Force the usage of SSL when accessing protected locations.
Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status.
All authentication directives on port 81 are disabled to prevent data leakage.
Signed-off-by: Peter Müller peter.mueller@link38.eu --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..bec0d580b 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> @@ -32,7 +35,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> <Files chpasswd.cgi> Require all granted </Files> @@ -40,7 +46,10 @@ Require all granted </Files> <Files dial.cgi> - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </Files> </Directory> <Directory /srv/web/ipfire/cgi-bin/dial> @@ -49,7 +58,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user dial admin + <RequireAll> + Require user dial admin + Require ssl + </RequireAll> </Directory> <Files ~ ".(cgi|shtml?)$"> SSLOptions +StdEnvVars @@ -85,6 +97,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + <RequireAll> + Require user admin + Require ssl + </RequireAll> </Directory> </VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..a0537b392 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf 
@@ -12,36 +12,25 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%%7BSERVER_NAME%7D:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - <Files dial.cgi> - Require user admin - </Files> + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%%7BSERVER_NAME%7D:444/$1 [R=301,L] </Directory> <Directory /srv/web/ipfire/cgi-bin/dial> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%%7BSERVER_NAME%7D:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>
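Review bot: `Require ssl` is an authorization provider supplied by mod_ssl, and in the @@ -23,7 hunk of ipfire-interface-ssl.conf it sits in the vhost that already terminates TLS on port 444 (the `SSLOptions +StdEnvVars` context further down is the tell), so it can never fail there and only adds protection if this fragment is ever included from a non-SSL vhost. That is fine as defence in depth, but put a one-line comment above the `<RequireAll>` saying so, otherwise the next cleanup pass will treat it as dead configuration and drop it.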
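Review bot: the `<Files chpasswd.cgi> Require all granted </Files>` block kept as context in the @@ -32,7 hunk (and the webaccess.cgi block that follows it) still overrides the new `<RequireAll>`, because in 2.4 a `Require` in a more specific section replaces the enclosing one rather than combining with it, so both CGIs remain reachable without credentials. If that is intended, say so in the commit message; if the intent is "nothing under cgi-bin without TLS", those two blocks need their own `Require ssl` instead of `Require all granted`.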
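Review bot: after the @@ -40,7 hunk the `<Files dial.cgi>` section carries exactly the same `Require user admin` plus `Require ssl` pair as its parent `<Directory /srv/web/ipfire/cgi-bin>` one hunk up, so it is now a no-op; drop the block rather than extend it, unless dial.cgi is meant to get a different user list later.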
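Review bot: `Require user dial admin` in the @@ -49,7 hunk differs from the other sections only by the extra user "dial"; unless that account exists in /var/ipfire/auth/users the directive is equivalent to `Require user admin`, and the whole `<Directory /srv/web/ipfire/cgi-bin/dial>` section is a candidate for removal rather than for the added `Require ssl`. Worth checking before the pattern is copied once more.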
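Review bot: the @@ -85,6 hunk adds the fifth identical three-line `<RequireAll>` block to one file. If the goal is "nothing in this vhost without TLS", a single `SSLRequireSSL` in an enclosing `<Directory>` (mod_ssl merges that per-directory flag into subdirectories) would state it once, with no risk of one copy drifting from the others when a section is edited later; if the per-section copies stay, at least add a comment at the first one pointing to the rest.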
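Review bot: `RewriteRule (.*) https://%%7BSERVER_NAME%7D:444/$1 [R=301,L]` in the ipfire-interface.conf hunk runs inside `<Directory>` and `<DirectoryMatch>` sections, and in per-directory context mod_rewrite strips the directory prefix before matching, so `$1` holds only the remainder: a plain-HTTP request for /cgi-bin/index.cgi is sent to https://host:444/index.cgi and one for /graphs/foo.png to https://host:444/foo.png. Use the original request path instead, e.g. `RewriteRule ^ https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]`, which also makes the `(.*)` capture unnecessary. The test report in this thread could not show this, since the browser's credential prompt only displays the origin https://192.168.100.251:444 and not the path the redirect landed on. Two smaller points: the variable reads `%%7BSERVER_NAME%7D` in all three copies of the rule here, which looks like URL-encoding damage in the mail rather than the intended `%{SERVER_NAME}`, so confirm the committed file has the literal braces; and the `Options SymLinksIfOwnerMatch` lines replacing `Options None` are there because per-directory RewriteEngine refuses to run without FollowSymLinks or SymLinksIfOwnerMatch, which deserves a comment so nobody "hardens" it back to `Options None`.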
Hi Peter,
I did the following:
Stopped Apache on my testmachine (192.168.100.251), patched files, started apache, accesses made with FF 55.0.3.
1. Accessing "http://192.168.100.251:444":
"Bad Request
Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache Server at ipfiretest.localdomain Port 444"
2. Accessing "https://192.168.100.251:444"
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
3. Browser-Restart, reopening page, same result as 2., "Authentication Required..."
4. Accessing "http://192.168.100.251:81":
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
5. Accessing "https://192.168.100.251:81":
"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"
Anything else I could do?
Best, Matthias
On 24.09.2017 09:06, Peter Müller wrote:
Force the usage of SSL when accessing protected locations.
Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status.
All authentication directives on port 81 are disabled to prevent data leakage.
Signed-off-by: Peter Müller peter.mueller@link38.eu
Hello Matthias,
thanks for testing. Please see my comments below...
Hi Peter,
I did the following:
Stopped Apache on my testmachine (192.168.100.251), patched files, started apache, accesses made with FF 55.0.3.
- Accessing "http://192.168.100.251:444":
"Bad Request
Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache Server at ipfiretest.localdomain Port 444"
That is normal and also appears without my patch.
- Accessing "https://192.168.100.251:444"
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
This is normal, too.
- Browser restart, reopening page, same result as 2., "Authentication Required..."
OK.
- Accessing "http://192.168.100.251:81":
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
Yep, here is the change: The browser is being redirected to the secure version.
- Accessing "https://192.168.100.251:81":
"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"
This is because there is no SSL engine running on port 81. Apache returns a "Bad Request" answer, which is surprisingly not understood by the browser.
Anything else I could do?
Not directly.
It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi" (perhaps in a school's network) could test this patch too, since these CGIs are not accessible via plaintext anymore.
Both are not working here. "webaccess.cgi" redirects to SSL itself and says "disabled by administrator", while "chpasswd.cgi" just returns a 500 "Internal Server Error". Interesting.
But since that is a special use case, I assume the patch works fine.
Best regards and thanks again, Peter Müller
Best, Matthias
On 24.09.2017 09:06, Peter Müller wrote:
Force the usage of SSL when accessing protected locations.
Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status.
All authentication directives on port 81 are disabled to prevent data leakage.
Signed-off-by: Peter Müller peter.mueller@link38.eu
Hi all, first of all thanks for this great update and your work on this. Have installed Core 114 from testing tree and i wanted to deliver you also some feedback.
- After the update the WUI was not reachable and showed a 503; do not panic ;-) this happened because of some of my vhost configurations in which the old directives 'Order', 'Allow', 'Deny', 'Satisfy' had been set. Apache's error_log did not show any problems, because after the update, and also after a reboot, Apache had not been started again. Using the initscript, the problem shows up as:
-> /etc/init.d/apache restart Restarting Apache daemon... AH00526: Syntax error on line 17 of /etc/httpd/conf/vhosts.d/nfsen.conf: Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configu[ FAIL ]
Since 'mod_access_compat' is not provided (which is a good thing), the access control does not accept the old directives. The fix was not that complicated: instead of using e.g.
Order deny,allow
Deny from all
now
Require all denied
needs to be used. I am currently not sure whether IPFire ships vhost configurations that might have problems with this; the Cacti vhost configuration seems to work, even though its login appears only over HTTP, and there are a lot of PHP warnings, but I think that is out of scope here.
It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi" (perhaps in a school's network) could test this patch too, since these CGIs are not accessible via plaintext anymore.
Both are not working here. "webaccess.cgi" redirects to SSL itself and
I have tested webaccess.cgi and it works fine here, but I think my version differs from the default one. I use this version --> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=8fd29195b... I pushed it quite a while ago, but I think it may have been forgotten?
says "disabled by administrator", while "chpasswd.cgi" just returns a 500 "Internal Server Error". Interesting.
chpasswd.cgi appears here, but if I change the password and enter 'admin' as the current user I get "Fehler: Benutzername existiert nicht" ("Error: user name does not exist"). I have not yet found any log messages that point to the cause of this problem.
Some small feedback from here.
Greetings,
Erik
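Erik's breakage (an add-on vhost still using `Order`/`Allow`/`Deny` after the move to Apache 2.4 without mod_access_compat) is mechanical enough to script. The following is an added example written for this page, not a tool shipped by IPFire or Apache: it rewrites the 2.2 host-access stanzas of a vhost file into 2.4 `Require` lines, and deliberately refuses (emitting a commented REVIEW marker) on anything that has no one-to-one mapping, such as `Satisfy`, `env=` rules, or explicit Allow and Deny lists under `Order deny,allow`, because guessing there produces an access-control bug that httpd will happily start with. The sample vhost is constructed for the example; the directory names are placeholders.

```python
"""Translate Apache 2.2 host-access stanzas (Order/Allow/Deny) into the 2.4
`Require` syntax that httpd accepts once mod_access_compat is gone.
Hypothetical helper written for this thread; not part of IPFire or Apache."""
import re

# Constructed sample in the shape of the add-on vhosts discussed in the thread.
SAMPLE_VHOST = """\
<Directory /srv/web/nfsen>
    Order deny,allow
    Deny from all
    Allow from 192.168.100.0/24 127.0.0.1
</Directory>
<Directory /srv/web/weird>
    Order allow,deny
    Allow from 10.0.0.0/8
    Deny from 10.1.2.3
</Directory>
"""

ACCESS_RE = re.compile(r"(\s*)(Order|Allow|Deny|Satisfy)\s+(?:from\s+)?(.*?)\s*$", re.I)

def _req(host, negate=False):
    """One Require line: IPs/CIDRs use the ip provider, names the host provider."""
    kind = "ip" if re.fullmatch(r"[\d.]+(/\d+)?", host) or ":" in host else "host"
    return f"Require {'not ' if negate else ''}{kind} {host}"

def _allowed_minus(allow, deny, indent):
    """Grant `allow` (or everyone) but carve out `deny`; Require not needs RequireAll."""
    lines = [indent + "<RequireAll>"]
    if allow == ["all"]:
        lines.append(indent + "    Require all granted")
    else:
        lines.append(indent + "    <RequireAny>")
        lines += [indent + "        " + _req(h) for h in allow]
        lines.append(indent + "    </RequireAny>")
    lines += [indent + "    " + _req(h, negate=True) for h in deny]
    lines.append(indent + "</RequireAll>")
    return lines

def _require_lines(order, allow, deny, satisfy, indent, original):
    review = [indent + "# REVIEW: not translated automatically, original was:"]
    review += [indent + "# " + l.strip() for l in original if ACCESS_RE.match(l)]
    order = order or "deny,allow"          # Apache 2.2 default when Order is absent
    bad_all = any("all" in l and l != ["all"] for l in (allow, deny))
    if satisfy or order not in ("deny,allow", "allow,deny") or bad_all \
            or any(h.startswith("env=") for h in allow + deny):
        return review                      # no safe one-to-one mapping: leave it to a human
    allow_all, deny_all = allow == ["all"], deny == ["all"]
    if order == "deny,allow":              # default allow; Deny first, Allow overrides
        if not deny or allow_all:
            return [indent + "Require all granted"]
        if deny_all and not allow:
            return [indent + "Require all denied"]
        if deny_all:
            return [indent + _req(h) for h in allow]
        if not allow:
            return _allowed_minus(["all"], deny, indent)
        return review                      # explicit Allow and Deny lists: needs a human
    if not allow or deny_all:              # allow,deny: default deny; Deny overrides
        return [indent + "Require all denied"]
    if not deny:
        return [indent + "Require all granted"] if allow_all else [indent + _req(h) for h in allow]
    return _allowed_minus(allow, deny, indent)

def translate_block(lines):
    """Translate the access directives of one section; every other line is kept."""
    lists = {"allow": [], "deny": []}
    order = satisfy = None
    kept, indent = [], ""
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            kept.append(line)
            continue
        indent = indent or m.group(1)
        key, val = m.group(2).lower(), m.group(3)
        if key in lists:
            lists[key] += val.split()
        elif key == "order":
            order = val.replace(" ", "").lower()
        else:
            satisfy = val.lower()
    if order is None and satisfy is None and not (lists["allow"] or lists["deny"]):
        return kept
    return kept + _require_lines(order, lists["allow"], lists["deny"], satisfy, indent, lines)

def translate_config(text):
    """Walk a vhost file and translate the body of each <Directory>/<Location>/... section."""
    out, block = [], []
    for line in text.splitlines():
        if re.match(r"\s*</?[A-Za-z]", line):   # section open or close tag
            out += translate_block(block)
            block = []
            out.append(line)
        else:
            block.append(line)
    out += translate_block(block)
    return "\n".join(out) + "\n"
```

Run it over a copy of the vhost, then `apachectl -t` (or the initscript restart Erik used) on the result; every REVIEW marker is a section that still needs a decision, and httpd will refuse to start until those comments are replaced, which is the intended failure mode.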
Hi,
On Sun, 2017-09-24 at 18:55 +0200, ummeegge wrote:
Hi all, first of all thanks for this great update and your work on this. Have installed Core 114 from testing tree and i wanted to deliver you also some feedback.
- After the update the WUI was not reachable and showed a 503; do not panic ;-) this happened because of some of my vhost configurations in which the old directives 'Order', 'Allow', 'Deny', 'Satisfy' had been set. Apache's error_log did not show any problems, because after the update, and also after a reboot, Apache had not been started again. Using the initscript, the problem shows up as:
yes, this is a problem that we need to point out in the change log.
Since we are updating to Apache 2.4, we had to update all configuration files. We also did that for all add-ons that we support. But we cannot update anything else.
So what the updater does is the following:
1) Remove all add-on configuration files (that we support) in the vhosts directory.
2) Stop apache
3) Install the update
4) Restart apache but without any add-ons
5) After the core update is finished, all add-on configuration files will be reinstalled.
If the user has installed some other vhosts, apache won't restart at 4) and they are on their own.
-> /etc/init.d/apache restart Restarting Apache daemon... AH00526: Syntax error on line 17 of /etc/httpd/conf/vhosts.d/nfsen.conf: Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configu[ FAIL ]
Since 'mod_access_compat' is not provided (which is a good thing), the access control does not accept the old directives. The fix was not that complicated: instead of using e.g.
Order deny,allow
Deny from all
now
Require all denied
needs to be used. I am currently not sure whether IPFire ships vhost configurations that might have problems with this; the Cacti vhost configuration seems to work, even though its login appears only over HTTP, and there are a lot of PHP warnings, but I think that is out of scope here.
It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi" (perhaps in a school's network) could test this patch too, since these CGIs are not accessible via plaintext anymore.
Both are not working here. "webaccess.cgi" redirects to SSL itself and
I have tested webaccess.cgi and it works fine here, but I think my version differs from the default one. I use this version --> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=8fd29195bc9a7dabfab6ef4e3251cb449b7628de I pushed it quite a while ago, but I think it may have been forgotten?
says "disabled by administrator", while "chpasswd.cgi" just returns a 500 "Internal Server Error". Interesting.
chpasswd.cgi appears here, but if I change the password and enter 'admin' as the current user I get "Fehler: Benutzername existiert nicht" ("Error: user name does not exist"). I have not yet found any log messages that point to the cause of this problem.
Some small feedback from here.
Greetings,
Erik
Hi,
good testing guys.
I think the patch looks fine, but while we are at it, we should also clean up the vhost configuration files. They are messy. Really, really messy.
There are sections for the dial user, which never existed in IPFire. There are also directory directives for the dial user. These can all be removed, I think.
I have no idea what is using that access to the graphs directories. I think that can also be removed.
Then we have multiple CGI files that redirect to SSL themselves. I think we can let Apache do that, if that isn't even caught automatically by redirecting everything that isn't the update cache or proxy.pac to SSL.
Anyone wants to work on this?
-Michael
On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
Hello Matthias,
thanks for testing. Please see my comments below...
Hi Peter,
I did the following:
Stopped Apache on my testmachine (192.168.100.251), patched files, started apache, accesses made with FF 55.0.3.
- Accessing "http://192.168.100.251:444":
"Bad Request
Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache Server at ipfiretest.localdomain Port 444"
That is normal and also appears without my patch.
- Accessing "https://192.168.100.251:444"
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
This is normal, too.
- Browser restart, reopening page, same result as 2., "Authentication Required..."
OK.
- Accessing "http://192.168.100.251:81":
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
Yep, here is the change: The browser is being redirected to the secure version.
- Accessing "https://192.168.100.251:81":
"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"
This is because there is no SSL engine running on port 81. Apache returns a "Bad Request" answer, which is surprisingly not understood by the browser.
Anything else I could do?
Not directly.
It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi" (perhaps in a school's network) could test this patch too, since these CGIs are not accessible via plaintext anymore.
Both are not working here. "webaccess.cgi" redirects to SSL itself and says "disabled by administrator", while "chpasswd.cgi" just returns a 500 "Internal Server Error". Interesting.
But since that is a special use case, I assume the patch works fine.
Best regards and thanks again, Peter Müller
Best, Matthias
On 24.09.2017 09:06, Peter Müller wrote:
Force the usage of SSL when accessing protected locations.
Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status.
All authentication directives on port 81 are disabled to prevent data leakage.
Signed-off-by: Peter Müller peter.mueller@link38.eu
Hello Michael,
Hi,
good testing guys.
Thanks.
I think the patch looks fine, but while we are at it, we should also clean up the vhost configuration files. They are messy. Really, really messy.
Yes, indeed.
There are sections for the dial user, which never existed in IPFire. There are also directory directives for the dial user. These can all be removed, I think.
I have no idea what is using that access to the graphs directories. I think that can also be removed.
Then we have multiple CGI files that redirect to SSL themselves. I think we can let Apache do that, if that isn't even caught automatically by redirecting everything that isn't the update cache or proxy.pac to SSL.
Anyone wants to work on this?
I can have a look at the vhost config files within this week. The CGIs are perhaps too difficult for me, since I am not familiar with Perl at the moment.
Does this make the patch I sent in obsolete, or should I work on top of it?
Best regards, Peter Müller
-Michael
On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
Hello Matthias,
thanks for testing. Please see my comments below...
Hi Peter,
I did the following:
Stopped Apache on my testmachine (192.168.100.251), patched files, started apache, accesses made with FF 55.0.3.
- Accessing "http://192.168.100.251:444":
"Bad Request
Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache Server at ipfiretest.localdomain Port 444"
That is normal and also appears without my patch.
- Accessing "https://192.168.100.251:444"
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
This is normal, too.
- Browser restart, reopening page, same result as 2., "Authentication Required..."
OK.
- Accessing "http://192.168.100.251:81":
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
Yep, here is the change: The browser is being redirected to the secure version.
- Accessing "https://192.168.100.251:81":
"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"
This is because there is no SSL engine running on port 81. Apache returns a "Bad Request" answer, which is surprisingly not understood by the browser.
Anything else I could do?
Not directly.
It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi" (perhaps in a school's network) could test this patch too, since these CGIs are not accessible via plaintext anymore.
Both are not working here. "webaccess.cgi" redirects to SSL itself and says "disabled by administrator", while "chpasswd.cgi" just returns a 500 "Internal Server Error". Interesting.
But since that is a special use case, I assume the patch works fine.
Best regards and thanks again, Peter Müller
Best, Matthias
On 24.09.2017 09:06, Peter Müller wrote:
Force the usage of SSL when accessing protected locations.
Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status.
All authentication directives on port 81 are disabled to prevent data leakage.
Signed-off-by: Peter Müller peter.mueller@link38.eu
On Sun, 2017-09-24 at 22:15 +0200, Peter Müller wrote:
Hello Michael,
Hi,
good testing guys.
Thanks.
I think the patch looks fine, but while we are at it, we should also clean up the vhost configuration files. They are messy. Really, really messy.
Yes, indeed.
There are sections for the dial user, which never existed in IPFire. There are also directory directives for the dial user. These can all be removed, I think.
I have no idea what is using that access to the graphs directories. I think that can also be removed.
Then we have multiple CGI files that redirect to SSL themselves. I think we can let Apache do that, if that isn't even caught automatically by redirecting everything that isn't the update cache or proxy.pac to SSL.
Anyone wants to work on this?
I can have a look at the vhost config files within this week. The CGIs are perhaps too difficult for me, since I am not familiar with Perl at the moment.
Does this make the patch I sent in obsolete, or should I work on top of it?
Please work on top of it.
I will merge this shortly.
Best, -Michael
Best regards, Peter Müller
-Michael
On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
Hello Matthias,
thanks for testing. Please see my comments below...
Hi Peter,
I did the following:
Stopped Apache on my test machine (192.168.100.251), patched files, started Apache, accesses made with FF 55.0.3.
- Accessing "http://192.168.100.251:444":
"Bad Request
Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache Server at ipfiretest.localdomain Port 444"
That is normal and also appears without my patch.
- Accessing "https://192.168.100.251:444"
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
This is normal, too.
- Browser restart, reopening page, same result as 2., "Authentication Required..."
OK.
- Accessing "http://192.168.100.251:81":
"Authentication Required...https://192.168.100.251:444 is requesting your username and password. The site says: “IPFire - Restricted”" => username / password
Yep, here is the change: The browser is being redirected to the secure version.
- Accessing "https://192.168.100.251:81":
"Secure Connection Failed
An error occurred during a connection to 192.168.100.251:81. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"
This is because there is no SSL engine running on port 81. Apache returns a "Bad Request" answer, which is surprisingly not understood by the browser.
Anything else I could do?
Not directly.
It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi" (perhaps in a school's network) could test this patch too, since these CGIs are not accessible via plaintext anymore.
Both are not working here. "webaccess.cgi" redirects to SSL itself and says "disabled by administrator", while "chpasswd.cgi" just returns a 500 "Internal Server Error". Interesting.
But since that is a special use case, I assume the patch works fine.
Best regards and thanks again, Peter Müller
Best, Matthias
On 24.09.2017 09:06, Peter Müller wrote:
Force the usage of SSL when accessing protected locations.
Queries to the plain text interface on port 81 will be answered with a 301 ("Moved permanently") status.
All authentication directives on port 81 are disabled to prevent data leakage.
Signed-off-by: Peter Müller peter.mueller@link38.eu
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 6f353962e..bec0d580b 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -23,7 +23,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin>
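Review bot: the port-444 vhost is TLS-only, so the `Require ssl` added to this `<RequireAll>` can never fail on its own; the actual exposure is closed by removing the auth directives from port 81 in the second file, and the commit message should say that this block is defence in depth. If the goal is to guarantee TLS for these paths whatever vhost they end up in, mod_ssl's `SSLRequireSSL` (one line per section) does that without touching the authorization logic.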
@@ -32,7 +35,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> <Files chpasswd.cgi> Require all granted </Files>
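Review bot: `<Files chpasswd.cgi>` keeps `Require all granted`, which in Apache 2.4 replaces the directory-level `<RequireAll>` for that file, so chpasswd.cgi remains reachable without a login and without an explicit `Require ssl`; that is only acceptable because this vhost is TLS-only and deserves a comment in the config. Matthias's test report further down says chpasswd.cgi now returns a 500, which should be explained before merging.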
@@ -40,7 +46,10 @@ Require all granted </Files> <Files dial.cgi>
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> </Files>
</Directory> <Directory /srv/web/ipfire/cgi-bin/dial>
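Review bot: the `<Files dial.cgi>` block sits inside `<Directory /srv/web/ipfire/cgi-bin>`, whose new `<RequireAll>` already imposes exactly `Require user admin` plus `Require ssl`, so the three lines added here change nothing; given that the thread states the dial user never existed in IPFire, dropping the `<Files dial.cgi>` section is cleaner than extending it.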
@@ -49,7 +58,10 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user dial admin
<RequireAll>
Require user dial admin
Require ssl
</RequireAll> </Directory> <Files ~ "\.(cgi|shtml?)$"> SSLOptions +StdEnvVars
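Review bot: `Require user dial admin` carries the unused `dial` account into the new `<RequireAll>`; a name that is not in AuthUserFile is harmless today but misleading in an authorization list, and this `<Directory /srv/web/ipfire/cgi-bin/dial>` section is one of those the thread agrees to remove, so either leave it untouched for that cleanup or reduce it to `Require user admin` here.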
@@ -85,6 +97,9 @@ AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users
Require user admin
<RequireAll>
Require user admin
Require ssl
</RequireAll> </Directory>
</VirtualHost> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..a0537b392 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,25 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - <Files dial.cgi> - Require user admin - </Files> + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> <Directory /srv/web/ipfire/cgi-bin/dial> AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>
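The patch above wraps every `Require user` in the SSL vhost in a `<RequireAll>` with `Require ssl` and strips all authentication directives from the port-81 vhost. As an added example (not part of the thread and not IPFire's own code), here is a small Python audit that checks vhost text against exactly that policy, so the plaintext-authentication mistake the patch fixes cannot quietly come back in the later cleanup. The sample configurations are constructed from the directives visible in the patch; the parser assumes one directive per line and no `Include`, which holds for these files.

```python
"""Audit Apache vhost text for HTTP Basic auth that is not tied to TLS.
Added example, not IPFire code; it mirrors the patch's policy: a vhost without
`SSLEngine on` carries no AuthType/AuthUserFile/`Require user`, and in the TLS
vhost every `Require user` sits in a <RequireAll> together with `Require ssl`."""
import re

OPEN_RE = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")   # <Directory /path>, <RequireAll>
CLOSE_RE = re.compile(r"^</(\w+)>$")              # </Directory>
AUTH_DIRECTIVES = {"authtype", "authuserfile"}    # AuthName is only a label


class Section:
    """One <Tag ...> ... </Tag> container: its directives and nested sections."""
    def __init__(self, name, args, parent):
        self.name, self.args, self.parent = name, args, parent
        self.directives, self.children = [], []   # [(directive, argument)], [Section]

    def header(self):
        return f"<{self.name} {self.args}>" if self.args else f"<{self.name}>"


def parse_config(text):
    """Build a Section tree (one directive per line, no Include); ValueError on bad nesting."""
    root = cur = Section("ROOT", "", None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_RE.match(line):
            cur.children.append(Section(m.group(1), m.group(2) or "", cur))
            cur = cur.children[-1]
        elif m := CLOSE_RE.match(line):
            if m.group(1).lower() != cur.name.lower():
                raise ValueError(f"unexpected </{m.group(1)}> inside {cur.header()}")
            cur = cur.parent
        else:
            name, _, value = line.partition(" ")
            cur.directives.append((name, value.strip()))
    if cur is not root:
        raise ValueError(f"unclosed {cur.header()}")
    return root


def audit(text):
    """Return one finding string per violation of the two rules above."""
    findings = []
    for vhost in parse_config(text).children:     # top level = <VirtualHost> blocks
        ssl_on = any(n.lower() == "sslengine" and v.lower() == "on" for n, v in vhost.directives)
        stack = [(vhost, vhost.header())]           # depth-first walk carrying a location path
        while stack:
            sec, where = stack.pop()
            stack.extend((c, f"{where} / {c.header()}") for c in sec.children)
            for name, value in sec.directives:
                user_req = name.lower() == "require" and value.lower().startswith("user ")
                if not ssl_on and (name.lower() in AUTH_DIRECTIVES or user_req):
                    findings.append(f"{where}: '{name} {value}' in a plaintext vhost, "
                                    "credentials would travel unencrypted")
                elif ssl_on and user_req and not (sec.name.lower() == "requireall" and any(
                        n.lower() == "require" and v.lower() == "ssl" for n, v in sec.directives)):
                    findings.append(f"{where}: '{name} {value}' is not inside a "
                                    "<RequireAll> together with 'Require ssl'")
    return findings


# Constructed samples assembled from the directives visible in the patch.
PLAIN_VHOST_BEFORE = """
<VirtualHost *:81>
    <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        Require user admin
    </DirectoryMatch>
</VirtualHost>
"""
PATCHED = """
<VirtualHost *:81>
    <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
        RewriteEngine on
        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
    </DirectoryMatch>
</VirtualHost>
<VirtualHost *:444>
    SSLEngine on
    <Directory /srv/web/ipfire/cgi-bin>
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
        <Files dial.cgi>
            Require user admin
        </Files>
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(audit(PLAIN_VHOST_BEFORE) + audit(PATCHED)))
```

Run as is, it reports three findings for the pre-patch port-81 snippet (AuthType, AuthUserFile and `Require user admin` all sitting in a vhost without `SSLEngine on`) and one for the `<Files dial.cgi>` block, whose bare `Require user admin` is the kind of leftover Michael's cleanup proposal would remove. Note that `Require ssl` inside a vhost that already has `SSLEngine on` is belt and braces, so the second rule is a consistency check on the config, not proof that the port is encrypted; the first rule is the one that catches credentials being accepted over plain HTTP.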
Hi,
On 24.09.2017 22:15, Peter Müller wrote:
I have no idea what is using that access to the graphs directories. I think that can also be removed.
For the records:
As far as I know, '/srv/web/ipfire/html/(graphs|sgraph)' are used by 'vnstat' and the old squid-proxy-Graphs, which I rebuilt some time ago.
See: http://git.ipfire.org/?p=people/mfischer/ipfire-2.x.git;a=commit;h=9785e2fd6...
This addon was once used by IPCop... ;-) [I found by chance that the corresponding translation-strings still existed in IPFire, so I thought "Why not?"]
It would need some polishing, but works without any seen problems here.
Have mercy... ;-)
Best, Matthias
Well, let's bring that back then :)
On Sun, 2017-09-24 at 23:23 +0200, Matthias Fischer wrote:
Hi,
On 24.09.2017 22:15, Peter Müller wrote:
I have no idea what is using that access to the graphs directories. I think that can also be removed.
For the records:
As far as I know, '/srv/web/ipfire/html/(graphs|sgraph)' are used by 'vnstat' and the old squid-proxy-Graphs, which I rebuilt some time ago.
See: http://git.ipfire.org/?p=people/mfischer/ipfire-2.x.git;a=commit;h=9785e2fd6...
This addon was once used by IPCop... ;-) [I found by chance that the corresponding translation-strings still existed in IPFire, so I thought "Why not?"]
It would need some polishing, but works without any seen problems here.
Have mercy... ;-)
Best, Matthias
Tell me again what it can do...
On Sun, 2017-09-24 at 23:33 +0200, Matthias Fischer wrote:
On 24.09.2017 23:25, Michael Tremer wrote:
Well, let's bring that back then
Ok, I'll go for it again.
Best, Matthias
Hi,
Source comes from here: http://squid-graph.sourceforge.net/
"Squid Graph is a free, simple, yet powerful Squid v2 native logfile analysis tool that generates reports with graphical representation of the proxy server's traffic." (see attachment) No more, no less. Simple.
As I wrote, my original patch (19 months ago) needs some polishing, but works without any problems.
Best, Matthias
On 24.09.2017 23:33, Michael Tremer wrote:
Tell me again what it can do...
On Sun, 2017-09-24 at 23:33 +0200, Matthias Fischer wrote:
On 24.09.2017 23:25, Michael Tremer wrote:
Well, let's bring that back then
Ok, I'll go for it again.
Best, Matthias
Hi,
On 24.09.2017 23:33, Michael Tremer wrote:
Tell me again what it can do...
On Sun, 2017-09-24 at 23:33 +0200, Matthias Fischer wrote:
On 24.09.2017 23:25, Michael Tremer wrote:
Well, let's bring that back then
...
As you can see here...:
https://sourceforge.net/projects/squid-graph/
...it just builds a "graphical representation of the proxy server's [http]traffic". Enough for a quick view.
I built a "V2" - the old commit had some silly errors - I hope it is better now. Test installation was OK. http://patchwork.ipfire.org/patch/1430/
Best, Matthias
Hello,
okay, I assume we still need the "/srv/web/ipfire/html/(graphs|sgraph)" then?
Best regards, Peter Müller
Hi,
On 24.09.2017 22:15, Peter Müller wrote:
I have no idea what is using that access to the graphs directories. I think that can also be removed.
For the records:
As far as I know, '/srv/web/ipfire/html/(graphs|sgraph)' are used by 'vnstat' and the old squid-proxy-Graphs, which I rebuilt some time ago.
See: http://git.ipfire.org/?p=people/mfischer/ipfire-2.x.git;a=commit;h=9785e2fd6...
This addon was once used by IPCop... ;-) [I found by chance that the corresponding translation-strings still existed in IPFire, so I thought "Why not?"]
It would need some polishing, but works without any seen problems here.
Have mercy... ;-)
Best, Matthias