public inbox for development@lists.ipfire.org
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 18:55:31 +0200
Message-ID: <4773DDA3-E77B-432D-B29F-30CC95F34583@ipfire.org>
In-Reply-To: <20170924130415.65717685.peter.mueller@link38.eu>


Hi all,
first of all, thanks for this great update and your work on this. I have installed Core 114 from the testing tree and I wanted to give you some feedback as well.

- After the update the WUI was not reachable and shows a 503, do not panic ;-) This happened because of some of my vhost configurations where the old directives 'Order', 'Allow', 'Deny', 'Satisfy' have been set. Apache's error_log did not display any problems, because after the update, and also after a reboot, Apache had not been started again. When using the initscript, the problem shows up with:

-> /etc/init.d/apache restart
Restarting Apache daemon...
AH00526: Syntax error on line 17 of /etc/httpd/conf/vhosts.d/nfsen.conf:
Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configu[ FAIL ]

Since 'mod_access_compat' is not provided (which is a good thing), the access control does not accept the old directives. The fix was not that complicated: instead of using e.g.

Order deny,allow
Deny from all

now 

Require all denied

needs to be used. I am currently not sure if IPFire provides vhost configurations which might have problems with this. The Cacti vhost configuration seems to work, even though the login appears only in HTTP; there are also a lot of PHP warnings, but I think this is out of scope here.


> It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> (perhaps in a school's network) could test this patch too, since these
> CGIs are not accessible via plaintext anymore.
> 
> Both are not working here. "webaccess.cgi" redirects to SSL itself and

Have tested webaccess.cgi and it works fine here, but I think my version differs from the default one. I use this version --> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=8fd29195bc9a7dabfab6ef4e3251cb449b7628de I pushed it a long time ago, but I think it may have been forgotten?

> says "disabled by administrator", while "chpasswd.cgi" just returns
> a 500 "Internal Server Error". Interesting.

chpasswd.cgi appears here, but if I change the PWD and add 'admin' as the current user I get a "Fehler: Benutzername existiert nicht". I have currently not found log messages which point to anything about this problem.

Some even small feedback from here.

Greetings,

Erik
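
The check described in the message above can be run before an upgrade to find vhost files that still carry Apache 2.2 access directives. This is an added example, not part of the original message or of IPFire's code; the function names `find_legacy_acl` and `demo` and the sample vhost are constructed here, and the directory in the usage comment is the one shown in the error output above.

```shell
#!/bin/sh
# Added example (not IPFire code): list Apache 2.2 access-control directives
# that stop Apache 2.4 from starting when mod_access_compat is not loaded.

# find_legacy_acl DIR
# Prints "file:line:text" for every active (non-comment) use of
# Order, Allow, Deny or Satisfy in DIR/*.conf.
# Exit status 0 if any were found, non-zero if none were found.
find_legacy_acl() {
    dir=$1
    # -i: directive names are case-insensitive in Apache.
    # The trailing [[:space:]] keeps AllowOverride from matching "Allow".
    # Lines whose first non-blank character is '#' do not match.
    grep -HinE '^[[:space:]]*(Order|Allow|Deny|Satisfy)[[:space:]]' \
        "$dir"/*.conf 2>/dev/null
}

# Self-check on a constructed sample vhost (not a file from the message).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sample.conf" <<'EOF'
<Directory "/srv/web/sample">
    # Order allow,deny   (commented out, must be ignored)
    AllowOverride None
    Order deny,allow
    Deny from all
    Require all denied
</Directory>
EOF
    find_legacy_acl "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh thisfile.sh /etc/httpd/conf/vhosts.d
if [ $# -gt 0 ]; then
    find_legacy_acl "$1" || echo "no legacy access directives found"
fi
```

Each reported line needs to be rewritten with `Require` (for example `Require all denied`) before Apache 2.4 will parse the file.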



Thread overview: 15+ messages
2017-09-24  7:06 Peter Müller
2017-09-24  9:28 ` Matthias Fischer
2017-09-24 11:04   ` Peter Müller
2017-09-24 16:55     ` ummeegge [this message]
2017-09-24 18:49       ` Michael Tremer
2017-09-24 18:56     ` Michael Tremer
2017-09-24 20:15       ` Peter Müller
2017-09-24 21:23         ` Michael Tremer
2017-09-24 21:23         ` Matthias Fischer
2017-09-24 21:25           ` Michael Tremer
2017-09-24 21:33             ` Matthias Fischer
2017-09-24 21:33               ` squid graphs, was: " Michael Tremer
2017-09-29  7:00                 ` Matthias Fischer
2017-09-25 15:50           ` Peter Müller
2017-09-25 17:08             ` Matthias Fischer
