On Sun, 2017-09-24 at 22:15 +0200, Peter Müller wrote:
Hello Michael,
Hi,
good testing guys.
Thanks.
I think the patch looks fine, but I think while we are at it, we should also clean up the vhost configuration files. They are messy. Really really messy.
Yes, indeed.
There are sections for the dial user which never existed in IPFire. There are also directory directives for the dial user. These can all be removed I think.
I have no idea what is using that access to the graphs directories. I think that can also be removed.
Then we have multiple CGI files that redirect to SSL themselves. I think we can let Apache do that, if that isn't even caught automatically by redirecting everything that isn't the update cache or proxy.pac to SSL.
Anyone want to work on this?
I can have a look at the vhost config files within this week. The CGIs are perhaps too difficult for me, since I am not familiar with Perl at the moment.
Does this make the patch sent in obsolete/should I work on top of it?
Please work on top of it.
I will merge this shortly.
Best, -Michael
Best regards, Peter Müller
-Michael
On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
Hello Matthias,
thanks for testing. Please see my comments below...
Hi Peter,
I did the following:
Stopped Apache on my test machine (192.168.100.251), patched files, started Apache, accesses made with FF 55.0.3.
- Accessing "http://192.168.100.251:444":
"Bad Request
Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache Server at ipfiretest.localdomain Port 444"
That is normal and also appears without my patch.
- Accessing "https://192.168.100.251:444"
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
This is normal, too.
- Browser restart, reopening page, same result as 2., "Authentication Required..."
OK.
- Accessing "http://192.168.100.251:81":
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
Yep, here is the change: The browser is being redirected to the secure version.
- Accessing "https://192.168.100.251:81":
"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"
This is because there is no SSL engine running on port 81. Apache returns a "Bad Request" answer, which is surprisingly not understood by the browser.
Anything else I could do?
Not directly.
It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi" (perhaps in a school's network) could test this patch too, since these CGIs are not accessible via plaintext anymore.
Both are not working here. "webaccess.cgi" redirects to SSL itself and says "disabled by administrator", while "chpasswd.cgi" just returns a 500 "Internal Server Error". Interesting.
But since that is a special use case, I assume the patch works fine.
Best regards and thanks again, Peter Müller
Best, Matthias
On 24.09.2017 09:06, Peter Müller wrote:
Force the usage of SSL when accessing protected locations.
Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status.
All authentication directives on port 81 are disabled to prevent data leakage.
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..bec0d580b 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin>
@@ -32,7 +35,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> <Files chpasswd.cgi> Require all granted </Files>
@@ -40,7 +46,10 @@ Require all granted </Files> <Files dial.cgi>
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> </Files>
</Directory> <Directory /srv/web/ipfire/cgi-bin/dial>
@@ -49,7 +58,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user dial admin
<RequireAll>
Require user dial admin
Require ssl
</RequireAll> </Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars
@@ -85,6 +97,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> </Directory>
</VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..a0537b392 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,25 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - <Files dial.cgi> - Require user admin - </Files> + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> <Directory /srv/web/ipfire/cgi-bin/dial> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>
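Review bot: in all five hunks of ipfire-interface-ssl.conf the added `Require ssl` inside the new `<RequireAll>` blocks is always satisfied, because this virtual host only ever serves TLS, so it is defence in depth rather than a behavioural change; a one-line comment next to it would stop a later cleanup from removing it as dead configuration. The second hunk keeps `<Files chpasswd.cgi> Require all granted </Files>` as unchanged context, yet the test report in this thread saw chpasswd.cgi answer with a 500 under the patched tree; since the hunk only wraps the existing `Require user admin`, please confirm the 500 also occurs without the patch before merging.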
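Review bot: the three identical blocks added to ipfire-interface.conf (`RewriteEngine on` / `RewriteCond %{HTTPS} off` / `RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]`) live in per-directory context (`<DirectoryMatch>` and `<Directory>`), where mod_rewrite matches the pattern against the path relative to that directory, so `$1` may arrive without its `/cgi-bin/`, `/graphs/` or `/sgraph/` prefix and the 301 can land on a different location on port 444; `RewriteRule ^ https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]` keeps the full request URI, and a deep link such as `http://host:81/cgi-bin/index.cgi` should be part of the test rather than only the site root. The `RewriteCond %{HTTPS} off` is always true in this plain-HTTP vhost and can be dropped. `Options SymLinksIfOwnerMatch` is only needed because per-directory rewriting requires FollowSymLinks or SymLinksIfOwnerMatch; since every protected location in this vhost gets the same rule, one rule at vhost level (outside the directory sections) would avoid widening `Options` from `None`. Also note that `%{SERVER_NAME}` only follows the client's Host header when `UseCanonicalName Off` is in effect; otherwise the redirect points at the configured ServerName.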
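The commit message above states two properties of the patched configuration: the plaintext port answers protected locations with a 301 to the HTTPS port, and it no longer emits any authentication directive (so no Basic-auth challenge can coax a browser into sending credentials in cleartext). The following script is an added example, not part of the patch or of IPFire, that checks exactly those properties on a pair of HTTP responses. The host and ports are the ones from the test report in this thread; the raw responses embedded at the bottom are constructed samples so the script runs offline, and the `fetch` helper is an assumption about how one would point it at a live box.

```python
"""Check that a plaintext web UI port redirects to HTTPS without challenging for
credentials, and that the HTTPS port does challenge with the expected realm.
Added example; host/ports taken from the thread, sample responses constructed."""

import http.client
import ssl
from dataclasses import dataclass

HOST = "192.168.100.251"          # test machine from the thread
PLAIN_PORT = 81                   # plaintext IPFire interface
TLS_PORT = 444                    # SSL IPFire interface
REALM = "IPFire - Restricted"     # AuthName used in the vhost files


@dataclass
class Response:
    status: int
    headers: dict  # lower-cased header name -> value


def parse_response(raw: bytes) -> Response:
    """Parse the status line and headers of a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return Response(status, headers)


def audit_plain(resp: Response, host: str, path: str) -> list:
    """Findings for the plaintext port: must be a 301 to https://host:444/path
    and must not carry a WWW-Authenticate challenge (credential leakage)."""
    findings = []
    if resp.status != 301:
        findings.append(f"plain port answered {resp.status}, expected 301")
    expected = f"https://{host}:{TLS_PORT}{path}"
    location = resp.headers.get("location", "")
    if location != expected:
        findings.append(f"Location is {location!r}, expected {expected!r}")
    if "www-authenticate" in resp.headers:
        findings.append("plain port still sends a Basic-auth challenge; "
                        "a browser would transmit credentials in cleartext")
    return findings


def audit_tls(resp: Response) -> list:
    """Findings for the HTTPS port: a 401 carrying Basic auth with REALM."""
    findings = []
    if resp.status != 401:
        findings.append(f"TLS port answered {resp.status}, expected 401")
    challenge = resp.headers.get("www-authenticate", "")
    if not challenge.lower().startswith("basic"):
        findings.append("TLS port did not issue a Basic challenge")
    if f'realm="{REALM}"' not in challenge:
        findings.append(f"unexpected realm in {challenge!r}")
    return findings


def fetch(host: str, port: int, path: str, tls: bool) -> Response:
    """Assumed live helper: fetch one response from a real box. The web UI
    certificate is normally self-signed, so verification is disabled here."""
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=5, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    r = conn.getresponse()
    return Response(r.status, {k.lower(): v for k, v in r.getheaders()})


# Constructed sample responses (not captured from a real IPFire box).
GOOD_PLAIN = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: https://192.168.100.251:444/cgi-bin/index.cgi\r\n"
              b"Content-Length: 0\r\n\r\n")
LEAKY_PLAIN = (b"HTTP/1.1 401 Unauthorized\r\n"
               b'WWW-Authenticate: Basic realm="IPFire - Restricted"\r\n'
               b"Content-Length: 0\r\n\r\n")
GOOD_TLS = (b"HTTP/1.1 401 Unauthorized\r\n"
            b'WWW-Authenticate: Basic realm="IPFire - Restricted"\r\n\r\n')

if __name__ == "__main__":
    path = "/cgi-bin/index.cgi"
    print("patched plain port:", audit_plain(parse_response(GOOD_PLAIN), HOST, path))
    print("unpatched plain port:", audit_plain(parse_response(LEAKY_PLAIN), HOST, path))
    print("tls port:", audit_tls(parse_response(GOOD_TLS)))
```

Against a live box one would replace the constructed samples with `fetch(HOST, PLAIN_PORT, path, tls=False)` and `fetch(HOST, TLS_PORT, path, tls=True)`; a deep link such as `/cgi-bin/index.cgi` is a better probe than the site root because it exercises the per-directory redirect rules rather than any root-level handling.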