> >      <Directory /srv/web/ipfire/cgi-bin/dial>
> > @@ -49,7 +58,10 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user dial admin
> > +	<RequireAll>
> > +		Require user dial admin
> > +		Require ssl
> > +	</RequireAll>
> >      </Directory>
> >      <Files ~ "\.(cgi|shtml?)$">
> >  	SSLOptions +StdEnvVars
> > @@ -85,6 +97,9 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	<RequireAll>
> > +		Require user admin
> > +		Require ssl
> > +	</RequireAll>
> >      </Directory>
> >  </VirtualHost>
> > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> > index 619f90fcc..a0537b392 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > @@ -12,36 +12,25 @@
> >          Require all granted
> >      </Directory>
> >      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +		Options SymLinksIfOwnerMatch
> > +		RewriteEngine on
> > +		RewriteCond %{HTTPS} off
> > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </DirectoryMatch>
> >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> >      <Directory /srv/web/ipfire/cgi-bin>
> >          AllowOverride None
> > -        Options None
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > -         <Files chpasswd.cgi>
> > -            Require all granted
> > -        </Files>
> > -        <Files webaccess.cgi>
> > -            Require all granted
> > -        </Files>
> > -        <Files dial.cgi>
> > -            Require user admin
> > -        </Files>
> > +		Options SymLinksIfOwnerMatch
> > +		RewriteEngine on
> > +		RewriteCond %{HTTPS} off
> > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </Directory>
> >      <Directory /srv/web/ipfire/cgi-bin/dial>
> >          AllowOverride None
> > -        Options None
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user dial admin
> > +		Options SymLinksIfOwnerMatch
> > +		RewriteEngine on
> > +		RewriteCond %{HTTPS} off
> > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </Directory>
> >      Alias /updatecache/ /var/updatecache/
> >  	<Directory /var/updatecache>
> >   
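Review bot: in `<Directory>` context the RewriteRule pattern is matched against the path relative to that directory, so `$1` in `RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]` loses the `/cgi-bin/` prefix: a request for `http://host:81/cgi-bin/index.cgi` is sent to `https://host:444/index.cgi`, and inside `<Directory /srv/web/ipfire/cgi-bin/dial>` the `/cgi-bin/dial/` prefix is lost the same way. Redirect on the request URI instead, e.g. `RewriteRule ^ https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]`, and consider one `RewriteEngine on` / `RewriteRule` pair at VirtualHost level rather than the same three lines repeated in three sections. Two smaller points: `RewriteCond %{HTTPS} off` is always true in this plain-HTTP vhost and can go, and `Options None` becomes `Options SymLinksIfOwnerMatch` without a word in the commit message; mod_rewrite refuses to run in directory context unless `FollowSymLinks` or `SymLinksIfOwnerMatch` is enabled, which is worth stating there so nobody later reverts it as an unrelated change.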
> 

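The manual checks in the quoted test report (plain HTTP on port 81 answered with a 301 to port 444) can be scripted. This is an added example, not code from the thread or from IPFire: `check_redirect` reads raw response headers on stdin and verifies both the 301 status and that the Location keeps the requested path on `https://HOST:444`; the host 192.168.100.251 and the port numbers are taken from the thread, the header blocks below are constructed samples, and the `curl` invocation in the comment is the assumed way to feed it live responses.

```shell
#!/bin/sh
# Added example, not part of the original patch or thread.
# Live use (assumed invocation):
#   curl -sI http://192.168.100.251:81/cgi-bin/index.cgi | check_redirect /cgi-bin/index.cgi 192.168.100.251

# check_redirect PATH HOST
# Reads raw HTTP response headers on stdin. Returns 0 when the response is a
# 301 whose Location is exactly https://HOST:444PATH, 1 otherwise.
check_redirect() {
    path=$1
    host=$2
    headers=$(tr -d '\r')                       # strip CRLF line endings
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    [ "$status" = "301" ] || { echo "FAIL $path: status '$status', expected 301" >&2; return 1; }
    expected="https://$host:444$path"
    [ "$location" = "$expected" ] || { echo "FAIL $path: Location '$location', expected '$expected'" >&2; return 1; }
    echo "OK   $path -> $location"
    return 0
}

# Constructed sample: correct redirect, the /cgi-bin/ prefix is preserved.
GOOD_RESP='HTTP/1.1 301 Moved Permanently
Location: https://192.168.100.251:444/cgi-bin/index.cgi
Content-Type: text/html'

# Constructed sample: redirect that dropped the directory prefix.
BAD_RESP='HTTP/1.1 301 Moved Permanently
Location: https://192.168.100.251:444/index.cgi
Content-Type: text/html'

# Constructed sample: no redirect, plain HTTP still asks for credentials.
NONE_RESP='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="IPFire - Restricted"'

good_case() { printf '%s\n' "$GOOD_RESP" | check_redirect /cgi-bin/index.cgi 192.168.100.251; }
bad_case()  { printf '%s\n' "$BAD_RESP"  | check_redirect /cgi-bin/index.cgi 192.168.100.251; }
none_case() { printf '%s\n' "$NONE_RESP" | check_redirect /cgi-bin/index.cgi 192.168.100.251; }
```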