Force SSL/TLS for any WebUI directory which requires an authentication. This prevents credentials from being transmitted in plaintext, which is an information leak.
Scenario: A MITM attacker might block all encrypted traffic to the firewall's web interface, making the administrator using an unencrypted connection (i.e. via port 81). Username and password can be easily logged in transit then.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..5ceaa1f32 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -24,6 +26,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin + Require ssl </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -33,6 +36,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin + Require ssl <Files chpasswd.cgi> Require all granted </Files> @@ -50,6 +54,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user dial admin + Require ssl </Directory> <Files ~ ".(cgi|shtml?)$"> SSLOptions +StdEnvVars @@ -86,5 +91,6 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin + Require ssl </Directory> </VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..58d1b54cd 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -16,6 +16,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin + Require ssl </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -25,6 +26,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin + Require ssl <Files chpasswd.cgi> Require all granted </Files> @@ -42,6 +44,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user dial admin + Require ssl </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>