From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] force transport encryption for WebUI logins
Date: Sun, 24 Sep 2017 11:28:28 +0200
Message-ID: <77e3e42a-1f64-3be9-6f09-061a7c44b725@ipfire.org>
In-Reply-To: <20170924090625.48d4eea2.peter.mueller@link38.eu>

Hi Peter,

I did the following:

Stopped Apache on my testmachine (192.168.100.251), patched files, started apache, accesses made with FF 55.0.3.

1. Accessing "http://192.168.100.251:444":

"Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache Server at ipfiretest.localdomain Port 444"

2. Accessing "https://192.168.100.251:444":

"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”"
=> username / password

3. Browser restart, reopening page, same result as 2., "Authentication Required..."

4. Accessing "http://192.168.100.251:81":

"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”"
=> username / password

5. Accessing "https://192.168.100.251:81":

"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG"

Anything else I could do?

Best,
Matthias

On 24.09.2017 09:06, Peter Müller wrote:
> Force the usage of SSL when accessing protected locations.
>
> Queries to the plain text interface on port 81 will be answered
> with a 301 ("Moved permanently") status.
>=20 > All authentication directives on port 81 are disabled to prevent > data leakage. >=20 > Signed-off-by: Peter M=C3=BCller > --- > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd= /vhosts.d/ipfire-interface-ssl.conf > index 6f353962e..bec0d580b 100644 > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > @@ -23,7 +23,10 @@ > AuthName "IPFire - Restricted" > AuthType Basic > AuthUserFile /var/ipfire/auth/users > - Require user admin > + > + Require user admin > + Require ssl > + > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > @@ -32,7 +35,10 @@ > AuthName "IPFire - Restricted" > AuthType Basic > AuthUserFile /var/ipfire/auth/users > - Require user admin > + > + Require user admin > + Require ssl > + > > Require all granted > > @@ -40,7 +46,10 @@ > Require all granted > > > - Require user admin > + > + Require user admin > + Require ssl > + > > > > @@ -49,7 +58,10 @@ > AuthName "IPFire - Restricted" > AuthType Basic > AuthUserFile /var/ipfire/auth/users > - Require user dial admin > + > + Require user dial admin > + Require ssl > + > > > SSLOptions +StdEnvVars > @@ -85,6 +97,9 @@ > AuthName "IPFire - Restricted" > AuthType Basic > AuthUserFile /var/ipfire/auth/users > - Require user admin > + > + Require user admin > + Require ssl > + > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vho= sts.d/ipfire-interface.conf > index 619f90fcc..a0537b392 100644 > --- a/config/httpd/vhosts.d/ipfire-interface.conf > +++ b/config/httpd/vhosts.d/ipfire-interface.conf 
> @@ -12,36 +12,25 @@ > Require all granted > > > - AuthName "IPFire - Restricted" > - AuthType Basic > - AuthUserFile /var/ipfire/auth/users > - Require user admin > + Options SymLinksIfOwnerMatch > + RewriteEngine on > + RewriteCond %{HTTPS} off > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > AllowOverride None > - Options None > - AuthName "IPFire - Restricted" > - AuthType Basic > - AuthUserFile /var/ipfire/auth/users > - Require user admin > - > - Require all granted > - > - > - Require all granted > - > - > - Require user admin > - > + Options SymLinksIfOwnerMatch > + RewriteEngine on > + RewriteCond %{HTTPS} off > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] > > > AllowOverride None > - Options None > - AuthName "IPFire - Restricted" > - AuthType Basic > - AuthUserFile /var/ipfire/auth/users > - Require user dial admin > + Options SymLinksIfOwnerMatch > + RewriteEngine on > + RewriteCond %{HTTPS} off > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=3D301,L] > > Alias /updatecache/ /var/updatecache/ > >=20 --===============3179510081387642430==--
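Review bot: in all five ipfire-interface-ssl.conf hunks the pair `Require user admin` (or `Require user dial admin`) plus `Require ssl` is wrapped in a container whose opening and closing tags did not survive in this copy of the patch; please confirm it is `<RequireAll>` and not `<RequireAny>`, because under `RequireAny` a TLS connection alone satisfies `Require ssl` and the user check would never be consulted. Since this vhost only serves TLS (Matthias's step 1 shows mod_ssl already rejecting plain HTTP on port 444), `Require ssl` here is a defence-in-depth guard rather than the mechanism that enforces encryption; a sentence in the commit message saying so would help the next reader.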
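Review bot: `RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]` sits in per-directory context, where `$1` is the path relative to that directory rather than the request URI, so for the directory reached through `ScriptAlias /cgi-bin/` the redirect target loses the `/cgi-bin/` prefix (a request for a hypothetical `/cgi-bin/example.cgi` on port 81 would be sent to `https://host:444/example.cgi`). Substituting the original URI avoids this: `RewriteRule ^ https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]`. Matthias's step 4 only exercised the site root, which is the one case where `$1` and the URI coincide, so the cgi-bin path is still untested. Two smaller points for the commit message: `%{SERVER_NAME}` follows `UseCanonicalName`, so with a configured ServerName and `UseCanonicalName On` clients are redirected to that name instead of the address they typed; and the change from `Options None` to `Options SymLinksIfOwnerMatch`, which mod_rewrite needs in directory context, is not mentioned in the description.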