- remove unused dial.cgi stuff - redirect to TLS version for directories requiring an authentication - force TLS for directories requiring an authentication
Signed-off-by: Peter Müller peter.mueller@link38.eu --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..433103fdc 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -32,24 +35,16 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> <Files chpasswd.cgi> Require all granted </Files> <Files webaccess.cgi> Require all granted </Files> - <Files dial.cgi> - Require user admin - </Files> - </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin </Directory> <Files ~ ".(cgi|shtml?)$"> SSLOptions +StdEnvVars @@ -85,6 +80,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </Directory> </VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..41d10c874 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,17 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%%7BSERVER_NAME%7D:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - <Files dial.cgi> - Require user admin - </Files> - </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%%7BSERVER_NAME%7D:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>
Hi,
it would indeed be better to split this patch into two to three.
Could you please do this and resubmit?
-Michael
On Mon, 2017-10-09 at 22:21 +0200, Peter Müller wrote:
- remove unused dial.cgi stuff
- redirect to TLS version for directories requiring an authentication
- force TLS for directories requiring an authentication
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..433103fdc 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user adminRequire ssl</RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin>
@@ -32,24 +35,16 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user adminRequire ssl</RequireAll> <Files chpasswd.cgi> Require all granted </Files> <Files webaccess.cgi> Require all granted </Files>
<Files dial.cgi>Require user admin</Files></Directory>
- <Directory /srv/web/ipfire/cgi-bin/dial>
AllowOverride NoneOptions NoneAuthName "IPFire - Restricted"AuthType BasicAuthUserFile /var/ipfire/auth/usersRequire user dial admin</Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars
@@ -85,6 +80,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user adminRequire ssl</RequireAll> </Directory>
</VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..41d10c874 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,17 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - <Files dial.cgi> - Require user admin - </Files> - </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>
Hello Michael,
okay, thanks, I did so.
Now everything should be fine. :-)
Best regards, Peter Müller
Hi,
it would indeed be better to split this patch into two to three.
Could you please do this and resubmit?
-Michael
On Mon, 2017-10-09 at 22:21 +0200, Peter Müller wrote:
- remove unused dial.cgi stuff
- redirect to TLS version for directories requiring an authentication
- force TLS for directories requiring an authentication
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..433103fdc 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user adminRequire ssl</RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin>
@@ -32,24 +35,16 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user adminRequire ssl</RequireAll> <Files chpasswd.cgi> Require all granted </Files> <Files webaccess.cgi> Require all granted </Files>
<Files dial.cgi>Require user admin</Files></Directory>
- <Directory /srv/web/ipfire/cgi-bin/dial>
AllowOverride NoneOptions NoneAuthName "IPFire - Restricted"AuthType BasicAuthUserFile /var/ipfire/auth/usersRequire user dial admin</Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars
@@ -85,6 +80,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user adminRequire ssl</RequireAll> </Directory>
</VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..41d10c874 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,17 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - <Files dial.cgi> - Require user admin - </Files> - </Directory> - <Directory /srv/web/ipfire/cgi-bin/dial> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>
-
Michael Tremer -
Peter Müller