From: Peter Müller <peter.mueller@link38.eu>
Date: Tue, 17 Oct 2017 17:49:07 +0000 (+0200)
Subject: redirect to TLS WebUI if authorisation required
X-Git-Tag: v2.19-core115~5
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=6c6c1e3f043b7c4e99fabb6e92fce226089392af;ds=sidebyside

redirect to TLS WebUI if authorisation required

Do not allow credentials being submitted in plaintext to Apache.
Instead, redirect the user with a 301 to the TLS version of IPFire's
web interface.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 27fd25a95a..be15cd041c 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -12,25 +12,17 @@
         Require all granted
     </Directory>
     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
+        Options SymLinksIfOwnerMatch
+        RewriteEngine on
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </DirectoryMatch>
     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
     <Directory /srv/web/ipfire/cgi-bin>
-        AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
-         <Files chpasswd.cgi>
-            Require all granted
-        </Files>
-        <Files webaccess.cgi>
-            Require all granted
-        </Files>
+        Options SymLinksIfOwnerMatch
+        RewriteEngine on
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </Directory>
     Alias /updatecache/ /var/updatecache/
 	<Directory /var/updatecache>