redirect to TLS WebUI if authorisation required
authorPeter Müller <peter.mueller@link38.eu>
Tue, 17 Oct 2017 17:49:07 +0000 (19:49 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 18 Oct 2017 14:57:57 +0000 (15:57 +0100)
Do not allow credentials being submitted in plaintext to Apache.
Instead, redirect the user with a 301 to the TLS version of IPFire's
web interface.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/httpd/vhosts.d/ipfire-interface.conf

index 27fd25a..be15cd0 100644 (file)
         Require all granted
     </Directory>
     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
+        Options SymLinksIfOwnerMatch
+        RewriteEngine on
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
-        AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
-         <Files chpasswd.cgi>
-            Require all granted
-        </Files>
-        <Files webaccess.cgi>
-            Require all granted
-        </Files>
+        Options SymLinksIfOwnerMatch
+        RewriteEngine on
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </Directory>
     Alias /updatecache/ /var/updatecache/
        <Directory /var/updatecache>