Hello Matthias,
thanks for testing. Please see my comments below...
Hi Peter,
I did the following:
Stopped Apache on my testmachine (192.168.100.251), patched files, started apache, accesses made with FF 55.0.3.
- Accessing "http://192.168.100.251:444":
"Bad Request
Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache Server at ipfiretest.localdomain Port 444"
That is normal and also appears without my patch.
- Accessing "https://192.168.100.251:444"
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
This is normal, too.
- Browser-Restart, reopening page, same result as 2., "Authentication
Required..."
OK.
- Accessing "http://192.168.100.251:81":
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
Yep, here is the change: The browser is being redirected to the secure version.
- Accessing "https://192.168.100.251:81":
"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"
This is because there is no SSL engine running on port 81. Apache returns a "Bad Request" answer, which is surprisingly not understood by the browser.
Any anything else I could do?
Not directly.
It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi" (perhaps in a school's network) could test this patch too, since these CGIs are not accessible via plaintext anymore.
Both are not working here. "webaccess.cgi" redirects to SSL itself and says "disabled by administrator", while "chpasswd.cgi" just returns a 500 "Internal Server Error". Interesting.
But since that is a special use case, I assume the patch works fine.
Best regards and thanks again, Peter Müller
Best, Matthias
On 24.09.2017 09:06, Peter Müller wrote:
Force the usage of SSL when accessing protected locations.
Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status.
All authentication directives on port 81 are disabled to prevent data leakage.
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..bec0d580b 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin>
@@ -32,7 +35,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> <Files chpasswd.cgi> Require all granted </Files>
@@ -40,7 +46,10 @@ Require all granted </Files> <Files dial.cgi>
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> </Files>
</Directory> <Directory /srv/web/ipfire/cgi-bin/dial>
@@ -49,7 +58,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user dial admin
<RequireAll>
Require user dial admin
Require ssl
</RequireAll> </Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars
@@ -85,6 +97,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> </Directory>
</VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..a0537b392 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,25 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - <Files dial.cgi> - Require user admin - </Files> + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> <Directory /srv/web/ipfire/cgi-bin/dial> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>