Hi Peter,
I did the following:
Stopped Apache on my testmachine (192.168.100.251), patched files, started apache, accesses made with FF 55.0.3.
1. Accessing "http://192.168.100.251:444":
"Bad Request
Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache Server at ipfiretest.localdomain Port 444"
2. Accessing "https://192.168.100.251:444"
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
3. Browser-Restart, reopening page, same result as 2., "Authentication Required..."
4. Accessing "http://192.168.100.251:81":
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
5. Accessing "https://192.168.100.251:81":
"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"
Any anything else I could do?
Best, Matthias
On 24.09.2017 09:06, Peter Müller wrote:
Force the usage of SSL when accessing protected locations.
Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status.
All authentication directives on port 81 are disabled to prevent data leakage.
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..bec0d580b 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user adminRequire ssl</RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin>
@@ -32,7 +35,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user adminRequire ssl</RequireAll> <Files chpasswd.cgi> Require all granted </Files>
@@ -40,7 +46,10 @@ Require all granted </Files> <Files dial.cgi>
Require user admin
<RequireAll>Require user adminRequire ssl</RequireAll> </Files></Directory> <Directory /srv/web/ipfire/cgi-bin/dial>
@@ -49,7 +58,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user dial admin
<RequireAll>
Require user dial adminRequire ssl</RequireAll> </Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars
@@ -85,6 +97,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user adminRequire ssl</RequireAll> </Directory>
</VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..a0537b392 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,25 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - <Files dial.cgi> - Require user admin - </Files> + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> <Directory /srv/web/ipfire/cgi-bin/dial> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>