| Message ID | 20171011155507.7cf76c99.peter.mueller@link38.eu |
|---|---|
| State | Superseded |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (unknown [172.28.1.200]) by web02.ipfire.org (Postfix) with ESMTP id 3234360C05 for <patchwork@ipfire.org>; Wed, 11 Oct 2017 15:55:19 +0200 (CEST) Received: from mail01.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 9A6512A11; Wed, 11 Oct 2017 15:55:18 +0200 (CEST) Received: from mx.link38.eu (mx.link38.eu [IPv6:2a03:4000:17:39a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx.link38.eu", Issuer "Let's Encrypt Authority X3" (not verified)) by mail01.ipfire.org (Postfix) with ESMTPS id A33BD29F5 for <development@lists.ipfire.org>; Wed, 11 Oct 2017 15:55:14 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mx.link38.eu Received: from mx-int.dmz.trikolon-de204 (mx-int.dmz.trikolon-de204 [10.51.204.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.link38.eu (Postfix) with ESMTPS for <development@lists.ipfire.org>; Wed, 11 Oct 2017 15:55:08 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx-int.dmz.trikolon-de204 (Postfix) with ESMTPSA id 3A50E9F366 for <development@lists.ipfire.org>; Wed, 11 Oct 2017 15:55:08 +0200 (CEST) Date: Wed, 11 Oct 2017 15:55:07 +0200 From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu> To: "development@lists.ipfire.org" <development@lists.ipfire.org> Subject: [PATCH v2] redirect to TLS WebUI if authorisation required Message-ID: <20171011155507.7cf76c99.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
[v2] redirect to TLS WebUI if authorisation required
|
|
Commit Message
Peter Müller
Oct. 12, 2017, 12:55 a.m. UTC
Do not allow credentials being submitted in plaintext to Apache.
Instead, redirect the user with a 301 to the TLS version of IPFire's
web interface.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
Comments
Nope. [root@rice-oxley ipfire-2.x]# pwclient git-am -s 1460 Applying patch #1460 using 'git am -s' Description: [v2] redirect to TLS WebUI if authorisation required Applying: redirect to TLS WebUI if authorisation required error: corrupt patch at line 41 Patch failed at 0001 redirect to TLS WebUI if authorisation required The copy of the patch that failed is found in: .git/rebase-apply/patch When you have resolved this problem, run "git am --continue". If you prefer to skip this patch, run "git am --skip" instead. To restore the original branch and stop patching, run "git am --abort". 'git am' failed with exit status 128 On Wed, 2017-10-11 at 15:55 +0200, Peter Müller wrote: > Do not allow credentials being submitted in plaintext to Apache. > Instead, redirect the user with a 301 to the TLS version of IPFire's > web interface. > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > --- > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > b/config/httpd/vhosts.d/ipfire-interface.conf > index 619f90fcc..41d10c874 100644 > --- a/config/httpd/vhosts.d/ipfire-interface.conf > +++ b/config/httpd/vhosts.d/ipfire-interface.conf > @@ -12,36 +12,17 @@ > Require all granted > </Directory> > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> > - AuthName "IPFire - Restricted" > - AuthType Basic > - AuthUserFile /var/ipfire/auth/users > - Require user admin > + Options SymLinksIfOwnerMatch > + RewriteEngine on > + RewriteCond %{HTTPS} off > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > </DirectoryMatch> > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > <Directory /srv/web/ipfire/cgi-bin> > - AllowOverride None > - Options None > - AuthName "IPFire - Restricted" > - AuthType Basic > - AuthUserFile /var/ipfire/auth/users > - Require user admin > - <Files chpasswd.cgi> > - Require all granted > - </Files> > - <Files webaccess.cgi> > - Require all granted > - </Files> > - </Directory> > + Options SymLinksIfOwnerMatch > + RewriteEngine on > + RewriteCond %{HTTPS} off > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > </Directory> > Alias /updatecache/ /var/updatecache/ > <Directory /var/updatecache>
