From patchwork Sun Sep 24 17:06:25 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
X-Patchwork-Id: 1427
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.ipfire.org (Postfix) with ESMTP id 0C2A46105A
	for <patchwork@ipfire.org>; Sun, 24 Sep 2017 09:06:40 +0200 (CEST)
Received: from mail01.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id D426B2822;
	Sun, 24 Sep 2017 09:06:39 +0200 (CEST)
Received: from mx.link38.eu (mx.link38.eu [188.68.43.123])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPS id 65B26281F
	for <development@lists.ipfire.org>;
	Sun, 24 Sep 2017 09:06:35 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mx.link38.eu
Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu
	[10.141.75.13])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx.link38.eu (Postfix) with ESMTPS id DAC1540AD8
	for <development@lists.ipfire.org>;
	Sun, 24 Sep 2017 09:06:26 +0200 (CEST)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id 386B69F230
	for <development@lists.ipfire.org>;
	Sun, 24 Sep 2017 09:06:26 +0200 (CEST)
Date: Sun, 24 Sep 2017 09:06:25 +0200
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: "development@lists.ipfire.org" <development@lists.ipfire.org>
Subject: [PATCH v2] force transport encryption for WebUI logins
Message-ID: <20170924090625.48d4eea2.peter.mueller@link38.eu>
Organization: Link38
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <http://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <http://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Force the usage of SSL when accessing protected locations.

Queries to the plain text interface on port 81 will be answered
with a 301 ("Moved permanently") status.

All authentication directives on port 81 are disabled to prevent
data leakage.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index 6f353962e..bec0d580b 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -23,7 +23,10 @@
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	<RequireAll>
+		Require user admin
+		Require ssl
+	</RequireAll>
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
@@ -32,7 +35,10 @@
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	<RequireAll>
+		Require user admin
+		Require ssl
+	</RequireAll>
         <Files chpasswd.cgi>
             Require all granted
         </Files>
@@ -40,7 +46,10 @@
             Require all granted
         </Files>
         <Files dial.cgi>
-            Require user admin
+		<RequireAll>
+			Require user admin
+			Require ssl
+		</RequireAll>
         </Files>
     </Directory>
     <Directory /srv/web/ipfire/cgi-bin/dial>
@@ -49,7 +58,10 @@
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user dial admin
+	<RequireAll>
+		Require user dial admin
+		Require ssl
+	</RequireAll>
     </Directory>
     <Files ~ "\.(cgi|shtml?)$">
 	SSLOptions +StdEnvVars
@@ -85,6 +97,9 @@
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
-        Require user admin
+	<RequireAll>
+		Require user admin
+		Require ssl
+	</RequireAll>
     </Directory>
 </VirtualHost>
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 619f90fcc..a0537b392 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -12,36 +12,25 @@
         Require all granted
     </Directory>
     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
+		Options SymLinksIfOwnerMatch
+		RewriteEngine on
+		RewriteCond %{HTTPS} off
+		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
         AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
-         <Files chpasswd.cgi>
-            Require all granted
-        </Files>
-        <Files webaccess.cgi>
-            Require all granted
-        </Files>
-        <Files dial.cgi>
-            Require user admin
-        </Files>
+		Options SymLinksIfOwnerMatch
+		RewriteEngine on
+		RewriteCond %{HTTPS} off
+		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </Directory>
     <Directory /srv/web/ipfire/cgi-bin/dial>
         AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user dial admin
+		Options SymLinksIfOwnerMatch
+		RewriteEngine on
+		RewriteCond %{HTTPS} off
+		RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </Directory>
     Alias /updatecache/ /var/updatecache/
 	<Directory /var/updatecache>