No I don’t think so.
Just merged it. Thanks.
On 18 Oct 2017, at 7:30 pm, Peter Müller peter.mueller@link38.eu wrote:
Hello Michael,
Hi,
On Tue, 2017-10-17 at 19:49 +0200, Peter Müller wrote: Do not allow credentials being submitted in plaintext to Apache. Instead, redirect the user with a 301 to the TLS version of IPFire's web interface.
Not sure if this has been merged (and is working) yet... :-)
Why do you doubt that this is working?
This patch does not appear in the public git repository. So I assume something was wrong with it.
Best regards, Peter Müller
-Michael
Signed-off-by: Peter Müller peter.mueller@link38.eu
config/httpd/vhosts.d/ipfire-interface.conf | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 27fd25a95..be15cd041 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,25 +12,17 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
Require user admin
Options SymLinksIfOwnerMatch
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
</DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin>
AllowOverride None
Options None
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
Require user admin
<Files chpasswd.cgi>
Require all granted
</Files>
<Files webaccess.cgi>
Require all granted
</Files>
Options SymLinksIfOwnerMatch
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
</Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>