force transport encryption for WebUI logins

Message ID 20170908191953.7531e069.peter.mueller@link38.eu
State New
Headers show
Series
  • force transport encryption for WebUI logins
Related show

Commit Message

Peter Müller Sept. 8, 2017, 5:19 p.m.
Force SSL/TLS for any WebUI directory which requires an authentication.
This prevents credentials from being transmitted in plaintext, which is
an information leak.

Scenario: A MITM attacker might block all encrypted traffic to the
firewall's web interface, making the administrator using an unencrypted
connection (i.e. via port 81). Username and password can be easily
logged in transit then.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---

Patch

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index 6f353962e..5ceaa1f32 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -24,6 +26,7 @@ 
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin
+        Require ssl
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
@@ -33,6 +36,7 @@ 
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin
+        Require ssl
         <Files chpasswd.cgi>
             Require all granted
         </Files>
@@ -50,6 +54,7 @@ 
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user dial admin
+        Require ssl
     </Directory>
     <Files ~ "\.(cgi|shtml?)$">
 	SSLOptions +StdEnvVars
@@ -86,5 +91,6 @@ 
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin
+        Require ssl
     </Directory>
 </VirtualHost>
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 619f90fcc..58d1b54cd 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -16,6 +16,7 @@ 
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin
+        Require ssl
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
@@ -25,6 +26,7 @@ 
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin
+        Require ssl
          <Files chpasswd.cgi>
             Require all granted
         </Files>
@@ -42,6 +44,7 @@ 
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user dial admin
+        Require ssl
     </Directory>
     Alias /updatecache/ /var/updatecache/
 	<Directory /var/updatecache>