diff mbox series

[v3] redirect to TLS WebUI if authorisation required

Message ID	20171017194907.42a8904f.peter.mueller@link38.eu
State	Accepted
Headers	Date: Tue, 17 Oct 2017 19:49:07 +0200 From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu> To: "development@lists.ipfire.org" <development@lists.ipfire.org> Subject: [PATCH v3] redirect to TLS WebUI if authorisation required Message-ID: <20171017194907.42a8904f.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	[v3] redirect to TLS WebUI if authorisation required \| [v3] redirect to TLS WebUI if authorisation required

Commit Message

Peter Müller Oct. 18, 2017, 4:49 a.m. UTC

  Do not allow credentials being submitted in plaintext to Apache.
Instead, redirect the user with a 301 to the TLS version of IPFire's
web interface.

Not sure if this has been merged (and is working) yet... :-)

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/httpd/vhosts.d/ipfire-interface.conf | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

Comments

Michael Tremer Oct. 19, 2017, 1:58 a.m. UTC | #1

Hi,

On Tue, 2017-10-17 at 19:49 +0200, Peter Müller wrote:
> Do not allow credentials being submitted in plaintext to Apache.
> Instead, redirect the user with a 301 to the TLS version of IPFire's
> web interface.
> 
> Not sure if this has been merged (and is working) yet... :-)

Why do you doubt that this is working?

-Michael

> 
> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> ---
>  config/httpd/vhosts.d/ipfire-interface.conf | 24 ++++++++----------------
>  1 file changed, 8 insertions(+), 16 deletions(-)
> 
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> b/config/httpd/vhosts.d/ipfire-interface.conf
> index 27fd25a95..be15cd041 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -12,25 +12,17 @@
>          Require all granted
>      </Directory>
>      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> +        Options SymLinksIfOwnerMatch
> +        RewriteEngine on
> +        RewriteCond %{HTTPS} off
> +        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>      </DirectoryMatch>
>      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
>      <Directory /srv/web/ipfire/cgi-bin>
> -        AllowOverride None
> -        Options None
> -        AuthName "IPFire - Restricted"
> -        AuthType Basic
> -        AuthUserFile /var/ipfire/auth/users
> -        Require user admin
> -         <Files chpasswd.cgi>
> -            Require all granted
> -        </Files>
> -        <Files webaccess.cgi>
> -            Require all granted
> -        </Files>
> +        Options SymLinksIfOwnerMatch
> +        RewriteEngine on
> +        RewriteCond %{HTTPS} off
> +        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>      </Directory>
>      Alias /updatecache/ /var/updatecache/
>  	<Directory /var/updatecache>

Peter Müller Oct. 19, 2017, 5:30 a.m. UTC | #2

Hello Michael,

> Hi,
> 
> On Tue, 2017-10-17 at 19:49 +0200, Peter Müller wrote:
> > Do not allow credentials being submitted in plaintext to Apache.
> > Instead, redirect the user with a 301 to the TLS version of IPFire's
> > web interface.
> > 
> > Not sure if this has been merged (and is working) yet... :-)  
> 
> Why do you doubt that this is working?
This patch does not appear in the public git repository. So I assume something
was wrong with it.

Best regards,
Peter Müller
> 
> -Michael
> 
> > 
> > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> > ---
> >  config/httpd/vhosts.d/ipfire-interface.conf | 24 ++++++++----------------
> >  1 file changed, 8 insertions(+), 16 deletions(-)
> > 
> > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
> > b/config/httpd/vhosts.d/ipfire-interface.conf
> > index 27fd25a95..be15cd041 100644
> > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> > @@ -12,25 +12,17 @@
> >          Require all granted
> >      </Directory>
> >      <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > +        Options SymLinksIfOwnerMatch
> > +        RewriteEngine on
> > +        RewriteCond %{HTTPS} off
> > +        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </DirectoryMatch>
> >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> >      <Directory /srv/web/ipfire/cgi-bin>
> > -        AllowOverride None
> > -        Options None
> > -        AuthName "IPFire - Restricted"
> > -        AuthType Basic
> > -        AuthUserFile /var/ipfire/auth/users
> > -        Require user admin
> > -         <Files chpasswd.cgi>
> > -            Require all granted
> > -        </Files>
> > -        <Files webaccess.cgi>
> > -            Require all granted
> > -        </Files>
> > +        Options SymLinksIfOwnerMatch
> > +        RewriteEngine on
> > +        RewriteCond %{HTTPS} off
> > +        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
> >      </Directory>
> >      Alias /updatecache/ /var/updatecache/
> >  	<Directory /var/updatecache>

