From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 22:15:22 +0200
Message-ID: <20170924221522.761c0436.peter.mueller@link38.eu>
In-Reply-To: <1506279368.18494.81.camel@ipfire.org>
Hello Michael,
> Hi,
>
> good testing guys.
Thanks.
>
> I think the patch looks fine, but I think while we are at it, we should also
> clean up the vhost configuration files. They are messy. Really really messy.
Yes, indeed.
>
> There are sections for the dial user, which never existed in IPFire. There are also
> directory directives for the dial user. These can all be removed I think.
>
> I have no idea what is using that access to the graphs directories. I think that
> can also be removed.
>
> Then we have multiple CGI files that redirect to SSL themselves. I think we can
> let Apache do that, if that isn't even caught automatically by redirecting
> everything that isn't the update cache or proxy.pac to SSL.
>
> Anyone wants to work on this?
I can have a look at the vhost config files within this week. The CGIs are perhaps
too difficult for me, since I am not familiar with Perl at the moment.
Does this make the patch I sent in obsolete, or should I work on top of it?
Best regards,
Peter Müller
>
> -Michael
>
> On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
> > Hello Matthias,
> >
> > thanks for testing. Please see my comments below...
> >
> > > Hi Peter,
> > >
> > > I did the following:
> > >
> > > Stopped Apache on my testmachine (192.168.100.251), patched files,
> > > started apache, accesses made with FF 55.0.3.
> > >
> > > 1. Accessing "http://192.168.100.251:444":
> > >
> > > "Bad Request
> > >
> > > Your browser sent a request that this server could not understand.
> > > Reason: You're speaking plain HTTP to an SSL-enabled server port.
> > > Instead use the HTTPS scheme to access this URL, please.
> > > Apache Server at ipfiretest.localdomain Port 444"
> >
> > That is normal and also appears without my patch.
> > >
> > > 2. Accessing "https://192.168.100.251:444"
> > >
> > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > your username and password. The site says: “IPFire - Restricted”"
> > > => username / password
> >
> > This is normal, too.
> > >
> > > 3. Browser-Restart, reopening page, same result as 2., "Authentication
> > > Required..."
> >
> > OK.
> > >
> > > 4. Accessing "http://192.168.100.251:81":
> > >
> > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > your username and password. The site says: “IPFire - Restricted”"
> > > => username / password
> >
> > Yep, here is the change: The browser is being redirected to the secure
> > version.
> > >
> > > 5. Accessing "https://192.168.100.251:81":
> > >
> > > "Secure Connection Failed
> > >
> > > An error occurred during a connection to 192.168.100.251:81. SSL
> > > received a record that exceeded the maximum permissible length. Error
> > > code: SSL_ERROR_RX_RECORD_TOO_LONG"
> >
> > This is because there is no SSL engine running on port 81. Apache
> > returns a "Bad Request" answer, which is surprisingly not understood
> > by the browser.
> > >
> > > Anything else I could do?
> >
> > Not directly.
> >
> > It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> > (perhaps in a school's network) could test this patch too, since these
> > CGIs are not accessible via plaintext anymore.
> >
> > Both are not working here. "webaccess.cgi" redirects to SSL itself and
> > says "disabled by administrator", while "chpasswd.cgi" just returns
> > a 500 "Internal Server Error". Interesting.
> >
> > But since that is a special use case, I assume the patch works fine.
> >
> > Best regards and thanks again,
> > Peter Müller
> > >
> > > Best,
> > > Matthias
> > >
> > > On 24.09.2017 09:06, Peter Müller wrote:
> > > > Force the usage of SSL when accessing protected locations.
> > > >
> > > > Queries to the plain text interface on port 81 will be answered
> > > > with a 301 ("Moved permanently") status.
> > > >
> > > > All authentication directives on port 81 are disabled to prevent
> > > > data leakage.
> > > >
> > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > > ---
> > > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > index 6f353962e..bec0d580b 100644
> > > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > @@ -23,7 +23,10 @@
> > > > AuthName "IPFire - Restricted"
> > > > AuthType Basic
> > > > AuthUserFile /var/ipfire/auth/users
> > > > - Require user admin
> > > > + <RequireAll>
> > > > + Require user admin
> > > > + Require ssl
> > > > + </RequireAll>
> > > > </DirectoryMatch>
> > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > > > <Directory /srv/web/ipfire/cgi-bin>
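Review bot: `Require ssl` is the mod_ssl authorization provider, and inside the port 444 vhost, which the test above showed rejects plain HTTP outright, it can never evaluate to false, so the `<RequireAll>` around `Require user admin` adds no protection by itself; it is defensible as a guard against this section being copied to another port, but the commit message should say that the real hardening is the port 81 redirect. While touching the `graphs|sgraph` `DirectoryMatch`, check whether the block is still needed at all, as Michael asked further up in the thread.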
> > > > @@ -32,7 +35,10 @@
> > > > AuthName "IPFire - Restricted"
> > > > AuthType Basic
> > > > AuthUserFile /var/ipfire/auth/users
> > > > - Require user admin
> > > > + <RequireAll>
> > > > + Require user admin
> > > > + Require ssl
> > > > + </RequireAll>
> > > > <Files chpasswd.cgi>
> > > > Require all granted
> > > > </Files>
> > > > @@ -40,7 +46,10 @@
> > > > Require all granted
> > > > </Files>
> > > > <Files dial.cgi>
> > > > - Require user admin
> > > > + <RequireAll>
> > > > + Require user admin
> > > > + Require ssl
> > > > + </RequireAll>
> > > > </Files>
> > > > </Directory>
> > > > <Directory /srv/web/ipfire/cgi-bin/dial>
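Review bot: the new `<Files dial.cgi>` block repeats the directory-level `<RequireAll>` verbatim (`Require user admin` plus `Require ssl`), so it is pure duplication and can be dropped together with the other dial leftovers instead of being patched. Note also that `chpasswd.cgi` and `webaccess.cgi` keep an unconditional `Require all granted`, i.e. they stay anonymous on port 444; that is pre-existing, but if the rule is "no protected CGI without TLS", give them the same guard for consistency (`<RequireAll>` with `Require ssl` and `Require all granted`) or state in the commit message why they are exempt.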
> > > > @@ -49,7 +58,10 @@
> > > > AuthName "IPFire - Restricted"
> > > > AuthType Basic
> > > > AuthUserFile /var/ipfire/auth/users
> > > > - Require user dial admin
> > > > + <RequireAll>
> > > > + Require user dial admin
> > > > + Require ssl
> > > > + </RequireAll>
> > > > </Directory>
> > > > <Files ~ "\.(cgi|shtml?)$">
> > > > SSLOptions +StdEnvVars
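Review bot: `Require user dial admin` in `<Directory /srv/web/ipfire/cgi-bin/dial>` still references the `dial` user that, per the discussion above, never existed in IPFire, so wrapping it in `<RequireAll>` with `Require ssl` preserves dead configuration. Either remove this `<Directory>` block entirely as part of the cleanup Michael proposed, or at least reduce it to `Require user admin`.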
> > > > @@ -85,6 +97,9 @@
> > > > AuthName "IPFire - Restricted"
> > > > AuthType Basic
> > > > AuthUserFile /var/ipfire/auth/users
> > > > - Require user admin
> > > > + <RequireAll>
> > > > + Require user admin
> > > > + Require ssl
> > > > + </RequireAll>
> > > > </Directory>
> > > > </VirtualHost>
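Review bot: this is the fourth identical four-line `<RequireAll>` block in the same file. If the TLS guard is kept, mod_ssl's one-line `SSLRequireSSL` expresses the same constraint in each section without the extra nesting and is not affected by `Require` merging between sections; alternatively, since this is the port 444 vhost that already refuses plain HTTP, drop the guard here, rely on the port 81 redirect, and leave the sections as a plain `Require user admin`.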
> > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> > > > b/config/httpd/vhosts.d/ipfire-interface.conf
> > > > index 619f90fcc..a0537b392 100644
> > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > > > @@ -12,36 +12,25 @@
> > > > Require all granted
> > > > </Directory>
> > > > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> > > > - AuthName "IPFire - Restricted"
> > > > - AuthType Basic
> > > > - AuthUserFile /var/ipfire/auth/users
> > > > - Require user admin
> > > > + Options SymLinksIfOwnerMatch
> > > > + RewriteEngine on
> > > > + RewriteCond %{HTTPS} off
> > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > > > </DirectoryMatch>
> > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > > > <Directory /srv/web/ipfire/cgi-bin>
> > > > AllowOverride None
> > > > - Options None
> > > > - AuthName "IPFire - Restricted"
> > > > - AuthType Basic
> > > > - AuthUserFile /var/ipfire/auth/users
> > > > - Require user admin
> > > > - <Files chpasswd.cgi>
> > > > - Require all granted
> > > > - </Files>
> > > > - <Files webaccess.cgi>
> > > > - Require all granted
> > > > - </Files>
> > > > - <Files dial.cgi>
> > > > - Require user admin
> > > > - </Files>
> > > > + Options SymLinksIfOwnerMatch
> > > > + RewriteEngine on
> > > > + RewriteCond %{HTTPS} off
> > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > > > </Directory>
> > > > <Directory /srv/web/ipfire/cgi-bin/dial>
> > > > AllowOverride None
> > > > - Options None
> > > > - AuthName "IPFire - Restricted"
> > > > - AuthType Basic
> > > > - AuthUserFile /var/ipfire/auth/users
> > > > - Require user dial admin
> > > > + Options SymLinksIfOwnerMatch
> > > > + RewriteEngine on
> > > > + RewriteCond %{HTTPS} off
> > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > > > </Directory>
> > > > Alias /updatecache/ /var/updatecache/
> > > > <Directory /var/updatecache>
> > > >
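Review bot: `RewriteRule (.*) https://%{SERVER_NAME}:444/$1` runs in per-directory context (`<Directory>` and `<DirectoryMatch>`), where mod_rewrite matches the pattern against the filesystem path with the section's directory prefix stripped, so for a request to `/cgi-bin/index.cgi` the `$1` is `index.cgi` and the client is redirected to `https://host:444/index.cgi` without `/cgi-bin/`; the same happens under `/graphs/`. Use the request URI instead: `RewriteRule ^ https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]`. Two smaller points: `RewriteCond %{HTTPS} off` is always true on the port 81 vhost (no SSL engine there, as noted above) and can go; and `%{SERVER_NAME}` follows `UseCanonicalName`, so with it set to `On` an admin who browsed to the IP address would be sent to the configured name (`ipfiretest.localdomain` in the test), which may not resolve for them, so make sure `UseCanonicalName Off` is in effect. Finally, the same three-line rewrite is now copied into three sections; one vhost-level `RewriteEngine on` with a single rule excluded by `RewriteCond %{REQUEST_URI} !^/updatecache/` and `RewriteCond %{REQUEST_URI} !^/proxy\.pac$` would redirect everything else, which is what Michael suggested, and would not need the `Options SymLinksIfOwnerMatch` that per-directory rules require.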
> >
> >
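A compact version of both vhosts, as an added example that is not IPFire's shipped configuration and not code from anyone in this thread: it folds the three per-directory redirects into one vhost-level rule (Michael's proposal), preserves the full request path, keeps the self-service CGIs TLS-only, and records why HSTS must not be added on a setup with a plain port 81. The port numbers, `/updatecache/`, `proxy.pac`, the auth file and the cgi-bin and graphs paths are taken from the thread; the `ServerName`, `Listen` lines, certificate paths and the loaded modules (mod_rewrite, mod_ssl, mod_authz_core, mod_authn_file) are assumptions.

```apache
# Added example, not IPFire's shipped vhost files.
# Assumptions: mod_rewrite, mod_ssl, mod_authz_core and mod_authn_file are
# loaded; ServerName, Listen lines and certificate paths are placeholders.

# With UseCanonicalName Off, %{SERVER_NAME} follows the Host header minus
# its port, so an admin who typed the IP address is redirected to the IP.
UseCanonicalName Off

Listen 81
<VirtualHost *:81>
    ServerName ipfire.localdomain
    DocumentRoot /srv/web/ipfire/html

    # The only things that must remain reachable without TLS.
    Alias /updatecache/ /var/updatecache/
    <Directory /var/updatecache>
        Require all granted
    </Directory>
    <Files proxy.pac>
        Require all granted
    </Files>

    # Deliberately no Auth* directives on this port: a 401 challenge over
    # plain HTTP is exactly the credential leak the patch wants to close.

    # Everything else gets a 301 to port 444 carrying the full request path.
    # Vhost context: no Options FollowSymLinks/SymLinksIfOwnerMatch needed,
    # and %{REQUEST_URI} keeps /cgi-bin/ or /graphs/, which a
    # per-directory "$1" would have stripped.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/updatecache/
    RewriteCond %{REQUEST_URI} !^/proxy\.pac$
    RewriteRule ^ https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]
</VirtualHost>

Listen 444
<VirtualHost *:444>
    ServerName ipfire.localdomain
    DocumentRoot /srv/web/ipfire/html
    SSLEngine on
    SSLCertificateFile    /etc/httpd/server.crt
    SSLCertificateKeyFile /etc/httpd/server.key

    # Do NOT add Strict-Transport-Security here: HSTS is per host, not per
    # port, so a browser would afterwards turn http://host:81/ into
    # https://host:81/ (non-default ports are preserved) and fail with
    # SSL_ERROR_RX_RECORD_TOO_LONG, as in test 5 above, breaking the update
    # cache and proxy.pac for every browser that has seen the header.

    ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
    <Directory /srv/web/ipfire/cgi-bin>
        AllowOverride None
        Options None
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        # "Require ssl" cannot fail in a TLS-only vhost; it is kept purely so
        # the section stays safe if it is ever copied to another port.
        <RequireAll>
            Require ssl
            Require user admin
        </RequireAll>

        # Self-service pages stay anonymous, but only over TLS.
        <Files chpasswd.cgi>
            <RequireAll>
                Require ssl
                Require all granted
            </RequireAll>
        </Files>
        <Files webaccess.cgi>
            <RequireAll>
                Require ssl
                Require all granted
            </RequireAll>
        </Files>
    </Directory>

    <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require ssl
            Require user admin
        </RequireAll>
    </DirectoryMatch>
</VirtualHost>
```

After `apachectl configtest`, a `curl -sI http://<host>:81/cgi-bin/<any>.cgi` should return `301` with a `Location:` that still contains `/cgi-bin/`, while `curl -sI http://<host>:81/proxy.pac` and anything under `/updatecache/` are served directly; on port 444 the protected paths answer `401` with the `IPFire - Restricted` realm and the two self-service CGIs answer without a challenge.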
Thread overview: 15+ messages
2017-09-24 7:06 Peter Müller
2017-09-24 9:28 ` Matthias Fischer
2017-09-24 11:04 ` Peter Müller
2017-09-24 16:55 ` ummeegge
2017-09-24 18:49 ` Michael Tremer
2017-09-24 18:56 ` Michael Tremer
2017-09-24 20:15 ` Peter Müller [this message]
2017-09-24 21:23 ` Michael Tremer
2017-09-24 21:23 ` Matthias Fischer
2017-09-24 21:25 ` Michael Tremer
2017-09-24 21:33 ` Matthias Fischer
2017-09-24 21:33 ` squid graphs, was: " Michael Tremer
2017-09-29 7:00 ` Matthias Fischer
2017-09-25 15:50 ` Peter Müller
2017-09-25 17:08 ` Matthias Fischer