Hello Michael, > Hi, > > On Tue, 2017-10-17 at 19:49 +0200, Peter Müller wrote: > > Do not allow credentials being submitted in plaintext to Apache. > > Instead, redirect the user with a 301 to the TLS version of IPFire's > > web interface. > > > > Not sure if this has been merged (and is working) yet... :-) > > Why do you doubt that this is working? This patch does not appear in the public git repository. So I assume something was wrong with it. Best regards, Peter Müller > > -Michael > > > > > Signed-off-by: Peter Müller > > --- > > config/httpd/vhosts.d/ipfire-interface.conf | 24 ++++++++---------------- > > 1 file changed, 8 insertions(+), 16 deletions(-) > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > b/config/httpd/vhosts.d/ipfire-interface.conf > > index 27fd25a95..be15cd041 100644 > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf > > @@ -12,25 +12,17 @@ > > Require all granted > > > > > > - AuthName "IPFire - Restricted" > > - AuthType Basic > > - AuthUserFile /var/ipfire/auth/users > > - Require user admin > > + Options SymLinksIfOwnerMatch > > + RewriteEngine on > > + RewriteCond %{HTTPS} off > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > - AllowOverride None > > - Options None > > - AuthName "IPFire - Restricted" > > - AuthType Basic > > - AuthUserFile /var/ipfire/auth/users > > - Require user admin > > - > > - Require all granted > > - > > - > > - Require all granted > > - > > + Options SymLinksIfOwnerMatch > > + RewriteEngine on > > + RewriteCond %{HTTPS} off > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > > Alias /updatecache/ /var/updatecache/ > >