Well, I hope the third try is working now... > Nope. > > [root@rice-oxley ipfire-2.x]# pwclient git-am -s 1460 > Applying patch #1460 using 'git am -s' > Description: [v2] redirect to TLS WebUI if authorisation required > Applying: redirect to TLS WebUI if authorisation required > error: corrupt patch at line 41 > Patch failed at 0001 redirect to TLS WebUI if authorisation required > The copy of the patch that failed is found in: .git/rebase-apply/patch > When you have resolved this problem, run "git am --continue". > If you prefer to skip this patch, run "git am --skip" instead. > To restore the original branch and stop patching, run "git am --abort". > 'git am' failed with exit status 128 > > > On Wed, 2017-10-11 at 15:55 +0200, Peter Müller wrote: > > Do not allow credentials being submitted in plaintext to Apache. > > Instead, redirect the user with a 301 to the TLS version of IPFire's > > web interface. > > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > > --- > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > b/config/httpd/vhosts.d/ipfire-interface.conf > > index 619f90fcc..41d10c874 100644 > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf > > @@ -12,36 +12,17 @@ > > Require all granted > > </Directory> > > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> > > - AuthName "IPFire - Restricted" > > - AuthType Basic > > - AuthUserFile /var/ipfire/auth/users > > - Require user admin > > + Options SymLinksIfOwnerMatch > > + RewriteEngine on > > + RewriteCond %{HTTPS} off > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > </DirectoryMatch> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > <Directory /srv/web/ipfire/cgi-bin> > > - AllowOverride None > > - Options None > > - AuthName "IPFire - Restricted" > > - AuthType Basic > > - AuthUserFile /var/ipfire/auth/users > > - Require user admin > > - <Files chpasswd.cgi> > > - Require all granted > > - </Files> > > - <Files webaccess.cgi> > > - Require all granted > > - </Files> > > - </Directory> > > + Options SymLinksIfOwnerMatch > > + RewriteEngine on > > + RewriteCond %{HTTPS} off > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > </Directory> > > Alias /updatecache/ /var/updatecache/ > > <Directory /var/updatecache>
It was. What did you change? -Michael On Wed, 2017-10-11 at 16:52 +0200, Peter Müller wrote: > Well, I hope the third try is working now... > > > Nope. > > > > [root@rice-oxley ipfire-2.x]# pwclient git-am -s 1460 > > Applying patch #1460 using 'git am -s' > > Description: [v2] redirect to TLS WebUI if authorisation required > > Applying: redirect to TLS WebUI if authorisation required > > error: corrupt patch at line 41 > > Patch failed at 0001 redirect to TLS WebUI if authorisation required > > The copy of the patch that failed is found in: .git/rebase-apply/patch > > When you have resolved this problem, run "git am --continue". > > If you prefer to skip this patch, run "git am --skip" instead. > > To restore the original branch and stop patching, run "git am --abort". > > 'git am' failed with exit status 128 > > > > > > On Wed, 2017-10-11 at 15:55 +0200, Peter Müller wrote: > > > Do not allow credentials being submitted in plaintext to Apache. > > > Instead, redirect the user with a 301 to the TLS version of IPFire's > > > web interface. > > > > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > > > --- > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > > b/config/httpd/vhosts.d/ipfire-interface.conf > > > index 619f90fcc..41d10c874 100644 > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf > > > @@ -12,36 +12,17 @@ > > > Require all granted > > > </Directory> > > > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> > > > - AuthName "IPFire - Restricted" > > > - AuthType Basic > > > - AuthUserFile /var/ipfire/auth/users > > > - Require user admin > > > + Options SymLinksIfOwnerMatch > > > + RewriteEngine on > > > + RewriteCond %{HTTPS} off > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > </DirectoryMatch> > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > <Directory /srv/web/ipfire/cgi-bin> > > > - AllowOverride None > > > - Options None > > > - AuthName "IPFire - Restricted" > > > - AuthType Basic > > > - AuthUserFile /var/ipfire/auth/users > > > - Require user admin > > > - <Files chpasswd.cgi> > > > - Require all granted > > > - </Files> > > > - <Files webaccess.cgi> > > > - Require all granted > > > - </Files> > > > - </Directory> > > > + Options SymLinksIfOwnerMatch > > > + RewriteEngine on > > > + RewriteCond %{HTTPS} off > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > </Directory> > > > Alias /updatecache/ /var/updatecache/ > > > <Directory /var/updatecache> > >