Michael Tremer Oct. 19, 2017, 7:15 a.m. UTC | #3

No I don’t think so.

Just merged it. Thanks.

> On 18 Oct 2017, at 7:30 pm, Peter Müller <peter.mueller@link38.eu> wrote:
> 
> Hello Michael,
> 
>> Hi,
>> 
>>> On Tue, 2017-10-17 at 19:49 +0200, Peter Müller wrote:
>>> Do not allow credentials being submitted in plaintext to Apache.
>>> Instead, redirect the user with a 301 to the TLS version of IPFire's
>>> web interface.
>>> 
>>> Not sure if this has been merged (and is working) yet... :-)  
>> 
>> Why do you doubt that this is working?
> This patch does not appear in the public git repository. So I assume something
> was wrong with it.
> 
> Best regards,
> Peter Müller
>> 
>> -Michael
>> 
>>> 
>>> Signed-off-by: Peter Müller <peter.mueller@link38.eu>
>>> ---
>>> config/httpd/vhosts.d/ipfire-interface.conf | 24 ++++++++----------------
>>> 1 file changed, 8 insertions(+), 16 deletions(-)
>>> 
>>> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf
>>> b/config/httpd/vhosts.d/ipfire-interface.conf
>>> index 27fd25a95..be15cd041 100644
>>> --- a/config/httpd/vhosts.d/ipfire-interface.conf
>>> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
>>> @@ -12,25 +12,17 @@
>>>         Require all granted
>>>     </Directory>
>>>     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
>>> -        AuthName "IPFire - Restricted"
>>> -        AuthType Basic
>>> -        AuthUserFile /var/ipfire/auth/users
>>> -        Require user admin
>>> +        Options SymLinksIfOwnerMatch
>>> +        RewriteEngine on
>>> +        RewriteCond %{HTTPS} off
>>> +        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>>>     </DirectoryMatch>
>>>     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
>>>     <Directory /srv/web/ipfire/cgi-bin>
>>> -        AllowOverride None
>>> -        Options None
>>> -        AuthName "IPFire - Restricted"
>>> -        AuthType Basic
>>> -        AuthUserFile /var/ipfire/auth/users
>>> -        Require user admin
>>> -         <Files chpasswd.cgi>
>>> -            Require all granted
>>> -        </Files>
>>> -        <Files webaccess.cgi>
>>> -            Require all granted
>>> -        </Files>
>>> +        Options SymLinksIfOwnerMatch
>>> +        RewriteEngine on
>>> +        RewriteCond %{HTTPS} off
>>> +        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
>>>     </Directory>
>>>     Alias /updatecache/ /var/updatecache/
>>>    <Directory /var/updatecache>  
>

diff mbox series

Patch

diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 27fd25a95..be15cd041 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -12,25 +12,17 @@ 
         Require all granted
     </Directory>
     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
+        Options SymLinksIfOwnerMatch
+        RewriteEngine on
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
-        AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
-         <Files chpasswd.cgi>
-            Require all granted
-        </Files>
-        <Files webaccess.cgi>
-            Require all granted
-        </Files>
+        Options SymLinksIfOwnerMatch
+        RewriteEngine on
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </Directory>
     Alias /updatecache/ /var/updatecache/
 	<Directory /var/updatecache>