From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 11:28:28 +0200
Message-ID: <77e3e42a-1f64-3be9-6f09-061a7c44b725@ipfire.org>
In-Reply-To: <20170924090625.48d4eea2.peter.mueller@link38.eu>
Hi Peter,
I did the following:
Stopped Apache on my test machine (192.168.100.251), patched files,
started Apache, accesses made with FF 55.0.3.
1. Accessing "http://192.168.100.251:444":
"Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache Server at ipfiretest.localdomain Port 444"
2. Accessing "https://192.168.100.251:444"
"Authentication Required...https://192.168.100.251:444 is requesting
your username and password. The site says: “IPFire - Restricted”"
=> username / password
3. Browser-Restart, reopening page, same result as 2., "Authentication
Required..."
4. Accessing "http://192.168.100.251:81":
"Authentication Required...https://192.168.100.251:444 is requesting
your username and password. The site says: “IPFire - Restricted”"
=> username / password
5. Accessing "https://192.168.100.251:81":
"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL
received a record that exceeded the maximum permissible length. Error
code: SSL_ERROR_RX_RECORD_TOO_LONG"
Anything else I could do?
Best,
Matthias
On 24.09.2017 09:06, Peter Müller wrote:
> Force the usage of SSL when accessing protected locations.
>
> Queries to the plain text interface on port 81 will be answered
> with a 301 ("Moved permanently") status.
>
> All authentication directives on port 81 are disabled to prevent
> data leakage.
>
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index 6f353962e..bec0d580b 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -23,7 +23,10 @@
> AuthName "IPFire - Restricted"
> AuthType Basic
> AuthUserFile /var/ipfire/auth/users
> - Require user admin
> + <RequireAll>
> + Require user admin
> + Require ssl
> + </RequireAll>
> </DirectoryMatch>
> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> <Directory /srv/web/ipfire/cgi-bin>
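Review bot: the new `Require ssl` in this <RequireAll> cannot fail on this vhost, which is the TLS listener on 444 (the test above shows plain HTTP to 444 is rejected by mod_ssl before authorization runs), so a reader will take it for dead config; its value is that the Basic-auth section can no longer be copied into a plain-text vhost with a password prompt intact. Please add a one-line comment above the <RequireAll> saying exactly that, otherwise a later cleanup will remove it.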
> @@ -32,7 +35,10 @@
> AuthName "IPFire - Restricted"
> AuthType Basic
> AuthUserFile /var/ipfire/auth/users
> - Require user admin
> + <RequireAll>
> + Require user admin
> + Require ssl
> + </RequireAll>
> <Files chpasswd.cgi>
> Require all granted
> </Files>
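Review bot: the `Require all granted` inside <Files chpasswd.cgi> (and the webaccess.cgi block that follows) replaces the enclosing <RequireAll> rather than adding to it, because Apache 2.4 merges authorization sections with AuthMerging Off by default, so those two scripts stay reachable without a password after this change. That is the pre-patch behaviour, but since the patch is about data leakage the commit message should say that these two remain anonymous-accessible over TLS. The same merging rule is why dial.cgi further down has to carry its own <RequireAll> instead of inheriting the directory's.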
> @@ -40,7 +46,10 @@
> Require all granted
> </Files>
> <Files dial.cgi>
> - Require user admin
> + <RequireAll>
> + Require user admin
> + Require ssl
> + </RequireAll>
> </Files>
> </Directory>
> <Directory /srv/web/ipfire/cgi-bin/dial>
> @@ -49,7 +58,10 @@
> AuthName "IPFire - Restricted"
> AuthType Basic
> AuthUserFile /var/ipfire/auth/users
> - Require user dial admin
> + <RequireAll>
> + Require user dial admin
> + Require ssl
> + </RequireAll>
> </Directory>
> <Files ~ "\.(cgi|shtml?)$">
> SSLOptions +StdEnvVars
> @@ -85,6 +97,9 @@
> AuthName "IPFire - Restricted"
> AuthType Basic
> AuthUserFile /var/ipfire/auth/users
> - Require user admin
> + <RequireAll>
> + Require user admin
> + Require ssl
> + </RequireAll>
> </Directory>
> </VirtualHost>
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> index 619f90fcc..a0537b392 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -12,36 +12,25 @@
> Require all granted
> </Directory>
> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> - AuthName "IPFire - Restricted"
> - AuthType Basic
> - AuthUserFile /var/ipfire/auth/users
> - Require user admin
> + Options SymLinksIfOwnerMatch
> + RewriteEngine on
> + RewriteCond %{HTTPS} off
> + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> </DirectoryMatch>
> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> <Directory /srv/web/ipfire/cgi-bin>
> AllowOverride None
> - Options None
> - AuthName "IPFire - Restricted"
> - AuthType Basic
> - AuthUserFile /var/ipfire/auth/users
> - Require user admin
> - <Files chpasswd.cgi>
> - Require all granted
> - </Files>
> - <Files webaccess.cgi>
> - Require all granted
> - </Files>
> - <Files dial.cgi>
> - Require user admin
> - </Files>
> + Options SymLinksIfOwnerMatch
> + RewriteEngine on
> + RewriteCond %{HTTPS} off
> + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> </Directory>
> <Directory /srv/web/ipfire/cgi-bin/dial>
> AllowOverride None
> - Options None
> - AuthName "IPFire - Restricted"
> - AuthType Basic
> - AuthUserFile /var/ipfire/auth/users
> - Require user dial admin
> + Options SymLinksIfOwnerMatch
> + RewriteEngine on
> + RewriteCond %{HTTPS} off
> + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> </Directory>
> Alias /updatecache/ /var/updatecache/
> <Directory /var/updatecache>
>
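Review bot: `$1` in these three per-directory RewriteRules does not carry the URL path. In <Directory> context mod_rewrite matches the pattern against the remainder of the path after the directory prefix has been stripped, so a request for /cgi-bin/index.cgi is redirected to https://%{SERVER_NAME}:444/index.cgi and /cgi-bin/dial/... loses its prefix the same way; use the request URI instead, e.g. `RewriteRule ^ https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]`. Since the block is now identical in all three sections and `RewriteCond %{HTTPS} off` is always true on this port-81 vhost, one vhost-level rule would be shorter and avoid the prefix problem; it would also cover the html root (`Require all granted` at the top of the hunk) and /updatecache, which are still served in plain text after this patch, so "Queries to the plain text interface on port 81 will be answered with a 301" in the commit message currently overstates the change. Two further points for the commit message: chpasswd.cgi and webaccess.cgi used to be reachable on :81 without a password and now redirect, and the switch from `Options None` to `Options SymLinksIfOwnerMatch` is there because per-directory mod_rewrite needs FollowSymLinks or SymLinksIfOwnerMatch, which is worth a comment in the config. Finally, %{SERVER_NAME} only reflects the client's Host header while UseCanonicalName is Off; with it On the redirect goes to the configured ServerName, which a client that connected by IP may not be able to resolve.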
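An added example, not part of the patch or of IPFire's code: a small Python lint that parses an Apache 2.4 configuration fragment and reports every `Require user`, `Require group` or `Require valid-user` that is not wrapped in a <RequireAll> together with `Require ssl`, which is the property the ssl-vhost hunks above establish. It also treats a <RequireAny> containing `Require ssl` (and bare `Require ssl` next to `Require user`, which Apache merges as an implicit RequireAny) as not guarded, since "TLS or a password" still lets a password travel in clear. The config fragments are constructed here to mirror the before/after shape of the patch, not copied from the real files; the parser, regexes and function names are mine.

```python
"""Lint an Apache 2.4 config fragment: each Basic-auth Require user/group/valid-user
must sit inside a <RequireAll> that also contains `Require ssl`, so that a password
is never requested over plain HTTP.  Added example; not IPFire's own code."""
import re
from dataclasses import dataclass, field

OPEN = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")        # <Directory /path>, <RequireAll>
CLOSE = re.compile(r"^</(\w+)>$")                   # </Directory>
USER_REQ = re.compile(r"^Require\s+(user|group|valid-user)\b", re.I)
SSL_REQ = re.compile(r"^Require\s+ssl\s*$", re.I)


@dataclass
class Section:
    name: str
    line: int
    directives: list = field(default_factory=list)   # (lineno, directive text)
    children: list = field(default_factory=list)


def parse(text: str) -> Section:
    """Build a tree of configuration sections; raise ValueError on mismatched tags."""
    root = Section("ROOT", 0)
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            sec = Section(m.group(1), lineno)
            stack[-1].children.append(sec)
            stack.append(sec)
        elif m := CLOSE.match(line):
            if len(stack) == 1 or stack[-1].name.lower() != m.group(1).lower():
                raise ValueError(f"line {lineno}: unexpected </{m.group(1)}>")
            stack.pop()
        else:
            stack[-1].directives.append((lineno, line))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1].name}> opened at line {stack[-1].line}")
    return root


def find_unprotected(root: Section) -> list:
    """Return (lineno, text) for each user/group Require not guarded by `Require ssl`.

    The guard flows only through <RequireAll> (and a <RequireAny> nested inside it,
    because ssl AND (a OR b) still forces TLS).  Entering any other section resets
    it: with Apache 2.4's default AuthMerging Off, the Require set of a <Files> or
    <Directory> replaces the enclosing one, so it needs its own `Require ssl`.
    """
    findings = []

    def walk(sec: Section, guarded: bool) -> None:
        name = sec.name.lower()
        if name == "requireall":
            guarded = guarded or any(SSL_REQ.match(t) for _, t in sec.directives)
        elif name != "requireany":
            guarded = False
        for lineno, text in sec.directives:
            if USER_REQ.match(text) and not guarded:
                findings.append((lineno, text))
        for child in sec.children:
            walk(child, guarded)

    walk(root, False)
    return findings


def lint(text: str) -> list:
    """Human-readable findings for one config fragment (empty list means clean)."""
    return [f"line {n}: {t}" for n, t in find_unprotected(parse(text))]


# Constructed fragments modelled on the patch's before/after shape (not the real files).
BEFORE = """\
<Directory /srv/web/ipfire/cgi-bin>
    AllowOverride None
    Options None
    AuthName "IPFire - Restricted"
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    Require user admin
    <Files chpasswd.cgi>
        Require all granted
    </Files>
    <Files dial.cgi>
        Require user admin
    </Files>
</Directory>
"""

AFTER = """\
<Directory /srv/web/ipfire/cgi-bin>
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    <RequireAll>
        Require user admin
        Require ssl
    </RequireAll>
    <Files chpasswd.cgi>
        Require all granted
    </Files>
    <Files dial.cgi>
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
    </Files>
</Directory>
"""

# "TLS or admin" is not a guard: the password may still be sent in clear.
ANY_IS_NOT_A_GUARD = """\
<Directory /srv/web/ipfire/cgi-bin>
    <RequireAny>
        Require ssl
        Require user admin
    </RequireAny>
</Directory>
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("requireany", ANY_IS_NOT_A_GUARD)):
        print(f"{label}: {lint(cfg) or 'ok'}")
```

Run against the real vhost files with `lint(open(path).read())`; a finding on the port-81 file means a Basic-auth section survived there, and a finding on the 444 file means a section was added without the `Require ssl` guard the patch introduces.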