Hello Matthias,
thanks for the quick reply.
On 23.09.2017 20:19, Peter Müller wrote:
Hello Matthias,
your described scenario does not appear on my machine. :-(
Hm... Weird.
However, the "Require ssl" directive seems not to work with the 2.2.x branch; here, we still need the old "SSLRequireSSL". (On the other hand, it was intended to be used with the new version.)
Which version are you running?
Sorry, forgot. I'm using 2.4.27 from current 'next', built today, on Core 113.
Ah, I was still at 2.2.x (where the patch has no effect) and tested against a 2.4.x web server I had at hand.
Promise to test better next time.
I think the best solution for now is to disregard this patch. After the Core Update with version 2.4.27 has been released, I'll give it another try.
See above... It won't work here: I just verified this behaviour on my test machine. *With* "Require ssl" I get instant (https-)access, *without* "Require ssl" I'm asked for username / password.
Well, according to the Apache docs (https://httpd.apache.org/docs/current/mod/mod_ssl.html#reqssl), one cannot assume that this breaks "Require valid-user". Looks somehow like a bug in Apache...
I think I will just replace the directories with HTTP 301 in the unencrypted file (as I mentioned in the other mail), but for the "ipfire-interface-ssl.conf" file, we can assume SSL is used, anyway.
We _can_ assume, but we are not sure. :-|
Will use a nightly build tomorrow and develop a better patch.
Best regards, Peter Müller
Best, Matthias
@All: Anybody against or in favor?
Best regards, Peter Müller
Hello Matthias,
thanks for reporting this. I am trying to reproduce here...
Best regards, Peter Müller
Hi Peter,
Please review this patch... (http://patchwork.ipfire.org/patch/1413/)
During testing I found that every machine in my GREEN net was suddenly able to login through https://[IPFIRE_GREEN_ADDRESS]:[444].
No question for admin-username, no password authentication request, nothing.
It seems as if the Authentication Header is missing(?).
Only when I remove the "Require ssl" lines (I did this in both files), a browser restart leads to the usual login procedure.
Best, Matthias
On 08.09.2017 19:19, Peter Müller wrote:
Force SSL/TLS for any WebUI directory which requires an authentication. This prevents credentials from being transmitted in plaintext, which is an information leak.
Scenario: A MITM attacker might block all encrypted traffic to the firewall's web interface, making the administrator use an unencrypted connection (i.e. via port 81). Username and password can then be easily logged in transit.
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..5ceaa1f32 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -24,6 +26,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin
Require ssl
</DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin>
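Review bot: "Require ssl" placed directly after "Require user admin" in this DirectoryMatch section is not an additional condition: in httpd 2.4, Require lines that are not wrapped in <RequireAll>/<RequireAny> are combined with an implicit RequireAny, so any https request satisfies the section without presenting credentials. That is the unauthenticated access Matthias describes. Wrap both lines: `<RequireAll>` / `Require ssl` / `Require user admin` / `</RequireAll>`. The header `@@ -24,6 +26,7 @@` also shows two lines added before this hunk that are not part of this patch; please regenerate it against a clean checkout of next so it applies cleanly.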
@@ -33,6 +36,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin
Require ssl <Files chpasswd.cgi> Require all granted </Files>
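Review bot: same implicit-RequireAny problem in the /srv/web/ipfire/cgi-bin section, and this is the one covering the whole WebUI, so every host that can reach port 444 gets in without a login. Either wrap `Require ssl` and `Require user admin` in `<RequireAll>`, or drop `Require ssl` from this file altogether, given that this is the TLS vhost and cannot be reached without TLS. The `<Files chpasswd.cgi> Require all granted </Files>` override is unaffected either way.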
@@ -50,6 +54,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user dial admin
Require ssl
</Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars
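Review bot: `Require user dial admin` followed by a bare `Require ssl` has the same effect as above: over https this section is open to everyone, and a RequireAll wrapper is needed if the line is kept. Note also that `Require ssl` is provided by mod_ssl in 2.4 only; the thread shows that the 2.2.x build ignores it and needs `SSLRequireSSL` instead, so the commit message should state the minimum httpd version the patch targets.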
@@ -86,5 +91,6 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin
Require ssl
</Directory>
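Review bot: fourth copy of the same two-line combination, and the same RequireAll fix applies. All four sections in this file live in the TLS vhost (port 444 per the report), where a `Require ssl` adds nothing over what the vhost already guarantees while, unwrapped, it removes the password check. The commit message's MITM scenario concerns the port-81 vhost, so either drop the line from this file or wrap it and explain in the message why it is still wanted here.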
</VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..58d1b54cd 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -16,6 +16,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin + Require ssl </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -25,6 +26,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user admin + Require ssl <Files chpasswd.cgi> Require all granted </Files> @@ -42,6 +44,7 @@ AuthType Basic AuthUserFile /var/ipfire/auth/users Require user dial admin + Require ssl </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>
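Review bot: in ipfire-interface.conf the three added `Require ssl` lines do not stop plaintext logins: on a port-81 request `Require ssl` fails, and the implicit RequireAny then falls back to `Require user admin` (or `Require user dial admin`), so the browser is still prompted and the password still crosses the wire unencrypted, which is exactly the leak the commit message wants to close. Wrapping the pair in `<RequireAll>` would turn these paths into a flat 403 over http; a `Redirect permanent` of the authenticated paths to the :444 vhost (the 301 approach Peter proposes in the thread) is the more useful fix and leaves `/updatecache/`, which this vhost serves without authentication, on port 81.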
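Review bot: the `<Files chpasswd.cgi> Require all granted </Files>` block in the port-81 vhost is left as is, so the password-change CGI remains reachable without authentication over plaintext http and the credentials it handles travel in cleartext too; whatever is done for the other paths in this file should cover chpasswd.cgi as well.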
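The behaviour Matthias reports (instant https access, no authentication header) follows from how httpd 2.4 combines several Require lines in one section. The fragment below is an added example, not IPFire's shipped configuration and not part of the thread; it places the weak form the patch produces next to a corrected one, and shows a redirect for the plain-http vhost instead of Basic auth. The directory path and AuthUserFile are taken from the patch; the ServerName, the AuthName text, the port numbers 81 and 444 (as named in the thread) and the body of the port-81 vhost are assumptions.

```apacheconf
# Added example, not IPFire's shipped configuration. Directory path and
# AuthUserFile are taken from the patch; ServerName, AuthName and the
# port-81 vhost body are assumptions.

# 1. What the patch produces. In httpd 2.4, Require lines in one section
#    that are not wrapped in <RequireAll>/<RequireAny> are combined with an
#    implicit RequireAny: ONE passing line is enough. On an https connection
#    "Require ssl" passes by itself, so "Require user admin" is never
#    consulted and no 401 / WWW-Authenticate is ever sent.
<Directory /srv/web/ipfire/cgi-bin>
    AuthName "IPFire - Restricted"
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    Require user admin
    Require ssl
</Directory>

# 2. Corrected: both conditions have to hold before access is granted.
#    "Require ssl" exists only in httpd 2.4 (mod_ssl); on 2.2.x use
#    SSLRequireSSL in its place.
<Directory /srv/web/ipfire/cgi-bin>
    AuthName "IPFire - Restricted"
    AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    <RequireAll>
        Require ssl
        Require user admin
    </RequireAll>
</Directory>

# 3. Plain-http vhost (port 81): do not run Basic auth here at all. With the
#    patch as posted, "Require ssl" fails over http and the implicit
#    RequireAny falls back to "Require user admin", so the password still
#    crosses the wire in cleartext. Redirecting the authenticated paths to
#    the TLS vhost removes the prompt; unauthenticated paths such as
#    /updatecache/ can stay on port 81.
<VirtualHost *:81>
    ServerName ipfire.localdomain
    Redirect permanent /cgi-bin/ https://ipfire.localdomain:444/cgi-bin/
    Alias /updatecache/ /var/updatecache/
</VirtualHost>
```

A quick check after reloading httpd: a request without credentials to any authenticated CGI path on port 444 (for example with curl -k -I) must come back as 401 with a WWW-Authenticate: Basic header; a 200 without credentials means the implicit RequireAny is still in effect. On port 81 the same path should answer 301 with a Location pointing at the :444 vhost and no WWW-Authenticate header at all. Note that Apache does not accept comments on the same line as a directive, which is why every comment above sits on its own line.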