Hello Michael, well, actually I used spaces instead of tabs. Second, git format-patch crashed before, and some global configuration options (mail address, ...) needed to be set. Quite strange, but well. I never really used these git functions before, just ran git diff [changed file] > patch and pasted the content with Signed-off-by in my MUA. Now, I take the output of git format-patch, remove all those mail headers, and paste the content in my MUA... As Einstein said: "Make things as easy as you can - but not easier." Quite right... Best regards, Peter Müller > It was. What did you change? > > -Michael > > On Wed, 2017-10-11 at 16:52 +0200, Peter Müller wrote: > > Well, I hope the third try is working now... > > > > > Nope. > > > > > > [root@rice-oxley ipfire-2.x]# pwclient git-am -s 1460 > > > Applying patch #1460 using 'git am -s' > > > Description: [v2] redirect to TLS WebUI if authorisation required > > > Applying: redirect to TLS WebUI if authorisation required > > > error: corrupt patch at line 41 > > > Patch failed at 0001 redirect to TLS WebUI if authorisation required > > > The copy of the patch that failed is found in: .git/rebase-apply/patch > > > When you have resolved this problem, run "git am --continue". > > > If you prefer to skip this patch, run "git am --skip" instead. > > > To restore the original branch and stop patching, run "git am --abort". > > > 'git am' failed with exit status 128 > > > > > > > > > On Wed, 2017-10-11 at 15:55 +0200, Peter Müller wrote: > > > > Do not allow credentials being submitted in plaintext to Apache. > > > > Instead, redirect the user with a 301 to the TLS version of IPFire's > > > > web interface. > > > > > > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > > > > --- > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > > > b/config/httpd/vhosts.d/ipfire-interface.conf > > > > index 619f90fcc..41d10c874 100644 > > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf > > > > @@ -12,36 +12,17 @@ > > > > Require all granted > > > > </Directory> > > > > <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> > > > > - AuthName "IPFire - Restricted" > > > > - AuthType Basic > > > > - AuthUserFile /var/ipfire/auth/users > > > > - Require user admin > > > > + Options SymLinksIfOwnerMatch > > > > + RewriteEngine on > > > > + RewriteCond %{HTTPS} off > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > > </DirectoryMatch> > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > <Directory /srv/web/ipfire/cgi-bin> > > > > - AllowOverride None > > > > - Options None > > > > - AuthName "IPFire - Restricted" > > > > - AuthType Basic > > > > - AuthUserFile /var/ipfire/auth/users > > > > - Require user admin > > > > - <Files chpasswd.cgi> > > > > - Require all granted > > > > - </Files> > > > > - <Files webaccess.cgi> > > > > - Require all granted > > > > - </Files> > > > > - </Directory> > > > > + Options SymLinksIfOwnerMatch > > > > + RewriteEngine on > > > > + RewriteCond %{HTTPS} off > > > > + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] > > > > </Directory> > > > > Alias /updatecache/ /var/updatecache/ > > > > <Directory /var/updatecache> > > > >
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index 619f90fcc..41d10c874 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -12,36 +12,17 @@ Require all granted </Directory> <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)"> - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </DirectoryMatch> ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ <Directory /srv/web/ipfire/cgi-bin> - AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user admin - <Files chpasswd.cgi> - Require all granted - </Files> - <Files webaccess.cgi> - Require all granted - </Files> - </Directory> + Options SymLinksIfOwnerMatch + RewriteEngine on + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L] </Directory> Alias /updatecache/ /var/updatecache/ <Directory /var/updatecache>