From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 22:15:22 +0200
Message-ID: <20170924221522.761c0436.peter.mueller@link38.eu>
In-Reply-To: <1506279368.18494.81.camel@ipfire.org>

Hello Michael,

> Hi,
>
> good testing guys. Thanks.
>
> I think the patch looks fine, but I think while we are at it, we should also
> clean up the vhost configuration files. They are messy. Really really messy.

Yes, indeed.

> There are sections for the dial user, which never existed in IPFire. There are also
> directory directives for the dial user. These can all be removed, I think.
>
> I have no idea what is using that access to the graphs directories. I think that
> can also be removed.
>
> Then we have multiple CGI files that redirect to SSL themselves. I think we can
> let Apache do that, if that isn't even caught automatically by redirecting
> everything that isn't the update cache or proxy.pac to SSL.
>
> Anyone want to work on this?

I can have a look at the vhost config files within this week. The CGIs are perhaps
too difficult for me, since I am not familiar with Perl at the moment.

Does this make the patch sent in obsolete, or should I work on top of it?

Best regards,
Peter Müller

> -Michael
>
> On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
> > Hello Matthias,
> >
> > thanks for testing. Please see my comments below...
> >
> > > Hi Peter,
> > >
> > > I did the following:
> > >
> > > Stopped Apache on my test machine (192.168.100.251), patched files,
> > > started Apache, accesses made with FF 55.0.3.
> > >
> > > 1. Accessing "http://192.168.100.251:444":
> > >
> > > "Bad Request
> > >
> > > Your browser sent a request that this server could not understand.
> > > Reason: You're speaking plain HTTP to an SSL-enabled server port.
> > > Instead use the HTTPS scheme to access this URL, please.
> > > Apache Server at ipfiretest.localdomain Port 444"
> >
> > That is normal and also appears without my patch.
> >
> > > 2. Accessing "https://192.168.100.251:444"
> > >
> > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > your username and password. The site says: “IPFire - Restricted”"
> > > => username / password
> >
> > This is normal, too.
> >
> > > 3. Browser restart, reopening page, same result as 2., "Authentication
> > > Required..."
> >
> > OK.
> >
> > > 4. Accessing "http://192.168.100.251:81":
> > >
> > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > your username and password. The site says: “IPFire - Restricted”"
> > > => username / password
> >
> > Yep, here is the change: the browser is being redirected to the secure
> > version.
> >
> > > 5. Accessing "https://192.168.100.251:81":
> > >
> > > "Secure Connection Failed
> > >
> > > An error occurred during a connection to 192.168.100.251:81. SSL
> > > received a record that exceeded the maximum permissible length. Error
> > > code: SSL_ERROR_RX_RECORD_TOO_LONG"
> >
> > This is because there is no SSL engine running on port 81. Apache
> > returns a "Bad Request" answer, which is surprisingly not understood
> > by the browser.
> >
> > > Anything else I could do?
> >
> > Not directly.
> >
> > It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> > (perhaps in a school's network) could test this patch too, since these
> > CGIs are not accessible via plaintext anymore.
> >=20 > > Both are not working here. "webaccess.cgi" redirects to SSL itself and > > says "disabled by administrator", while "chpasswd.cgi" just returns > > a 500 "Internal Server Error". Interesting. > >=20 > > But since that is a special use case, I assume the patch works fine. > >=20 > > Best regards and thanks again, > > Peter M=C3=BCller =20 > > >=20 > > > Best, > > > Matthias > > >=20 > > > On 24.09.2017 09:06, Peter M=C3=BCller wrote: =20 > > > > Force the usage of SSL when accessing protected locations. > > > >=20 > > > > Queries to the plain text interface on port 81 will be answered > > > > with a 301 ("Moved permanently") status. > > > >=20 > > > > All authentication directives on port 81 are disabled to prevent > > > > data leakage. > > > >=20 > > > > Signed-off-by: Peter M=C3=BCller > > > > --- > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > index 6f353962e..bec0d580b 100644 > > > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > @@ -23,7 +23,10 @@ > > > > AuthName "IPFire - Restricted" > > > > AuthType Basic > > > > AuthUserFile /var/ipfire/auth/users > > > > - Require user admin > > > > + > > > > + Require user admin > > > > + Require ssl > > > > + > > > > > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > > > > > @@ -32,7 +35,10 @@ > > > > AuthName "IPFire - Restricted" > > > > AuthType Basic > > > > AuthUserFile /var/ipfire/auth/users > > > > - Require user admin > > > > + > > > > + Require user admin > > > > + Require ssl > > > > + > > > > > > > > Require all granted > > > > > > > > @@ -40,7 +46,10 @@ > > > > Require all granted > > > > > > > > > > > > - Require user admin > > > > + > > > > + Require user admin > > > > + Require ssl > > > > + > > > > > > 
> > > > > > > > > > @@ -49,7 +58,10 @@ > > > > AuthName "IPFire - Restricted" > > > > AuthType Basic > > > > AuthUserFile /var/ipfire/auth/users > > > > - Require user dial admin > > > > + > > > > + Require user dial admin > > > > + Require ssl > > > > + > > > > > > > > > > > > SSLOptions +StdEnvVars > > > > @@ -85,6 +97,9 @@ > > > > AuthName "IPFire - Restricted" > > > > AuthType Basic > > > > AuthUserFile /var/ipfire/auth/users > > > > - Require user admin > > > > + > > > > + Require user admin > > > > + Require ssl > > > > + > > > > > > > > > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > > > b/config/httpd/vhosts.d/ipfire-interface.conf > > > > index 619f90fcc..a0537b392 100644 > > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf 
> > > > @@ -12,36 +12,25 @@ > > > > Require all granted > > > > > > > > > > > > - AuthName "IPFire - Restricted" > > > > - AuthType Basic > > > > - AuthUserFile /var/ipfire/auth/users > > > > - Require user admin > > > > + Options SymLinksIfOwnerMatch > > > > + RewriteEngine on > > > > + RewriteCond %{HTTPS} off > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] > > > > > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > > > > > AllowOverride None > > > > - Options None > > > > - AuthName "IPFire - Restricted" > > > > - AuthType Basic > > > > - AuthUserFile /var/ipfire/auth/users > > > > - Require user admin > > > > - > > > > - Require all granted > > > > - > > > > - > > > > - Require all granted > > > > - > > > > - > > > > - Require user admin > > > > - > > > > + Options SymLinksIfOwnerMatch > > > > + RewriteEngine on > > > > + RewriteCond %{HTTPS} off > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] > > > > > > > > > > > > AllowOverride None > > > > - Options None > > > > - AuthName "IPFire - Restricted" > > > > - AuthType Basic > > > > - AuthUserFile /var/ipfire/auth/users > > > > - Require user dial admin > > > > + Options SymLinksIfOwnerMatch > > > > + RewriteEngine on > > > > + RewriteCond %{HTTPS} off > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] > > > > > > > > Alias /updatecache/ /var/updatecache/ > > > > > > > > =20 > >=20 > > =20 --===============1333693435675095072==--
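Review bot: in each of the five ipfire-interface-ssl.conf hunks (@@ -23, -32, -40, -49 and -85) the added `Require user admin` / `Require ssl` pair sits between two `+` lines that are empty in this rendering. If those are `<RequireAll>` and `</RequireAll>` tags lost in transit, the intent holds; if the two directives stand bare, Apache 2.4 treats sibling Require lines as an implicit `<RequireAny>`, so any TLS client would satisfy `Require ssl` and be served without a username and password. Please confirm the wrapper is present in the committed file, since `Require ssl` is only a belt-and-braces check when it is AND-ed with the user requirement.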
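Review bot: the hunk at @@ -49,7 +58,10 @@ in ipfire-interface-ssl.conf keeps `Require user dial admin`, although the reply above says the dial user never existed in IPFire. Dropping `dial` here, or in the follow-up cleanup, narrows the accepted usernames to the one that actually exists in /var/ipfire/auth/users.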
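Review bot: the ipfire-interface.conf hunk (@@ -12,36 +12,25 @@) pastes the same four lines (`Options SymLinksIfOwnerMatch`, `RewriteEngine on`, `RewriteCond %{HTTPS} off`, `RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]`) into three directory blocks. Since the authentication directives are removed from this vhost, the redirect is now the only control on port 81, so every location that carried auth must also carry the redirect; one rule at VirtualHost scope, with /updatecache/ and proxy.pac excluded as the reply above suggests, would cover locations added later without anyone remembering to copy the block. `RewriteCond %{HTTPS} off` is always true on this plaintext-only vhost and can go.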
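As an added example (not part of the patch or of the IPFire project), a small Python linter for the two properties this patch is after: no Basic auth offered on a vhost without `SSLEngine on`, and `Require ssl` combined with `Require user` only inside `<RequireAll>`, because Apache 2.4 OR-s bare sibling Require directives. The vhost fragments and paths below are constructed stand-ins for the two files the patch touches.

```python
# Constructed stand-ins (not IPFire's real files): port 81 still carrying
# Basic auth, and port 444 with the Require pair once inside <RequireAll> and once bare.
PLAIN_VHOST = """<VirtualHost *:81>
<Directory /srv/web/ipfire/cgi-bin>
AuthType Basic
AuthUserFile /var/ipfire/auth/users
Require user admin
</Directory>
</VirtualHost>"""

SSL_VHOST = """<VirtualHost *:444>
SSLEngine on
<Directory /srv/web/ipfire/cgi-bin>
AuthType Basic
<RequireAll>
Require user admin
Require ssl
</RequireAll>
</Directory>
<Directory /srv/web/ipfire/html>
AuthType Basic
Require user admin
Require ssl
</Directory>
</VirtualHost>"""

def lint_vhost(text):
    """Return (container path, problem) pairs for one Apache vhost file."""
    stack, blocks, ssl_on = [], {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("</"):       # closing tag: leave the container
            stack.pop()
        elif line.startswith("<"):      # opening tag: keep its full text as the key
            stack.append(line)
        else:                           # directive: file it under the open containers
            name, _, args = line.partition(" ")
            ssl_on = ssl_on or (name == "SSLEngine" and args.strip().lower() == "on")
            blocks.setdefault(tuple(stack), []).append((name, args.strip()))
    findings = []
    for path, items in blocks.items():
        where = "/".join(path)
        requires = [a for n, a in items if n == "Require"]
        if any(n == "AuthType" for n, _ in items) and not ssl_on:
            findings.append((where, "Basic auth on a vhost without SSLEngine on: credentials would travel in clear"))
        if len(requires) > 1 and "ssl" in requires and not any(p.startswith("<RequireAll") for p in path):
            findings.append((where, "bare 'Require ssl' beside another Require is OR-ed (implicit RequireAny); wrap both in <RequireAll>"))
    return findings
```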