remove unused directories in Apache vhosts and force TLS for logins
Commit Message
- remove unused dial.cgi stuff
- redirect to TLS version for directories requiring an authentication
- force TLS for directories requiring an authentication
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
Comments
Hi,
it would indeed be better to split this patch into two to three.
Could you please do this and resubmit?
-Michael
On Mon, 2017-10-09 at 22:21 +0200, Peter Müller wrote:
> - remove unused dial.cgi stuff
> - redirect to TLS version for directories requiring an authentication
> - force TLS for directories requiring an authentication
>
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index 6f353962e..433103fdc 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -23,7 +23,10 @@
> AuthName "IPFire - Restricted"
> AuthType Basic
> AuthUserFile /var/ipfire/auth/users
> - Require user admin
> + <RequireAll>
> + Require user admin
> + Require ssl
> + </RequireAll>
> </DirectoryMatch>
> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> <Directory /srv/web/ipfire/cgi-bin>
> @@ -32,24 +35,16 @@
> AuthName "IPFire - Restricted"
> AuthType Basic
> AuthUserFile /var/ipfire/auth/users
> - Require user admin
> + <RequireAll>
> + Require user admin
> + Require ssl
> + </RequireAll>
> <Files chpasswd.cgi>
> Require all granted
> </Files>
> <Files webaccess.cgi>
> Require all granted
> </Files>
> - <Files dial.cgi>
> - Require user admin
> - </Files>
> - </Directory>
> - <Directory /srv/web/ipfire/cgi-bin/dial>
> - AllowOverride None
> - Options None
> - AuthName "IPFire - Restricted"
> - AuthType Basic
> - AuthUserFile /var/ipfire/auth/users
> - Require user dial admin
> </Directory>
> <Files ~ "\.(cgi|shtml?)$">
> SSLOptions +StdEnvVars
> @@ -85,6 +80,9 @@
> AuthName "IPFire - Restricted"
> AuthType Basic
> AuthUserFile /var/ipfire/auth/users
> - Require user admin
> + <RequireAll>
> + Require user admin
> + Require ssl
> + </RequireAll>
> </Directory>
> </VirtualHost>
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> b/config/httpd/vhosts.d/ipfire-interface.conf
> index 619f90fcc..41d10c874 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -12,36 +12,17 @@
> Require all granted
> </Directory>
> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> - AuthName "IPFire - Restricted"
> - AuthType Basic
> - AuthUserFile /var/ipfire/auth/users
> - Require user admin
> + Options SymLinksIfOwnerMatch
> + RewriteEngine on
> + RewriteCond %{HTTPS} off
> + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> </DirectoryMatch>
> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> <Directory /srv/web/ipfire/cgi-bin>
> - AllowOverride None
> - Options None
> - AuthName "IPFire - Restricted"
> - AuthType Basic
> - AuthUserFile /var/ipfire/auth/users
> - Require user admin
> - <Files chpasswd.cgi>
> - Require all granted
> - </Files>
> - <Files webaccess.cgi>
> - Require all granted
> - </Files>
> - <Files dial.cgi>
> - Require user admin
> - </Files>
> - </Directory>
> - <Directory /srv/web/ipfire/cgi-bin/dial>
> - AllowOverride None
> - Options None
> - AuthName "IPFire - Restricted"
> - AuthType Basic
> - AuthUserFile /var/ipfire/auth/users
> - Require user dial admin
> + Options SymLinksIfOwnerMatch
> + RewriteEngine on
> + RewriteCond %{HTTPS} off
> + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> </Directory>
> Alias /updatecache/ /var/updatecache/
> <Directory /var/updatecache>
Hello Michael,
okay, thanks, I did so.
Now everything should be fine. :-)
Best regards,
Peter Müller
> Hi,
>
> it would indeed be better to split this patch into two to three.
>
> Could you please do this and resubmit?
