[v2] force transport encryption for WebUI logins

Message ID 20170924090625.48d4eea2.peter.mueller@link38.eu
State Superseded
Series [v2] force transport encryption for WebUI logins |

Commit Message

Peter Müller Sept. 24, 2017, 5:06 p.m. UTC
  Force the usage of SSL when accessing protected locations.

Queries to the plain text interface on port 81 will be answered
with a 301 ("Moved permanently") status.

All authentication directives on port 81 are disabled to prevent
data leakage.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
  

Comments

Matthias Fischer Sept. 24, 2017, 7:28 p.m. UTC | #1
Hi Peter,

I did the following:

Stopped Apache on my testmachine (192.168.100.251), patched files,
started apache, accesses made with FF 55.0.3.

1. Accessing "http://192.168.100.251:444":

"Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache Server at ipfiretest.localdomain Port 444"

2. Accessing "https://192.168.100.251:444"

"Authentication Required...https://192.168.100.251:444 is requesting
your username and password. The site says: “IPFire - Restricted”"
=> username / password

3. Browser-Restart, reopening page, same result as 2., "Authentication
Required..."

4. Accessing "http://192.168.100.251:81":

"Authentication Required...https://192.168.100.251:444 is requesting
your username and password. The site says: “IPFire - Restricted”"
=> username / password

5. Accessing "https://192.168.100.251:81":

"Secure Connection Failed

An error occurred during a connection to 192.168.100.251:81. SSL
received a record that exceeded the maximum permissible length. Error
code: SSL_ERROR_RX_RECORD_TOO_LONG"

Anything else I could do?

Best,
Matthias

On 24.09.2017 09:06, Peter Müller wrote:
> Force the usage of SSL when accessing protected locations.
> 
> Queries to the plain text interface on port 81 will be answered
> with a 301 ("Moved permanently") status.
> 
> All authentication directives on port 81 are disabled to prevent
> data leakage.
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index 6f353962e..bec0d580b 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -23,7 +23,10 @@
>          AuthName "IPFire - Restricted"
>          AuthType Basic
>          AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +	<RequireAll>
> +		Require user admin
> +		Require ssl
> +	</RequireAll>
>      </DirectoryMatch>
>      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
>      <Directory /srv/web/ipfire/cgi-bin>
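Review bot: The new `<RequireAll>` block is indented with tabs while the neighbouring `AuthName`, `AuthType` and `AuthUserFile` lines use spaces, so the file now mixes both styles; the same applies to the `<RequireAll>` blocks in the other four hunks of this file. `Require ssl` is redundant if this vhost only listens on the TLS port 444 and its purpose is not stated, so a comment such as `# Require ssl: defence in depth should this vhost ever be bound to a plaintext listener` would keep it from being dropped as dead configuration later. `Require ssl` is provided by mod_ssl, so the vhost will fail to start if that module is not loaded, which is presumably always the case for the SSL vhost but worth a line in the commit message. The copies of these hunks quoted in the later replies are the same change.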
> @@ -32,7 +35,10 @@
>          AuthName "IPFire - Restricted"
>          AuthType Basic
>          AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +	<RequireAll>
> +		Require user admin
> +		Require ssl
> +	</RequireAll>
>          <Files chpasswd.cgi>
>              Require all granted
>          </Files>
> @@ -40,7 +46,10 @@
>              Require all granted
>          </Files>
>          <Files dial.cgi>
> -            Require user admin
> +		<RequireAll>
> +			Require user admin
> +			Require ssl
> +		</RequireAll>
>          </Files>
>      </Directory>
>      <Directory /srv/web/ipfire/cgi-bin/dial>
> @@ -49,7 +58,10 @@
>          AuthName "IPFire - Restricted"
>          AuthType Basic
>          AuthUserFile /var/ipfire/auth/users
> -        Require user dial admin
> +	<RequireAll>
> +		Require user dial admin
> +		Require ssl
> +	</RequireAll>
>      </Directory>
>      <Files ~ "\.(cgi|shtml?)$">
>  	SSLOptions +StdEnvVars
> @@ -85,6 +97,9 @@
>          AuthName "IPFire - Restricted"
>          AuthType Basic
>          AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +	<RequireAll>
> +		Require user admin
> +		Require ssl
> +	</RequireAll>
>      </Directory>
>  </VirtualHost>
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> index 619f90fcc..a0537b392 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -12,36 +12,25 @@
>          Require all granted
>      </Directory>
>      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +		Options SymLinksIfOwnerMatch
> +		RewriteEngine on
> +		RewriteCond %{HTTPS} off
> +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>      </DirectoryMatch>
>      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
>      <Directory /srv/web/ipfire/cgi-bin>
>          AllowOverride None
> -        Options None
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> -         <Files chpasswd.cgi>
> -            Require all granted
> -        </Files>
> -        <Files webaccess.cgi>
> -            Require all granted
> -        </Files>
> -        <Files dial.cgi>
> -            Require user admin
> -        </Files>
> +		Options SymLinksIfOwnerMatch
> +		RewriteEngine on
> +		RewriteCond %{HTTPS} off
> +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>      </Directory>
>      <Directory /srv/web/ipfire/cgi-bin/dial>
>          AllowOverride None
> -        Options None
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user dial admin
> +		Options SymLinksIfOwnerMatch
> +		RewriteEngine on
> +		RewriteCond %{HTTPS} off
> +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>      </Directory>
>      Alias /updatecache/ /var/updatecache/
>  	<Directory /var/updatecache>
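Review bot: In all three rewritten sections the redirect target `https://%{SERVER_NAME}:444/$1` is built from `$1`, but in `<Directory>` and `<DirectoryMatch>` context mod_rewrite matches the pattern against the path with the directory prefix removed, so a request for `/cgi-bin/index.cgi` would, if I read the per-directory semantics correctly, be sent to `https://host:444/index.cgi` rather than `/cgi-bin/index.cgi`; `RewriteRule .* https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]` preserves the original request path in each of the three places. `%{SERVER_NAME}` is derived from the client-supplied Host header unless `UseCanonicalName On` is set, so the vhost should pin the redirect to its configured `ServerName` (set `UseCanonicalName On` here) rather than echo whatever host name the request carried. `RewriteCond %{HTTPS} off` is always true in this plaintext-only vhost and could be dropped, and the switch from `Options None` to `Options SymLinksIfOwnerMatch` deserves a comment such as `# SymLinksIfOwnerMatch is needed for mod_rewrite in per-directory context` so it is not read as a loosening of the options. This hunk is re-quoted verbatim in the later replies; the note applies to those copies too.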
>
  
Peter Müller Sept. 24, 2017, 9:04 p.m. UTC | #2
Hello Matthias,

thanks for testing. Please see my comments below...

> Hi Peter,
> 
> I did the following:
> 
> Stopped Apache on my testmachine (192.168.100.251), patched files,
> started apache, accesses made with FF 55.0.3.
> 
> 1. Accessing "http://192.168.100.251:444":
> 
> "Bad Request
> 
> Your browser sent a request that this server could not understand.
> Reason: You're speaking plain HTTP to an SSL-enabled server port.
> Instead use the HTTPS scheme to access this URL, please.
> Apache Server at ipfiretest.localdomain Port 444"
That is normal and also appears without my patch.
> 
> 2. Accessing "https://192.168.100.251:444"
> 
> "Authentication Required...https://192.168.100.251:444 is requesting
> your username and password. The site says: “IPFire - Restricted”"
> => username / password  
This is normal, too.
> 
> 3. Browser-Restart, reopening page, same result as 2., "Authentication
> Required..."
OK.
> 
> 4. Accessing "http://192.168.100.251:81":
> 
> "Authentication Required...https://192.168.100.251:444 is requesting
> your username and password. The site says: “IPFire - Restricted”"
> => username / password  
Yep, here is the change: The browser is being redirected to the secure
version.
> 
> 5. Accessing "https://192.168.100.251:81":
> 
> "Secure Connection Failed
> 
> An error occurred during a connection to 192.168.100.251:81. SSL
> received a record that exceeded the maximum permissible length. Error
> code: SSL_ERROR_RX_RECORD_TOO_LONG"
This is because there is no SSL engine running on port 81. Apache
returns a "Bad Request" answer, which is surprisingly not understood
by the browser.
> 
> Any anything else I could do?
Not directly.

It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
(perhaps in a school's network) could test this patch too, since these
CGIs are not accessible via plaintext anymore.

Both are not working here. "webaccess.cgi" redirects to SSL itself and
says "disabled by administrator", while "chpasswd.cgi" just returns
a 500 "Internal Server Error". Interesting.

But since that is a special use case, I assume the patch works fine.

Best regards and thanks again,
Peter Müller
> 
> Best,
> Matthias
> 
> On 24.09.2017 09:06, Peter Müller wrote:
> > Force the usage of SSL when accessing protected locations.
> > 
> > Queries to the plain text interface on port 81 will be answered
> > with a 301 ("Moved permanently") status.
> > 
> > All authentication directives on port 81 are disabled to prevent
> > data leakage.
> > 
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > index 6f353962e..bec0d580b 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > @@ -23,7 +23,10 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	<RequireAll>
> > +		Require user admin
> > +		Require ssl
> > +	</RequireAll>
> >      </DirectoryMatch>
> >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> >      <Directory /srv/web/ipfire/cgi-bin>
> > @@ -32,7 +35,10 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	<RequireAll>
> > +		Require user admin
> > +		Require ssl
> > +	</RequireAll>
> >          <Files chpasswd.cgi>
> >              Require all granted
> >          </Files>
> > @@ -40,7 +46,10 @@
> >              Require all granted
> >          </Files>
> >          <Files dial.cgi>
> > -            Require user admin
> > +		<RequireAll>
> > +			Require user admin
> > +			Require ssl
> > +		</RequireAll>
> >          </Files>
> >      </Directory>
> >      <Directory /srv/web/ipfire/cgi-bin/dial>
> > @@ -49,7 +58,10 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user dial admin
> > +	<RequireAll>
> > +		Require user dial admin
> > +		Require ssl
> > +	</RequireAll>
> >      </Directory>
> >      <Files ~ "\.(cgi|shtml?)$">
> >  	SSLOptions +StdEnvVars
> > @@ -85,6 +97,9 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	<RequireAll>
> > +		Require user admin
> > +		Require ssl
> > +	</RequireAll>
> >      </Directory>
> >  </VirtualHost>
> > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> > index 619f90fcc..a0537b392 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > @@ -12,36 +12,25 @@
> >          Require all granted
> >      </Directory>
> >      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +		Options SymLinksIfOwnerMatch
> > +		RewriteEngine on
> > +		RewriteCond %{HTTPS} off
> > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </DirectoryMatch>
> >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> >      <Directory /srv/web/ipfire/cgi-bin>
> >          AllowOverride None
> > -        Options None
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > -         <Files chpasswd.cgi>
> > -            Require all granted
> > -        </Files>
> > -        <Files webaccess.cgi>
> > -            Require all granted
> > -        </Files>
> > -        <Files dial.cgi>
> > -            Require user admin
> > -        </Files>
> > +		Options SymLinksIfOwnerMatch
> > +		RewriteEngine on
> > +		RewriteCond %{HTTPS} off
> > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </Directory>
> >      <Directory /srv/web/ipfire/cgi-bin/dial>
> >          AllowOverride None
> > -        Options None
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user dial admin
> > +		Options SymLinksIfOwnerMatch
> > +		RewriteEngine on
> > +		RewriteCond %{HTTPS} off
> > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </Directory>
> >      Alias /updatecache/ /var/updatecache/
> >  	<Directory /var/updatecache>
> >   
>
  
ummeegge Sept. 25, 2017, 2:55 a.m. UTC | #3
Hi all,
first of all thanks for this great update and your work on this. Have installed Core 114 from testing tree and i wanted to deliver you also some feedback.

- After the update the WUI was not reachable and showed a 503 — do not panic ;-) — this happened because of some of my vhost configurations where the old directives 'Order', 'Allow', 'Deny', 'Satisfy' had been set. Apache's error_log did not show the problem, because after the update (and also after a reboot) Apache was not started again. Using the initscript, the problem shows up as:

-> /etc/init.d/apache restart
Restarting Apache daemon...
AH00526: Syntax error on line 17 of /etc/httpd/conf/vhosts.d/nfsen.conf:
Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configu[ FAIL ]

Since 'mod_access_compat' is not provided (which is a good thing), the access control do not accept the old directives. The fix was not that complicated, instead of using e.g.

Order deny,allow
Deny from all

now 

Require all denied

needs to be used. I am currently not sure if IPFire provides vhost configurations which might have problems with this, the Cacti vhost configuration seems to work even the login appears only in HTTP also there are a lot of PHP warnings but i think this is out of the scope in here.


> It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> (perhaps in a school's network) could test this patch too, since these
> CGIs are not accessible via plaintext anymore.
> 
> Both are not working here. "webaccess.cgi" redirects to SSL itself and

Have tested webaccess.cgi and it works here fine but i think my version differs to the default one. I use this version--> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=8fd29195bc9a7dabfab6ef4e3251cb449b7628de have pushed it longer time ago but i think it may be forgotten? 

> says "disabled by administrator", while "chpasswd.cgi" just returns
> a 500 "Internal Server Error". Interesting.

chpasswd.cgi appears here but if i change the PWD and add 'admin' as current user i get an "Fehler: Benutzername existiert nicht" have currently not found log messages which points out anything of this problem.

Some even small feedback from here.

Greetings,

Erik
  
Michael Tremer Sept. 25, 2017, 4:49 a.m. UTC | #4
Hi,

On Sun, 2017-09-24 at 18:55 +0200, ummeegge wrote:
> Hi all,
> first of all thanks for this great update and your work on this. Have
> installed Core 114 from testing tree and i wanted to deliver you also some
> feedback.
> 
> - After the update the WUI was not reachable and shows an 503, do not panic ;-
> ) this has happened cause of some of my vhost configurations where the old
> directives 'Order', 'Allow', 'Deny, 'Satisfy' has been set. Apaches error_log
> did not display some problems cause after the update but also after an reboot
> Apache has not been started again. By the usage of the initscript the problem
> occurs with an

yes, this is a problem that we need to point out in the change log.

Since we are updating to Apache 2.4, we had to update all configuration files.
We also did that for all add-ons that we support. But we cannot update anything
else.

So what the updater does is the following:

1) Remove all add-on configuration files (that we support) in the vhosts
directory.

2) Stop apache

3) Install the update

4) Restart apache but without any add-ons

5) After the core update is finished, all add-on configuration files will be
reinstalled.

If the user has installed some other vhosts, apache won't restart at 4) and they
are on their own.

> 
> -> /etc/init.d/apache restart
> Restarting Apache daemon...
> AH00526: Syntax error on line 17 of /etc/httpd/conf/vhosts.d/nfsen.conf:
> Invalid command 'Order', perhaps misspelled or defined by a module not
> included in the server configu[ FAIL ]
> 
> Since 'mod_access_compat' is not provided (which is a good thing), the access
> control do not accept the old directives. The fix was not that complicated,
> instead of using e.g.
> 
> Order deny,allow
> Deny from all
> 
> now 
> 
> Require all denied
> 
> needs to be used. I am currently not sure if IPFire provides vhost
> configurations which might have problems with this, the Cacti vhost
> configuration seems to work even the login appears only in HTTP also there are
> a lot of PHP warnings but i think this is out of the scope in here.
> 
> 
> > It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> > (perhaps in a school's network) could test this patch too, since these
> > CGIs are not accessible via plaintext anymore.
> > 
> > Both are not working here. "webaccess.cgi" redirects to SSL itself and
> 
> Have tested webaccess.cgi and it works here fine but i think my version
> differs to the default one. I use this version--> http://git.ipfire.org/?p=peo
> ple/ummeegge/ipfire-
> 2.x.git;a=commit;h=8fd29195bc9a7dabfab6ef4e3251cb449b7628de have pushed it
> longer time ago but i think it may be forgotten? 
> 
> > says "disabled by administrator", while "chpasswd.cgi" just returns
> > a 500 "Internal Server Error". Interesting.
> 
> chpasswd.cgi appears here but if i change the PWD and add 'admin' as current
> user i get an "Fehler: Benutzername existiert nicht" have currently not found
> log messages which points out anything of this problem.
> 
> Some even small feedback from here.
> 
> Greetings,
> 
> Erik
> 
>
  
Michael Tremer Sept. 25, 2017, 4:56 a.m. UTC | #5
Hi,

good testing guys.

I think the patch looks fine, but I think while we are at it, we should also
clean up the vhost configuration files. They are messy. Really really messy.

There are sections for the dial user, which never existed in IPFire. There are also
directory directives for the dial user. These can all be removed I think.

I have no idea what is using that access to the graphs directories. I think that
can also be removed.

Then we have multiple CGI files that redirect to SSL themselves. I think we can
let Apache do that, if that isn't even caught automatically by redirecting
everything that isn't the update cache or proxy.pac to SSL.

Anyone wants to work on this?

-Michael

On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
> Hello Matthias,
> 
> thanks for testing. Please see my comments below...
> 
> > Hi Peter,
> > 
> > I did the following:
> > 
> > Stopped Apache on my testmachine (192.168.100.251), patched files,
> > started apache, accesses made with FF 55.0.3.
> > 
> > 1. Accessing "http://192.168.100.251:444":
> > 
> > "Bad Request
> > 
> > Your browser sent a request that this server could not understand.
> > Reason: You're speaking plain HTTP to an SSL-enabled server port.
> > Instead use the HTTPS scheme to access this URL, please.
> > Apache Server at ipfiretest.localdomain Port 444"
> 
> That is normal and also appears without my patch.
> > 
> > 2. Accessing "https://192.168.100.251:444"
> > 
> > "Authentication Required...https://192.168.100.251:444 is requesting
> > your username and password. The site says: “IPFire - Restricted”"
> > => username / password  
> 
> This is normal, too.
> > 
> > 3. Browser-Restart, reopening page, same result as 2., "Authentication
> > Required..."
> 
> OK.
> > 
> > 4. Accessing "http://192.168.100.251:81":
> > 
> > "Authentication Required...https://192.168.100.251:444 is requesting
> > your username and password. The site says: “IPFire - Restricted”"
> > => username / password  
> 
> Yep, here is the change: The browser is being redirected to the secure
> version.
> > 
> > 5. Accessing "https://192.168.100.251:81":
> > 
> > "Secure Connection Failed
> > 
> > An error occurred during a connection to 192.168.100.251:81. SSL
> > received a record that exceeded the maximum permissible length. Error
> > code: SSL_ERROR_RX_RECORD_TOO_LONG"
> 
> This is because there is no SSL engine running on port 81. Apache
> returns a "Bad Request" answer, which is surprisingly not understood
> by the browser.
> > 
> > Any anything else I could do?
> 
> Not directly.
> 
> It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> (perhaps in a school's network) could test this patch too, since these
> CGIs are not accessible via plaintext anymore.
> 
> Both are not working here. "webaccess.cgi" redirects to SSL itself and
> says "disabled by administrator", while "chpasswd.cgi" just returns
> a 500 "Internal Server Error". Interesting.
> 
> But since that is a special use case, I assume the patch works fine.
> 
> Best regards and thanks again,
> Peter Müller
> > 
> > Best,
> > Matthias
> > 
> > On 24.09.2017 09:06, Peter Müller wrote:
> > > Force the usage of SSL when accessing protected locations.
> > > 
> > > Queries to the plain text interface on port 81 will be answered
> > > with a 301 ("Moved permanently") status.
> > > 
> > > All authentication directives on port 81 are disabled to prevent
> > > data leakage.
> > > 
> > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > ---
> > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > index 6f353962e..bec0d580b 100644
> > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > @@ -23,7 +23,10 @@
> > >          AuthName "IPFire - Restricted"
> > >          AuthType Basic
> > >          AuthUserFile /var/ipfire/auth/users
> > > -        Require user admin
> > > +	<RequireAll>
> > > +		Require user admin
> > > +		Require ssl
> > > +	</RequireAll>
> > >      </DirectoryMatch>
> > >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > >      <Directory /srv/web/ipfire/cgi-bin>
> > > @@ -32,7 +35,10 @@
> > >          AuthName "IPFire - Restricted"
> > >          AuthType Basic
> > >          AuthUserFile /var/ipfire/auth/users
> > > -        Require user admin
> > > +	<RequireAll>
> > > +		Require user admin
> > > +		Require ssl
> > > +	</RequireAll>
> > >          <Files chpasswd.cgi>
> > >              Require all granted
> > >          </Files>
> > > @@ -40,7 +46,10 @@
> > >              Require all granted
> > >          </Files>
> > >          <Files dial.cgi>
> > > -            Require user admin
> > > +		<RequireAll>
> > > +			Require user admin
> > > +			Require ssl
> > > +		</RequireAll>
> > >          </Files>
> > >      </Directory>
> > >      <Directory /srv/web/ipfire/cgi-bin/dial>
> > > @@ -49,7 +58,10 @@
> > >          AuthName "IPFire - Restricted"
> > >          AuthType Basic
> > >          AuthUserFile /var/ipfire/auth/users
> > > -        Require user dial admin
> > > +	<RequireAll>
> > > +		Require user dial admin
> > > +		Require ssl
> > > +	</RequireAll>
> > >      </Directory>
> > >      <Files ~ "\.(cgi|shtml?)$">
> > >  	SSLOptions +StdEnvVars
> > > @@ -85,6 +97,9 @@
> > >          AuthName "IPFire - Restricted"
> > >          AuthType Basic
> > >          AuthUserFile /var/ipfire/auth/users
> > > -        Require user admin
> > > +	<RequireAll>
> > > +		Require user admin
> > > +		Require ssl
> > > +	</RequireAll>
> > >      </Directory>
> > >  </VirtualHost>
> > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> > > b/config/httpd/vhosts.d/ipfire-interface.conf
> > > index 619f90fcc..a0537b392 100644
> > > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > > @@ -12,36 +12,25 @@
> > >          Require all granted
> > >      </Directory>
> > >      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> > > -        AuthName "IPFire - Restricted"
> > > -        AuthType Basic
> > > -        AuthUserFile /var/ipfire/auth/users
> > > -        Require user admin
> > > +		Options SymLinksIfOwnerMatch
> > > +		RewriteEngine on
> > > +		RewriteCond %{HTTPS} off
> > > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > >      </DirectoryMatch>
> > >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > >      <Directory /srv/web/ipfire/cgi-bin>
> > >          AllowOverride None
> > > -        Options None
> > > -        AuthName "IPFire - Restricted"
> > > -        AuthType Basic
> > > -        AuthUserFile /var/ipfire/auth/users
> > > -        Require user admin
> > > -         <Files chpasswd.cgi>
> > > -            Require all granted
> > > -        </Files>
> > > -        <Files webaccess.cgi>
> > > -            Require all granted
> > > -        </Files>
> > > -        <Files dial.cgi>
> > > -            Require user admin
> > > -        </Files>
> > > +		Options SymLinksIfOwnerMatch
> > > +		RewriteEngine on
> > > +		RewriteCond %{HTTPS} off
> > > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > >      </Directory>
> > >      <Directory /srv/web/ipfire/cgi-bin/dial>
> > >          AllowOverride None
> > > -        Options None
> > > -        AuthName "IPFire - Restricted"
> > > -        AuthType Basic
> > > -        AuthUserFile /var/ipfire/auth/users
> > > -        Require user dial admin
> > > +		Options SymLinksIfOwnerMatch
> > > +		RewriteEngine on
> > > +		RewriteCond %{HTTPS} off
> > > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > >      </Directory>
> > >      Alias /updatecache/ /var/updatecache/
> > >  	<Directory /var/updatecache>
> > >   
> 
>
  
Peter Müller Sept. 25, 2017, 6:15 a.m. UTC | #6
Hello Michael,

> Hi,
> 
> good testing guys.
Thanks.
> 
> I think the patch looks fine, but I think while we are at it, we should also
> clean up the vhost configuration files. They are messy. Really really messy.
Yes, indeed.
> 
> There is sections for the dial user which never existed in IPFire. There is also
> directory directives for the dial user. These can all be removed I think.
> 
> I have no idea what is using that access to the graphs directories. I think that
> can also be removed.
> 
> Then we have multiple CGI files that redirect to SSL themselves. I think we can
> let Apache do that, if that isn't even caught automatically by redirecting
> everything that isn't the update cache or proxy.pac to SSL.
> 
> Anyone wants to work on this?
I can have a look at the vhost config files within this week. The CGIs are perhaps
too difficult for me, since I am not familiar with Perl at the moment.

Does this make the patch sent in obsolete/should I work on top of it?

Best regards,
Peter Müller
> 
> -Michael
> 
> On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
> > Hello Matthias,
> > 
> > thanks for testing. Please see my comments below...
> >   
> > > Hi Peter,
> > > 
> > > I did the following:
> > > 
> > > Stopped Apache on my testmachine (192.168.100.251), patched files,
> > > started apache, accesses made with FF 55.0.3.
> > > 
> > > 1. Accessing "http://192.168.100.251:444":
> > > 
> > > "Bad Request
> > > 
> > > Your browser sent a request that this server could not understand.
> > > Reason: You're speaking plain HTTP to an SSL-enabled server port.
> > > Instead use the HTTPS scheme to access this URL, please.
> > > Apache Server at ipfiretest.localdomain Port 444"  
> > 
> > That is normal and also appears without my patch.  
> > > 
> > > 2. Accessing "https://192.168.100.251:444"
> > > 
> > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > your username and password. The site says: “IPFire - Restricted”"  
> > > => username / password    
> > 
> > This is normal, too.  
> > > 
> > > 3. Browser-Restart, reopening page, same result as 2., "Authentication
> > > Required..."  
> > 
> > OK.  
> > > 
> > > 4. Accessing "http://192.168.100.251:81":
> > > 
> > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > your username and password. The site says: “IPFire - Restricted”"  
> > > => username / password    
> > 
> > Yep, here is the change: The browser is being redirected to the secure
> > version.  
> > > 
> > > 5. Accessing "https://192.168.100.251:81":
> > > 
> > > "Secure Connection Failed
> > > 
> > > An error occurred during a connection to 192.168.100.251:81. SSL
> > > received a record that exceeded the maximum permissible length. Error
> > > code: SSL_ERROR_RX_RECORD_TOO_LONG"  
> > 
> > This is because there is no SSL engine running on port 81. Apache
> > returns a "Bad Request" answer, which is surprisingly not understood
> > by the browser.  
> > > 
> > > Any anything else I could do?  
> > 
> > Not directly.
> > 
> > It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> > (perhaps in a school's network) could test this patch too, since these
> > CGIs are not accessible via plaintext anymore.
> > 
> > Both are not working here. "webaccess.cgi" redirects to SSL itself and
> > says "disabled by administrator", while "chpasswd.cgi" just returns
> > a 500 "Internal Server Error". Interesting.
> > 
> > But since that is a special use case, I assume the patch works fine.
> > 
> > Best regards and thanks again,
> > Peter Müller  
> > > 
> > > Best,
> > > Matthias
> > > 
> > > On 24.09.2017 09:06, Peter Müller wrote:  
> > > > Force the usage of SSL when accessing protected locations.
> > > > 
> > > > Queries to the plain text interface on port 81 will be answered
> > > > with a 301 ("Moved permanently") status.
> > > > 
> > > > All authentication directives on port 81 are disabled to prevent
> > > > data leakage.
> > > > 
> > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > > ---
> > > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > index 6f353962e..bec0d580b 100644
> > > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > @@ -23,7 +23,10 @@
> > > >          AuthName "IPFire - Restricted"
> > > >          AuthType Basic
> > > >          AuthUserFile /var/ipfire/auth/users
> > > > -        Require user admin
> > > > +	<RequireAll>
> > > > +		Require user admin
> > > > +		Require ssl
> > > > +	</RequireAll>
> > > >      </DirectoryMatch>
> > > >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > > >      <Directory /srv/web/ipfire/cgi-bin>
> > > > @@ -32,7 +35,10 @@
> > > >          AuthName "IPFire - Restricted"
> > > >          AuthType Basic
> > > >          AuthUserFile /var/ipfire/auth/users
> > > > -        Require user admin
> > > > +	<RequireAll>
> > > > +		Require user admin
> > > > +		Require ssl
> > > > +	</RequireAll>
> > > >          <Files chpasswd.cgi>
> > > >              Require all granted
> > > >          </Files>
> > > > @@ -40,7 +46,10 @@
> > > >              Require all granted
> > > >          </Files>
> > > >          <Files dial.cgi>
> > > > -            Require user admin
> > > > +		<RequireAll>
> > > > +			Require user admin
> > > > +			Require ssl
> > > > +		</RequireAll>
> > > >          </Files>
> > > >      </Directory>
> > > >      <Directory /srv/web/ipfire/cgi-bin/dial>
> > > > @@ -49,7 +58,10 @@
> > > >          AuthName "IPFire - Restricted"
> > > >          AuthType Basic
> > > >          AuthUserFile /var/ipfire/auth/users
> > > > -        Require user dial admin
> > > > +	<RequireAll>
> > > > +		Require user dial admin
> > > > +		Require ssl
> > > > +	</RequireAll>
> > > >      </Directory>
> > > >      <Files ~ "\.(cgi|shtml?)$">
> > > >  	SSLOptions +StdEnvVars
> > > > @@ -85,6 +97,9 @@
> > > >          AuthName "IPFire - Restricted"
> > > >          AuthType Basic
> > > >          AuthUserFile /var/ipfire/auth/users
> > > > -        Require user admin
> > > > +	<RequireAll>
> > > > +		Require user admin
> > > > +		Require ssl
> > > > +	</RequireAll>
> > > >      </Directory>
> > > >  </VirtualHost>
> > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> > > > b/config/httpd/vhosts.d/ipfire-interface.conf
> > > > index 619f90fcc..a0537b392 100644
> > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > > > @@ -12,36 +12,25 @@
> > > >          Require all granted
> > > >      </Directory>
> > > >      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> > > > -        AuthName "IPFire - Restricted"
> > > > -        AuthType Basic
> > > > -        AuthUserFile /var/ipfire/auth/users
> > > > -        Require user admin
> > > > +		Options SymLinksIfOwnerMatch
> > > > +		RewriteEngine on
> > > > +		RewriteCond %{HTTPS} off
> > > > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > > >      </DirectoryMatch>
> > > >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > > >      <Directory /srv/web/ipfire/cgi-bin>
> > > >          AllowOverride None
> > > > -        Options None
> > > > -        AuthName "IPFire - Restricted"
> > > > -        AuthType Basic
> > > > -        AuthUserFile /var/ipfire/auth/users
> > > > -        Require user admin
> > > > -         <Files chpasswd.cgi>
> > > > -            Require all granted
> > > > -        </Files>
> > > > -        <Files webaccess.cgi>
> > > > -            Require all granted
> > > > -        </Files>
> > > > -        <Files dial.cgi>
> > > > -            Require user admin
> > > > -        </Files>
> > > > +		Options SymLinksIfOwnerMatch
> > > > +		RewriteEngine on
> > > > +		RewriteCond %{HTTPS} off
> > > > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > > >      </Directory>
> > > >      <Directory /srv/web/ipfire/cgi-bin/dial>
> > > >          AllowOverride None
> > > > -        Options None
> > > > -        AuthName "IPFire - Restricted"
> > > > -        AuthType Basic
> > > > -        AuthUserFile /var/ipfire/auth/users
> > > > -        Require user dial admin
> > > > +		Options SymLinksIfOwnerMatch
> > > > +		RewriteEngine on
> > > > +		RewriteCond %{HTTPS} off
> > > > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > > >      </Directory>
> > > >      Alias /updatecache/ /var/updatecache/
> > > >  	<Directory /var/updatecache>
> > > >     
> > 
> >
  
Michael Tremer Sept. 25, 2017, 7:23 a.m. UTC | #7
On Sun, 2017-09-24 at 22:15 +0200, Peter Müller wrote:
> Hello Michael,
> 
> > Hi,
> > 
> > good testing guys.
> 
> Thanks.
> > 
> > I think the patch looks fine, but I think while we are at it, we should also
> > clean up the vhost configuration files. They are messy. Really really messy.
> 
> Yes, indeed.
> > 
> > There is sections for the dial user which never existed in IPFire. There is also
> > directory directives for the dial user. These can all be removed I think.
> > 
> > I have no idea what is using that access to the graphs directories. I think that
> > can also be removed.
> > 
> > Then we have multiple CGI files that redirect to SSL themselves. I think we can
> > let Apache do that, if that isn't even caught automatically by redirecting
> > everything that isn't the update cache or proxy.pac to SSL.
> > 
> > Anyone wants to work on this?
> 
> I can have a look at the vhost config files within this week. The CGIs are perhaps
> too difficult for me, since I am not familiar with Perl at the moment.
> 
> Does this make the patch sent in obsolete/should I work on top of it?

Please work on top of it.

I will merge this shortly.

Best,
-Michael

> 
> Best regards,
> Peter Müller
> > 
> > -Michael
> > 
> > On Sun, 2017-09-24 at 13:04 +0200, Peter Müller wrote:
> > > Hello Matthias,
> > > 
> > > thanks for testing. Please see my comments below...
> > >   
> > > > Hi Peter,
> > > > 
> > > > I did the following:
> > > > 
> > > > Stopped Apache on my testmachine (192.168.100.251), patched files,
> > > > started apache, accesses made with FF 55.0.3.
> > > > 
> > > > 1. Accessing "http://192.168.100.251:444":
> > > > 
> > > > "Bad Request
> > > > 
> > > > Your browser sent a request that this server could not understand.
> > > > Reason: You're speaking plain HTTP to an SSL-enabled server port.
> > > > Instead use the HTTPS scheme to access this URL, please.
> > > > Apache Server at ipfiretest.localdomain Port 444"  
> > > 
> > > That is normal and also appears without my patch.  
> > > > 
> > > > 2. Accessing "https://192.168.100.251:444"
> > > > 
> > > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > > your username and password. The site says: “IPFire - Restricted”"  
> > > > => username / password    
> > > 
> > > This is normal, too.  
> > > > 
> > > > 3. Browser-Restart, reopening page, same result as 2., "Authentication
> > > > Required..."  
> > > 
> > > OK.  
> > > > 
> > > > 4. Accessing "http://192.168.100.251:81":
> > > > 
> > > > "Authentication Required...https://192.168.100.251:444 is requesting
> > > > your username and password. The site says: “IPFire - Restricted”"  
> > > > => username / password    
> > > 
> > > Yep, here is the change: The browser is being redirected to the secure
> > > version.  
> > > > 
> > > > 5. Accessing "https://192.168.100.251:81":
> > > > 
> > > > "Secure Connection Failed
> > > > 
> > > > An error occurred during a connection to 192.168.100.251:81. SSL
> > > > received a record that exceeded the maximum permissible length. Error
> > > > code: SSL_ERROR_RX_RECORD_TOO_LONG"  
> > > 
> > > This is because there is no SSL engine running on port 81. Apache
> > > returns a "Bad Request" answer, which is surprisingly not understood
> > > by the browser.  
> > > > 
> > > > Any anything else I could do?  
> > > 
> > > Not directly.
> > > 
> > > It would be nice if anybody who uses "chpasswd.cgi" and "webaccess.cgi"
> > > (perhaps in a school's network) could test this patch too, since these
> > > CGIs are not accessible via plaintext anymore.
> > > 
> > > Both are not working here. "webaccess.cgi" redirects to SSL itself and
> > > says "disabled by administrator", while "chpasswd.cgi" just returns
> > > a 500 "Internal Server Error". Interesting.
> > > 
> > > But since that is a special use case, I assume the patch works fine.
> > > 
> > > Best regards and thanks again,
> > > Peter Müller  
> > > > 
> > > > Best,
> > > > Matthias
> > > > 
> > > > On 24.09.2017 09:06, Peter Müller wrote:  
> > > > > Force the usage of SSL when accessing protected locations.
> > > > > 
> > > > > Queries to the plain text interface on port 81 will be answered
> > > > > with a 301 ("Moved permanently") status.
> > > > > 
> > > > > All authentication directives on port 81 are disabled to prevent
> > > > > data leakage.
> > > > > 
> > > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > > > > ---
> > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > > index 6f353962e..bec0d580b 100644
> > > > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > > > > @@ -23,7 +23,10 @@
> > > > >          AuthName "IPFire - Restricted"
> > > > >          AuthType Basic
> > > > >          AuthUserFile /var/ipfire/auth/users
> > > > > -        Require user admin
> > > > > +	<RequireAll>
> > > > > +		Require user admin
> > > > > +		Require ssl
> > > > > +	</RequireAll>
> > > > >      </DirectoryMatch>
> > > > >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > > > >      <Directory /srv/web/ipfire/cgi-bin>
> > > > > @@ -32,7 +35,10 @@
> > > > >          AuthName "IPFire - Restricted"
> > > > >          AuthType Basic
> > > > >          AuthUserFile /var/ipfire/auth/users
> > > > > -        Require user admin
> > > > > +	<RequireAll>
> > > > > +		Require user admin
> > > > > +		Require ssl
> > > > > +	</RequireAll>
> > > > >          <Files chpasswd.cgi>
> > > > >              Require all granted
> > > > >          </Files>
> > > > > @@ -40,7 +46,10 @@
> > > > >              Require all granted
> > > > >          </Files>
> > > > >          <Files dial.cgi>
> > > > > -            Require user admin
> > > > > +		<RequireAll>
> > > > > +			Require user admin
> > > > > +			Require ssl
> > > > > +		</RequireAll>
> > > > >          </Files>
> > > > >      </Directory>
> > > > >      <Directory /srv/web/ipfire/cgi-bin/dial>
> > > > > @@ -49,7 +58,10 @@
> > > > >          AuthName "IPFire - Restricted"
> > > > >          AuthType Basic
> > > > >          AuthUserFile /var/ipfire/auth/users
> > > > > -        Require user dial admin
> > > > > +	<RequireAll>
> > > > > +		Require user dial admin
> > > > > +		Require ssl
> > > > > +	</RequireAll>
> > > > >      </Directory>
> > > > >      <Files ~ "\.(cgi|shtml?)$">
> > > > >  	SSLOptions +StdEnvVars
> > > > > @@ -85,6 +97,9 @@
> > > > >          AuthName "IPFire - Restricted"
> > > > >          AuthType Basic
> > > > >          AuthUserFile /var/ipfire/auth/users
> > > > > -        Require user admin
> > > > > +	<RequireAll>
> > > > > +		Require user admin
> > > > > +		Require ssl
> > > > > +	</RequireAll>
> > > > >      </Directory>
> > > > >  </VirtualHost>
> > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> > > > > b/config/httpd/vhosts.d/ipfire-interface.conf
> > > > > index 619f90fcc..a0537b392 100644
> > > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > > > > @@ -12,36 +12,25 @@
> > > > >          Require all granted
> > > > >      </Directory>
> > > > >      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> > > > > -        AuthName "IPFire - Restricted"
> > > > > -        AuthType Basic
> > > > > -        AuthUserFile /var/ipfire/auth/users
> > > > > -        Require user admin
> > > > > +		Options SymLinksIfOwnerMatch
> > > > > +		RewriteEngine on
> > > > > +		RewriteCond %{HTTPS} off
> > > > > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > > > >      </DirectoryMatch>
> > > > >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > > > >      <Directory /srv/web/ipfire/cgi-bin>
> > > > >          AllowOverride None
> > > > > -        Options None
> > > > > -        AuthName "IPFire - Restricted"
> > > > > -        AuthType Basic
> > > > > -        AuthUserFile /var/ipfire/auth/users
> > > > > -        Require user admin
> > > > > -         <Files chpasswd.cgi>
> > > > > -            Require all granted
> > > > > -        </Files>
> > > > > -        <Files webaccess.cgi>
> > > > > -            Require all granted
> > > > > -        </Files>
> > > > > -        <Files dial.cgi>
> > > > > -            Require user admin
> > > > > -        </Files>
> > > > > +		Options SymLinksIfOwnerMatch
> > > > > +		RewriteEngine on
> > > > > +		RewriteCond %{HTTPS} off
> > > > > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > > > >      </Directory>
> > > > >      <Directory /srv/web/ipfire/cgi-bin/dial>
> > > > >          AllowOverride None
> > > > > -        Options None
> > > > > -        AuthName "IPFire - Restricted"
> > > > > -        AuthType Basic
> > > > > -        AuthUserFile /var/ipfire/auth/users
> > > > > -        Require user dial admin
> > > > > +		Options SymLinksIfOwnerMatch
> > > > > +		RewriteEngine on
> > > > > +		RewriteCond %{HTTPS} off
> > > > > +		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > > > >      </Directory>
> > > > >      Alias /updatecache/ /var/updatecache/
> > > > >  	<Directory /var/updatecache>
> > > > >     
> > > 
> > >   
> 
>
  
Matthias Fischer Sept. 25, 2017, 7:23 a.m. UTC | #8
Hi,

On 24.09.2017 22:15, Peter Müller wrote:
> I have no idea what is using that access to the graphs directories. I think that
> can also be removed.

For the record:

For what I know, '/srv/web/ipfire/html/(graphs|sgraph)' are used by
'vnstat' and the old squid-proxy-Graphs, which I rebuilt some time ago.

See:
http://git.ipfire.org/?p=people/mfischer/ipfire-2.x.git;a=commit;h=9785e2fd6af6a43d0684c5a27f50f7f3a0160eba

This addon was once used by IPCop... ;-)
[I found by chance that the corresponding translation-strings still
existed in IPFire, so I thought "Why not?"]

It would need some polishing, but works without any seen problems here.

Have mercy... ;-)

Best,
Matthias
  
Michael Tremer Sept. 25, 2017, 7:25 a.m. UTC | #9
Well, let's bring that back then :)

On Sun, 2017-09-24 at 23:23 +0200, Matthias Fischer wrote:
> Hi,
> 
> On 24.09.2017 22:15, Peter Müller wrote:
> > I have no idea what is using that access to the graphs directories. I think that
> > can also be removed.
> 
> For the records:
> 
> For what I know, '/srv/web/ipfire/html/(graphs|sgraph)' are used by
> 'vnstat' and the old squid-proxy-Graphs, which I rebuilt some time ago.
> 
> See:
> http://git.ipfire.org/?p=people/mfischer/ipfire-2.x.git;a=commit;h=9785e2fd6af6a43d0684c5a27f50f7f3a0160eba
> 
> This addon was once used by IPCop... ;-)
> [I found by chance that the corresponding translation-strings still
> existed in IPFire, so I thought "Why not?"]
> 
> It would need some polishing, but works without any seen problems here.
> 
> Have mercy... ;-)
> 
> Best,
> Matthias
  
Matthias Fischer Sept. 25, 2017, 7:33 a.m. UTC | #10
On 24.09.2017 23:25, Michael Tremer wrote:
> Well, let's bring that back then

Ok, I'll go for it again.

Best,
Matthias
  
Michael Tremer Sept. 25, 2017, 7:33 a.m. UTC | #11
Tell me again what it can do...

On Sun, 2017-09-24 at 23:33 +0200, Matthias Fischer wrote:
> On 24.09.2017 23:25, Michael Tremer wrote:
> > Well, let's bring that back then
> 
> Ok, I'll go for it again.
> 
> Best,
> Matthias
>
  
Matthias Fischer Sept. 25, 2017, 8:30 a.m. UTC | #12
Hi,

Source comes from here:
http://squid-graph.sourceforge.net/

"Squid Graph is a free, simple, yet powerful Squid v2 native logfile
analysis tool that generates reports with graphical representation of
the proxy server's traffic." (see attachment)
No more, no less. Simple.

As I wrote, my original patch (19 months ago) needs some polishing, but
works without any problems.

Best,
Matthias

On 24.09.2017 23:33, Michael Tremer wrote:
> Tell me again what it can do...
> 
> On Sun, 2017-09-24 at 23:33 +0200, Matthias Fischer wrote:
>> On 24.09.2017 23:25, Michael Tremer wrote:
>> > Well, let's bring that back then
>> 
>> Ok, I'll go for it again.
>> 
>> Best,
>> Matthias
>> 
>
  
Peter Müller Sept. 26, 2017, 1:50 a.m. UTC | #13
Hello,

okay, I assume we still need the "/srv/web/ipfire/html/(graphs|sgraph)" then?

Best regards,
Peter Müller

> Hi,
> 
> On 24.09.2017 22:15, Peter Müller wrote:
> > I have no idea what is using that access to the graphs directories. I think that
> > can also be removed.  
> 
> For the records:
> 
> For what I know, '/srv/web/ipfire/html/(graphs|sgraph)' are used by
> 'vnstat' and the old squid-proxy-Graphs, which I rebuilt some time ago.
> 
> See:
> http://git.ipfire.org/?p=people/mfischer/ipfire-2.x.git;a=commit;h=9785e2fd6af6a43d0684c5a27f50f7f3a0160eba
> 
> This addon was once used by IPCop... ;-)
> [I found by chance that the corresponding translation-strings still
> existed in IPFire, so I thought "Why not?"]
> 
> It would need some polishing, but works without any seen problems here.
> 
> Have mercy... ;-)
> 
> Best,
> Matthias
  
Matthias Fischer Sept. 26, 2017, 3:08 a.m. UTC | #14
Hi,

On 25.09.2017 17:50, Peter Müller wrote:
> okay, I assume we still need the "/srv/web/ipfire/html/(graphs|sgraph)" then?

Yes. ;-)

Best,
Matthias
  
Matthias Fischer Sept. 29, 2017, 5 p.m. UTC | #15
Hi,

On 24.09.2017 23:33, Michael Tremer wrote:
> Tell me again what it can do...
> 
> On Sun, 2017-09-24 at 23:33 +0200, Matthias Fischer wrote:
>> On 24.09.2017 23:25, Michael Tremer wrote:
>> > Well, let's bring that back then
>> ...

As you can see here...:

https://sourceforge.net/projects/squid-graph/

...it just builds a "graphical representation of the proxy server's
[http]traffic". Enough for a quick view.

I built a "V2" - the old commit had some silly errors - I hope it is
better now. Test installation was OK.
http://patchwork.ipfire.org/patch/1430/

Best,
Matthias
  

Patch

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index 6f353962e..bec0d580b 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -23,7 +23,10 @@ 
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	<RequireAll>
+		Require user admin
+		Require ssl
+	</RequireAll>
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
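Review bot: The added `<RequireAll>` lines are indented with tabs while the surrounding directives in this file use eight spaces, so the block now mixes both styles; the same applies to the hunks at -32, -40, -49 and -85. As far as I can tell `Require ssl` is an authorization provider, so Apache evaluates it only after Basic authentication has already challenged the client, which means it cannot by itself prevent a credential exchange on a plaintext connection; on this vhost that is covered by the port being TLS-only, and recording that next to the directive would help the next maintainer, e.g. `# Require ssl is defence in depth: authorization fails unless the request arrived over TLS`. The enclosing `<DirectoryMatch>` opens before the hunk.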
@@ -32,7 +35,10 @@ 
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	<RequireAll>
+		Require user admin
+		Require ssl
+	</RequireAll>
         <Files chpasswd.cgi>
             Require all granted
         </Files>
@@ -40,7 +46,10 @@ 
             Require all granted
         </Files>
         <Files dial.cgi>
-            Require user admin
+		<RequireAll>
+			Require user admin
+			Require ssl
+		</RequireAll>
         </Files>
     </Directory>
     <Directory /srv/web/ipfire/cgi-bin/dial>
@@ -49,7 +58,10 @@ 
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user dial admin
+	<RequireAll>
+		Require user dial admin
+		Require ssl
+	</RequireAll>
     </Directory>
     <Files ~ "\.(cgi|shtml?)$">
 	SSLOptions +StdEnvVars
@@ -85,6 +97,9 @@ 
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	<RequireAll>
+		Require user admin
+		Require ssl
+	</RequireAll>
     </Directory>
 </VirtualHost>
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 619f90fcc..a0537b392 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -12,36 +12,25 @@ 
         Require all granted
     </Directory>
     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
+		Options SymLinksIfOwnerMatch
+		RewriteEngine on
+		RewriteCond %{HTTPS} off
+		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
         AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
-         <Files chpasswd.cgi>
-            Require all granted
-        </Files>
-        <Files webaccess.cgi>
-            Require all granted
-        </Files>
-        <Files dial.cgi>
-            Require user admin
-        </Files>
+		Options SymLinksIfOwnerMatch
+		RewriteEngine on
+		RewriteCond %{HTTPS} off
+		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </Directory>
     <Directory /srv/web/ipfire/cgi-bin/dial>
         AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user dial admin
+		Options SymLinksIfOwnerMatch
+		RewriteEngine on
+		RewriteCond %{HTTPS} off
+		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </Directory>
     Alias /updatecache/ /var/updatecache/
 	<Directory /var/updatecache>
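Review bot: In per-directory context mod_rewrite matches `(.*)` against the path with the `<Directory>` prefix stripped, so `$1` in the three new `RewriteRule` lines is a path relative to that directory (e.g. `index.cgi` rather than `/cgi-bin/index.cgi`) and the 301 target may not be the URL the client asked for; `RewriteRule .* https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]` carries the full original path regardless of where the rule sits. I cannot tell from the test report in the thread which paths were exercised, so this is inferred from the mod_rewrite semantics rather than observed. Note also that `%{SERVER_NAME}` reflects the client-supplied Host header unless `UseCanonicalName On` is set (not visible in this diff), so the redirect target depends on what the client sent; a comment on the first rule stating which setting is in effect would be worth adding. The `<Directory /var/updatecache>` block on the last line continues past the hunk.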