* [PATCH v2] redirect to TLS WebUI if authorisation required @ 2017-10-11 13:55 Peter Müller 2017-10-11 13:56 ` Michael Tremer 0 siblings, 1 reply; 5+ messages in thread From: Peter Müller @ 2017-10-11 13:55 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1607 bytes --] Do not allow credentials being submitted in plaintext to Apache. Instead, redirect the user with a 301 to the TLS version of IPFire's web interface. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..41d10c874 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,17 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - </Directory> + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache> ^ permalink raw reply [flat|nested] 5+ messages in thread
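Review bot: In the `<Directory /srv/web/ipfire/cgi-bin>` block, `RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]` runs in per-directory context, where mod_rewrite matches the pattern against the path with the directory prefix already stripped. For a request to a script under /cgi-bin/, `$1` therefore holds only the script name, and the redirect target on port 444 loses the `/cgi-bin/` part. Building the target from the request, for example `RewriteRule ^ https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]`, keeps the original path; the `<DirectoryMatch>` block for graphs and sgraph should be checked for the same effect. Separately, the cgi-bin block drops `AllowOverride None` and replaces `Options None` with `Options SymLinksIfOwnerMatch` without the commit message saying why. With `AuthType Basic` and `Require user admin` removed, access control for these paths on this vhost rests entirely on the redirect firing for every request, which deserves a sentence in the description.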
* Re: [PATCH v2] redirect to TLS WebUI if authorisation required 2017-10-11 13:55 [PATCH v2] redirect to TLS WebUI if authorisation required Peter Müller @ 2017-10-11 13:56 ` Michael Tremer 2017-10-11 14:52 ` Peter Müller 0 siblings, 1 reply; 5+ messages in thread From: Michael Tremer @ 2017-10-11 13:56 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2344 bytes --] Nope. [root(a)rice-oxley ipfire-2.x]# pwclient git-am -s 1460 Applying patch #1460 using 'git am -s' Description: [v2] redirect to TLS WebUI if authorisation required Applying: redirect to TLS WebUI if authorisation required error: corrupt patch at line 41 Patch failed at 0001 redirect to TLS WebUI if authorisation required The copy of the patch that failed is found in: .git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". 'git am' failed with exit status 128 On Wed, 2017-10-11 at 15:55 +0200, Peter Müller wrote: > Do not allow credentials being submitted in plaintext to Apache. > Instead, redirect the user with a 301 to the TLS version of IPFire's > web interface. > > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> > --- > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > b/config/httpd/vhosts.d/ipfire-interface.conf > index 619f90fcc..41d10c874 100644 > --- a/config/httpd/vhosts.d/ipfire-interface.conf > +++ b/config/httpd/vhosts.d/ipfire-interface.conf 
> @@ -12,36 +12,17 @@ > Require all granted > </Directory> > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> > - AuthName "IPFire - Restricted" > - AuthType Basic > - AuthUserFile /var/ipfire/auth/users > - Require user admin > + Options SymLinksIfOwnerMatch > + RewriteEngine on > + RewriteCond %{HTTPS} off > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > </DirectoryMatch> > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > <Directory /srv/web/ipfire/cgi-bin> > - AllowOverride None > - Options None > - AuthName "IPFire - Restricted" > - AuthType Basic > - AuthUserFile /var/ipfire/auth/users > - Require user admin > - <Files chpasswd.cgi> > - Require all granted > - </Files> > - <Files webaccess.cgi> > - Require all granted > - </Files> > - </Directory> > + Options SymLinksIfOwnerMatch > + RewriteEngine on > + RewriteCond %{HTTPS} off > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > </Directory> > Alias /updatecache/ /var/updatecache/ > <Directory /var/updatecache> [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] redirect to TLS WebUI if authorisation required 2017-10-11 13:56 ` Michael Tremer @ 2017-10-11 14:52 ` Peter Müller 2017-10-11 20:05 ` Michael Tremer 0 siblings, 1 reply; 5+ messages in thread From: Peter Müller @ 2017-10-11 14:52 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2517 bytes --] Well, I hope the third try is working now... > Nope. > > [root(a)rice-oxley ipfire-2.x]# pwclient git-am -s 1460 > Applying patch #1460 using 'git am -s' > Description: [v2] redirect to TLS WebUI if authorisation required > Applying: redirect to TLS WebUI if authorisation required > error: corrupt patch at line 41 > Patch failed at 0001 redirect to TLS WebUI if authorisation required > The copy of the patch that failed is found in: .git/rebase-apply/patch > When you have resolved this problem, run "git am --continue". > If you prefer to skip this patch, run "git am --skip" instead. > To restore the original branch and stop patching, run "git am --abort". > 'git am' failed with exit status 128 > > > On Wed, 2017-10-11 at 15:55 +0200, Peter Müller wrote: > > Do not allow credentials being submitted in plaintext to Apache. > > Instead, redirect the user with a 301 to the TLS version of IPFire's > > web interface. > > > > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> > > --- > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > b/config/httpd/vhosts.d/ipfire-interface.conf > > index 619f90fcc..41d10c874 100644 > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf 
> > @@ -12,36 +12,17 @@ > > Require all granted > > </Directory> > > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> > > - AuthName "IPFire - Restricted" > > - AuthType Basic > > - AuthUserFile /var/ipfire/auth/users > > - Require user admin > > + Options SymLinksIfOwnerMatch > > + RewriteEngine on > > + RewriteCond %{HTTPS} off > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > </DirectoryMatch> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > <Directory /srv/web/ipfire/cgi-bin> > > - AllowOverride None > > - Options None > > - AuthName "IPFire - Restricted" > > - AuthType Basic > > - AuthUserFile /var/ipfire/auth/users > > - Require user admin > > - <Files chpasswd.cgi> > > - Require all granted > > - </Files> > > - <Files webaccess.cgi> > > - Require all granted > > - </Files> > > - </Directory> > > + Options SymLinksIfOwnerMatch > > + RewriteEngine on > > + RewriteCond %{HTTPS} off > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > </Directory> > > Alias /updatecache/ /var/updatecache/ > > <Directory /var/updatecache> ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] redirect to TLS WebUI if authorisation required 2017-10-11 14:52 ` Peter Müller @ 2017-10-11 20:05 ` Michael Tremer 2017-10-11 20:12 ` Peter Müller 0 siblings, 1 reply; 5+ messages in thread From: Michael Tremer @ 2017-10-11 20:05 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2746 bytes --] It was. What did you change? -Michael On Wed, 2017-10-11 at 16:52 +0200, Peter Müller wrote: > Well, I hope the third try is working now... > > > Nope. > > > > [root(a)rice-oxley ipfire-2.x]# pwclient git-am -s 1460 > > Applying patch #1460 using 'git am -s' > > Description: [v2] redirect to TLS WebUI if authorisation required > > Applying: redirect to TLS WebUI if authorisation required > > error: corrupt patch at line 41 > > Patch failed at 0001 redirect to TLS WebUI if authorisation required > > The copy of the patch that failed is found in: .git/rebase-apply/patch > > When you have resolved this problem, run "git am --continue". > > If you prefer to skip this patch, run "git am --skip" instead. > > To restore the original branch and stop patching, run "git am --abort". > > 'git am' failed with exit status 128 > > > > > > On Wed, 2017-10-11 at 15:55 +0200, Peter Müller wrote: > > > Do not allow credentials being submitted in plaintext to Apache. > > > Instead, redirect the user with a 301 to the TLS version of IPFire's > > > web interface. > > > > > > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> > > > --- > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > > b/config/httpd/vhosts.d/ipfire-interface.conf > > > index 619f90fcc..41d10c874 100644 > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf 
> > > @@ -12,36 +12,17 @@ > > > Require all granted > > > </Directory> > > > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> > > > - AuthName "IPFire - Restricted" > > > - AuthType Basic > > > - AuthUserFile /var/ipfire/auth/users > > > - Require user admin > > > + Options SymLinksIfOwnerMatch > > > + RewriteEngine on > > > + RewriteCond %{HTTPS} off > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > </DirectoryMatch> > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > <Directory /srv/web/ipfire/cgi-bin> > > > - AllowOverride None > > > - Options None > > > - AuthName "IPFire - Restricted" > > > - AuthType Basic > > > - AuthUserFile /var/ipfire/auth/users > > > - Require user admin > > > - <Files chpasswd.cgi> > > > - Require all granted > > > - </Files> > > > - <Files webaccess.cgi> > > > - Require all granted > > > - </Files> > > > - </Directory> > > > + Options SymLinksIfOwnerMatch > > > + RewriteEngine on > > > + RewriteCond %{HTTPS} off > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > </Directory> > > > Alias /updatecache/ /var/updatecache/ > > > <Directory /var/updatecache> > > [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] redirect to TLS WebUI if authorisation required 2017-10-11 20:05 ` Michael Tremer @ 2017-10-11 20:12 ` Peter Müller 0 siblings, 0 replies; 5+ messages in thread From: Peter Müller @ 2017-10-11 20:12 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 3471 bytes --] Hello Michael, well, actually I used spaces instead of tabs. Second, git format-patch crashed before, and some global configuration options (mail address, ...) needed to be set. Quite strange, but well. I never really used these git functions before, just ran git diff [changed file] > patch and pasted the content with Signed-off-by in my MUA. Now, I take the output of git format-patch, remove all those mail headers, and paste the content in my MUA... As Einstein said: "Make things as easy as you can - but not easier." Quite right... Best regards, Peter Müller > It was. What did you change? > > -Michael > > On Wed, 2017-10-11 at 16:52 +0200, Peter Müller wrote: > > Well, I hope the third try is working now... > > > > > Nope. > > > > > > [root(a)rice-oxley ipfire-2.x]# pwclient git-am -s 1460 > > > Applying patch #1460 using 'git am -s' > > > Description: [v2] redirect to TLS WebUI if authorisation required > > > Applying: redirect to TLS WebUI if authorisation required > > > error: corrupt patch at line 41 > > > Patch failed at 0001 redirect to TLS WebUI if authorisation required > > > The copy of the patch that failed is found in: .git/rebase-apply/patch > > > When you have resolved this problem, run "git am --continue". > > > If you prefer to skip this patch, run "git am --skip" instead. > > > To restore the original branch and stop patching, run "git am --abort". > > > 'git am' failed with exit status 128 > > > > > > > > > On Wed, 2017-10-11 at 15:55 +0200, Peter Müller wrote: > > > > Do not allow credentials being submitted in plaintext to Apache. > > > > Instead, redirect the user with a 301 to the TLS version of IPFire's > > > > web interface. 
> > > > > > > > Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> > > > > --- > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > > > b/config/httpd/vhosts.d/ipfire-interface.conf > > > > index 619f90fcc..41d10c874 100644 > > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf > > > > @@ -12,36 +12,17 @@ > > > > Require all granted > > > > </Directory> > > > > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> > > > > - AuthName "IPFire - Restricted" > > > > - AuthType Basic > > > > - AuthUserFile /var/ipfire/auth/users > > > > - Require user admin > > > > + Options SymLinksIfOwnerMatch > > > > + RewriteEngine on > > > > + RewriteCond %{HTTPS} off > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > > </DirectoryMatch> > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > <Directory /srv/web/ipfire/cgi-bin> > > > > - AllowOverride None > > > > - Options None > > > > - AuthName "IPFire - Restricted" > > > > - AuthType Basic > > > > - AuthUserFile /var/ipfire/auth/users > > > > - Require user admin > > > > - <Files chpasswd.cgi> > > > > - Require all granted > > > > - </Files> > > > > - <Files webaccess.cgi> > > > > - Require all granted > > > > - </Files> > > > > - </Directory> > > > > + Options SymLinksIfOwnerMatch > > > > + RewriteEngine on > > > > + RewriteCond %{HTTPS} off > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > > </Directory> > > > > Alias /updatecache/ /var/updatecache/ > > > > <Directory /var/updatecache> > > > > ^ permalink raw reply [flat|nested] 5+ messages in thread