>
> -Michael
>
> On Mon, 2017-10-09 at 22:21 +0200, Peter Müller wrote:
> > - remove unused dial.cgi stuff
> > - redirect to TLS version for directories requiring an authentication
> > - force TLS for directories requiring an authentication
> >
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > index 6f353962e..433103fdc 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> > @@ -23,7 +23,10 @@
> > AuthName "IPFire - Restricted"
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > - Require user admin
> > + <RequireAll>
> > + Require user admin
> > + Require ssl
> > + </RequireAll>
> > </DirectoryMatch>
> > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > <Directory /srv/web/ipfire/cgi-bin>
> > @@ -32,24 +35,16 @@
> > AuthName "IPFire - Restricted"
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > - Require user admin
> > + <RequireAll>
> > + Require user admin
> > + Require ssl
> > + </RequireAll>
> > <Files chpasswd.cgi>
> > Require all granted
> > </Files>
> > <Files webaccess.cgi>
> > Require all granted
> > </Files>
> > - <Files dial.cgi>
> > - Require user admin
> > - </Files>
> > - </Directory>
> > - <Directory /srv/web/ipfire/cgi-bin/dial>
> > - AllowOverride None
> > - Options None
> > - AuthName "IPFire - Restricted"
> > - AuthType Basic
> > - AuthUserFile /var/ipfire/auth/users
> > - Require user dial admin
> > </Directory>
> > <Files ~ "\.(cgi|shtml?)$">
> > SSLOptions +StdEnvVars
> > @@ -85,6 +80,9 @@
> > AuthName "IPFire - Restricted"
> > AuthType Basic
> > AuthUserFile /var/ipfire/auth/users
> > - Require user admin
> > + <RequireAll>
> > + Require user admin
> > + Require ssl
> > + </RequireAll>
> > </Directory>
> > </VirtualHost>
> > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> > b/config/httpd/vhosts.d/ipfire-interface.conf
> > index 619f90fcc..41d10c874 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > @@ -12,36 +12,17 @@
> > Require all granted
> > </Directory>
> > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> > - AuthName "IPFire - Restricted"
> > - AuthType Basic
> > - AuthUserFile /var/ipfire/auth/users
> > - Require user admin
> > + Options SymLinksIfOwnerMatch
> > + RewriteEngine on
> > + RewriteCond %{HTTPS} off
> > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > </DirectoryMatch>
> > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> > <Directory /srv/web/ipfire/cgi-bin>
> > - AllowOverride None
> > - Options None
> > - AuthName "IPFire - Restricted"
> > - AuthType Basic
> > - AuthUserFile /var/ipfire/auth/users
> > - Require user admin
> > - <Files chpasswd.cgi>
> > - Require all granted
> > - </Files>
> > - <Files webaccess.cgi>
> > - Require all granted
> > - </Files>
> > - <Files dial.cgi>
> > - Require user admin
> > - </Files>
> > - </Directory>
> > - <Directory /srv/web/ipfire/cgi-bin/dial>
> > - AllowOverride None
> > - Options None
> > - AuthName "IPFire - Restricted"
> > - AuthType Basic
> > - AuthUserFile /var/ipfire/auth/users
> > - Require user dial admin
> > + Options SymLinksIfOwnerMatch
> > + RewriteEngine on
> > + RewriteCond %{HTTPS} off
> > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> > </Directory>
> > Alias /updatecache/ /var/updatecache/
> > <Directory /var/updatecache>
@@ -23,7 +23,10 @@
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+ <RequireAll>
+ Require user admin
+ Require ssl
+ </RequireAll>
</DirectoryMatch>
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
<Directory /srv/web/ipfire/cgi-bin>
@@ -32,24 +35,16 @@
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+ <RequireAll>
+ Require user admin
+ Require ssl
+ </RequireAll>
<Files chpasswd.cgi>
Require all granted
</Files>
<Files webaccess.cgi>
Require all granted
</Files>
- <Files dial.cgi>
- Require user admin
- </Files>
- </Directory>
- <Directory /srv/web/ipfire/cgi-bin/dial>
- AllowOverride None
- Options None
- AuthName "IPFire - Restricted"
- AuthType Basic
- AuthUserFile /var/ipfire/auth/users
- Require user dial admin
</Directory>
<Files ~ "\.(cgi|shtml?)$">
SSLOptions +StdEnvVars
@@ -85,6 +80,9 @@
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+ <RequireAll>
+ Require user admin
+ Require ssl
+ </RequireAll>
</Directory>
</VirtualHost>
@@ -12,36 +12,17 @@
Require all granted
</Directory>
<DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
- AuthName "IPFire - Restricted"
- AuthType Basic
- AuthUserFile /var/ipfire/auth/users
- Require user admin
+ Options SymLinksIfOwnerMatch
+ RewriteEngine on
+ RewriteCond %{HTTPS} off
+ RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
</DirectoryMatch>
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
<Directory /srv/web/ipfire/cgi-bin>
- AllowOverride None
- Options None
- AuthName "IPFire - Restricted"
- AuthType Basic
- AuthUserFile /var/ipfire/auth/users
- Require user admin
- <Files chpasswd.cgi>
- Require all granted
- </Files>
- <Files webaccess.cgi>
- Require all granted
- </Files>
- <Files dial.cgi>
- Require user admin
- </Files>
- </Directory>
- <Directory /srv/web/ipfire/cgi-bin/dial>
- AllowOverride None
- Options None
- AuthName "IPFire - Restricted"
- AuthType Basic
- AuthUserFile /var/ipfire/auth/users
- Require user dial admin
+ Options SymLinksIfOwnerMatch
+ RewriteEngine on
+ RewriteCond %{HTTPS} off
+ RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
</Directory>
Alias /updatecache/ /var/updatecache/
<Directory /var/updatecache>