diff mbox series

remove unused directories in Apache vhosts and force TLS for logins

Message ID 20171009222103.5b23665a.peter.mueller@link38.eu
State Superseded
Headers
Series remove unused directories in Apache vhosts and force TLS for logins |

Commit Message

Peter Müller Oct. 10, 2017, 7:21 a.m. UTC 
  - remove unused dial.cgi stuff
- redirect to TLS version for directories requiring an authentication
- force TLS for directories requiring an authentication

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---

Comments

Michael Tremer Oct. 10, 2017, 10:24 p.m. UTC | #1 
Hi,

it would indeed be better to split this patch into two to three.

Could you please do this and resubmit?

-Michael

On Mon, 2017-10-09 at 22:21 +0200, Peter Müller wrote:
> - remove unused dial.cgi stuff
> - redirect to TLS version for directories requiring an authentication
> - force TLS for directories requiring an authentication
> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index 6f353962e..433103fdc 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -23,7 +23,10 @@
>          AuthName "IPFire - Restricted"
>          AuthType Basic
>          AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +	<RequireAll>
> +	        Require user admin
> +		Require ssl
> +	</RequireAll>
>      </DirectoryMatch>
>      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
>      <Directory /srv/web/ipfire/cgi-bin>
> @@ -32,24 +35,16 @@
>          AuthName "IPFire - Restricted"
>          AuthType Basic
>          AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +	<RequireAll>
> +	        Require user admin
> +		Require ssl
> +	</RequireAll>
>          <Files chpasswd.cgi>
>              Require all granted
>          </Files>
>          <Files webaccess.cgi>
>              Require all granted
>          </Files>
> -        <Files dial.cgi>
> -            Require user admin
> -        </Files>
> -    </Directory>
> -    <Directory /srv/web/ipfire/cgi-bin/dial>
> -        AllowOverride None
> -        Options None
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user dial admin
>      </Directory>
>      <Files ~ "\.(cgi|shtml?)$">
>  	SSLOptions +StdEnvVars
> @@ -85,6 +80,9 @@
>          AuthName "IPFire - Restricted"
>          AuthType Basic
>          AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +	<RequireAll>
> +	        Require user admin
> +		Require ssl
> +	</RequireAll>
>      </Directory>
>  </VirtualHost>
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> b/config/httpd/vhosts.d/ipfire-interface.conf
> index 619f90fcc..41d10c874 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -12,36 +12,17 @@
>          Require all granted
>      </Directory>
>      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +	Options SymLinksIfOwnerMatch
> +	RewriteEngine on
> +	RewriteCond %{HTTPS} off
> +	RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>      </DirectoryMatch>
>      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
>      <Directory /srv/web/ipfire/cgi-bin>
> -        AllowOverride None
> -        Options None
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> -         <Files chpasswd.cgi>
> -            Require all granted
> -        </Files>
> -        <Files webaccess.cgi>
> -            Require all granted
> -        </Files>
> -        <Files dial.cgi>
> -            Require user admin
> -        </Files>
> -    </Directory>
> -    <Directory /srv/web/ipfire/cgi-bin/dial>
> -        AllowOverride None
> -        Options None
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user dial admin
> +	Options SymLinksIfOwnerMatch
> +	RewriteEngine on
> +	RewriteCond %{HTTPS} off
> +	RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>      </Directory>
>      Alias /updatecache/ /var/updatecache/
>  	<Directory /var/updatecache>
Peter Müller Oct. 11, 2017, 12:40 a.m. UTC | #2 
Hello Michael,

okay, thanks, I did so.

Now everything should be fine. :-)

Best regards,
Peter Müller

> Hi,
> 
> it would indeed be better to split this patch into two to three.
> 
> Could you please do this and resubmit?
> 
> -Michael
> 
> On Mon, 2017-10-09 at 22:21 +0200, Peter Müller wrote:
> > - remove unused dial.cgi stuff
> > - redirect to TLS version for directories requiring an authentication
> > - force TLS for directories requiring an authentication
> > 
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > index 6f353962e..433103fdc 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > @@ -23,7 +23,10 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	<RequireAll>
> > +	        Require user admin
> > +		Require ssl
> > +	</RequireAll>
> >      </DirectoryMatch>
> >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> >      <Directory /srv/web/ipfire/cgi-bin>
> > @@ -32,24 +35,16 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	<RequireAll>
> > +	        Require user admin
> > +		Require ssl
> > +	</RequireAll>
> >          <Files chpasswd.cgi>
> >              Require all granted
> >          </Files>
> >          <Files webaccess.cgi>
> >              Require all granted
> >          </Files>
> > -        <Files dial.cgi>
> > -            Require user admin
> > -        </Files>
> > -    </Directory>
> > -    <Directory /srv/web/ipfire/cgi-bin/dial>
> > -        AllowOverride None
> > -        Options None
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user dial admin
> >      </Directory>
> >      <Files ~ "\.(cgi|shtml?)$">
> >  	SSLOptions +StdEnvVars
> > @@ -85,6 +80,9 @@
> >          AuthName "IPFire - Restricted"
> >          AuthType Basic
> >          AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	<RequireAll>
> > +	        Require user admin
> > +		Require ssl
> > +	</RequireAll>
> >      </Directory>
> >  </VirtualHost>
> > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> > b/config/httpd/vhosts.d/ipfire-interface.conf
> > index 619f90fcc..41d10c874 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > @@ -12,36 +12,17 @@
> >          Require all granted
> >      </Directory>
> >      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +	Options SymLinksIfOwnerMatch
> > +	RewriteEngine on
> > +	RewriteCond %{HTTPS} off
> > +	RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </DirectoryMatch>
> >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> >      <Directory /srv/web/ipfire/cgi-bin>
> > -        AllowOverride None
> > -        Options None
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > -         <Files chpasswd.cgi>
> > -            Require all granted
> > -        </Files>
> > -        <Files webaccess.cgi>
> > -            Require all granted
> > -        </Files>
> > -        <Files dial.cgi>
> > -            Require user admin
> > -        </Files>
> > -    </Directory>
> > -    <Directory /srv/web/ipfire/cgi-bin/dial>
> > -        AllowOverride None
> > -        Options None
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user dial admin
> > +	Options SymLinksIfOwnerMatch
> > +	RewriteEngine on
> > +	RewriteCond %{HTTPS} off
> > +	RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </Directory>
> >      Alias /updatecache/ /var/updatecache/
> >  	<Directory /var/updatecache>
diff mbox series

Patch

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index 6f353962e..433103fdc 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -23,7 +23,10 @@ 
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	<RequireAll>
+	        Require user admin
+		Require ssl
+	</RequireAll>
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
@@ -32,24 +35,16 @@ 
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	<RequireAll>
+	        Require user admin
+		Require ssl
+	</RequireAll>
         <Files chpasswd.cgi>
             Require all granted
         </Files>
         <Files webaccess.cgi>
             Require all granted
         </Files>
-        <Files dial.cgi>
-            Require user admin
-        </Files>
-    </Directory>
-    <Directory /srv/web/ipfire/cgi-bin/dial>
-        AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user dial admin
     </Directory>
     <Files ~ "\.(cgi|shtml?)$">
 	SSLOptions +StdEnvVars
@@ -85,6 +80,9 @@ 
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	<RequireAll>
+	        Require user admin
+		Require ssl
+	</RequireAll>
     </Directory>
 </VirtualHost>
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 619f90fcc..41d10c874 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -12,36 +12,17 @@ 
         Require all granted
     </Directory>
     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	Options SymLinksIfOwnerMatch
+	RewriteEngine on
+	RewriteCond %{HTTPS} off
+	RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
-        AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
-         <Files chpasswd.cgi>
-            Require all granted
-        </Files>
-        <Files webaccess.cgi>
-            Require all granted
-        </Files>
-        <Files dial.cgi>
-            Require user admin
-        </Files>
-    </Directory>
-    <Directory /srv/web/ipfire/cgi-bin/dial>
-        AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user dial admin
+	Options SymLinksIfOwnerMatch
+	RewriteEngine on
+	RewriteCond %{HTTPS} off
+	RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </Directory>
     Alias /updatecache/ /var/updatecache/
 	<Directory /var/updatecache>