From: Michael Tremer
Date: Tue, 8 Jan 2019 14:37:00 +0000 (+0100)
Subject: proxy: Remove AUTH_IPCACHE_TTL
X-Git-Tag: v2.21-core127~55
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=dc637f087fe07ab26ae1dee00133da69bab5e6a1
proxy: Remove AUTH_IPCACHE_TTL
This is potentially dangerous to set larger than zero. Authentication is perfomed on basis of IP addresses which is not a good idea at all.
Signed-off-by: Michael Tremer
---
diff --git a/doc/language_issues.de b/doc/language_issues.de
index a9df98caf5..3f6accc5eb 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -46,6 +46,7 @@ WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
 WARNING: translation string unused: adsl settings
 WARNING: translation string unused: advproxy AUTH method ntlm
+WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -68,6 +69,7 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
+WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 3f43a85bfe..348ca2c3d7 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -126,7 +126,6 @@ WARNING: untranslated string: advproxy AUTH method radius = RADIUS
 WARNING: untranslated string: advproxy AUTH no auth = Domains without authentication (one per line)
 WARNING: untranslated string: advproxy AUTH number of auth processes = Number of authentication processes
 WARNING: untranslated string: advproxy AUTH realm = Authentication realm prompt
-WARNING: untranslated string: advproxy AUTH user IP cache TTL = User/IP cache TTL (in minutes)
 WARNING: untranslated string: advproxy IDENT authorized users = Authorized users (one per line)
 WARNING: untranslated string: advproxy IDENT aware hosts = Ident aware hosts (one per line)
 WARNING: untranslated string: advproxy IDENT identd settings = Common identd settings
@@ -208,7 +207,6 @@ WARNING: untranslated string: advproxy errmsg acl cannot be empty = Access contr
 WARNING: untranslated string: advproxy errmsg auth cache ttl = Invalid value for authentication cache TTL
 WARNING: untranslated string: advproxy errmsg auth children = Invalid number of authentication processes
 WARNING: untranslated string: advproxy errmsg auth ipcache may not be null = Authentication cache TTL may not be 0 when using IP address limits
-WARNING: untranslated string: advproxy errmsg auth ipcache ttl = Invalid value for user/IP cache TTL
 WARNING: untranslated string: advproxy errmsg cache = The RAM cache size is greater than the harddisk cache size:
 WARNING: untranslated string: advproxy errmsg hdd cache size = Invalid value for harddisk cache size (min 10 MB required)
 WARNING: untranslated string: advproxy errmsg ident timeout = Invalid ident timeout
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 60a3b40c30..f702b2a1f7 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -22,6 +22,7 @@ WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
+WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -44,6 +45,7 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
+WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 5f3d06c142..5fd9877610 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -46,6 +46,7 @@ WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
 WARNING: translation string unused: adsl settings
 WARNING: translation string unused: advproxy AUTH method ntlm
+WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -68,6 +69,7 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
+WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
diff --git a/doc/language_issues.it b/doc/language_issues.it
index f04a1dadba..d80d124547 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -24,6 +24,7 @@ WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
 WARNING: translation string unused: advproxy AUTH method ntlm
+WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -46,6 +47,7 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
+WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 8bfd52737a..c8bf1c49ff 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -23,6 +23,7 @@ WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
+WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -45,6 +46,7 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
+WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 60a3b40c30..f702b2a1f7 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -22,6 +22,7 @@ WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
+WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -44,6 +45,7 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
+WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 900532c56f..0500b0e199 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -23,6 +23,7 @@ WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
+WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -45,6 +46,7 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
+WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index d172ed0e79..8d0ae25e1c 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -46,6 +46,7 @@ WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
 WARNING: translation string unused: adsl settings
 WARNING: translation string unused: advproxy AUTH method ntlm
+WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -68,6 +69,7 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
+WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 3139e51729..a3fb0a8550 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -250,7 +250,6 @@ $proxysettings{'AUTH_METHOD'} = 'none';
 $proxysettings{'AUTH_REALM'} = '';
 $proxysettings{'AUTH_MAX_USERIP'} = '';
 $proxysettings{'AUTH_CACHE_TTL'} = '60';
-$proxysettings{'AUTH_IPCACHE_TTL'} = '0';
 $proxysettings{'AUTH_CHILDREN'} = '5';
 $proxysettings{'NCSA_MIN_PASS_LEN'} = '6';
 $proxysettings{'NCSA_BYPASS_REDIR'} = 'off';
@@ -472,23 +471,18 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} } } } - if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && - ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255))) - { - $errormessage = $Lang::tr{'advproxy errmsg max userip'}; - goto ERROR; - } if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/)) { $errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'}; goto ERROR; } - if (!($proxysettings{'AUTH_IPCACHE_TTL'} =~ /^\d+/)) + if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && + ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255))) { - $errormessage = $Lang::tr{'advproxy errmsg auth ipcache ttl'}; + $errormessage = $Lang::tr{'advproxy errmsg max userip'}; goto ERROR; } - if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) + if (!($proxysettings{'AUTH_MAX_USERIP'} eq '')) { $errormessage = $Lang::tr{'advproxy errmsg auth ipcache may not be null'}; goto ERROR; @@ -1746,10 +1740,6 @@ print <$Lang::tr{'advproxy AUTH limit of IP addresses'}: - - $Lang::tr{'advproxy AUTH user IP cache TTL'}: - - $Lang::tr{'advproxy AUTH always required'}: @@ -2046,7 +2036,6 @@ print < - @@ -2058,7 +2047,6 @@ print < - END ; } @@ -3180,6 +3168,11 @@ END } print FILE "\n"; + # If we use authentication, users must always authenticate + unless ($proxysettings{"AUTH_METHOD"} eq "") { + print FILE "authenticate_ip_ttl 0\n\n"; + } + if ((!($proxysettings{'AUTH_METHOD'} eq 'none')) && (!($proxysettings{'AUTH_METHOD'} eq 'ident'))) { if ($proxysettings{'AUTH_METHOD'} eq 'ncsa') 
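Review bot: The last check in the -472 hunk, `if (!($proxysettings{'AUTH_MAX_USERIP'} eq ''))`, now rejects every non-empty AUTH_MAX_USERIP, because only the `AUTH_IPCACHE_TTL eq '0'` half of the old condition was dropped rather than the whole check. That turns the range validation just above it into dead code and leaves the "limit of IP addresses" form field (still present as context in the -1746 hunk) unusable, with an error message about a TTL the administrator can no longer set. If the limit cannot work once the IP cache TTL is pinned to 0 (Squid's max_user_ip relies on authenticate_ip_ttl, as far as I know), remove AUTH_MAX_USERIP, its form field and both checks together; otherwise drop this last check. Separately, the `/^\d+/` tests here are not anchored at the end, and AUTH_CACHE_TTL is later interpolated into the generated config, so `/\A\d+\z/` would keep trailing text or an embedded newline out of that file. The enclosing `if` block starts and ends outside the hunk.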
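Review bot: The guard added in the -3168 hunk, `unless ($proxysettings{"AUTH_METHOD"} eq "")`, does not match its comment: the default assigned earlier in this file is `'none'`, not the empty string, so `authenticate_ip_ttl 0` is written even when no authentication is configured. The very next condition tests `eq 'none'`, so the new block should use the same sentinel, e.g. `unless ($proxysettings{'AUTH_METHOD'} eq 'none') {`, which also matches the file's single-quote style. Writing the directive unconditionally would be just as safe and simpler if the intent is that the IP cache is never enabled. Either way, extend the comment to record the commit message's reason, for example `# Never cache authentication by client IP; credentials are required on every request`. The enclosing code continues outside the hunk.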
@@ -3188,7 +3181,6 @@ END print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n"; print FILE "auth_param basic realm $authrealm\n"; print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n"; - if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; } } if ($proxysettings{'AUTH_METHOD'} eq 'ldap') @@ -3233,7 +3225,6 @@ END print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n"; print FILE "auth_param basic realm $authrealm\n"; print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n"; - if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; } } if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth') @@ -3273,7 +3264,6 @@ END print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n"; print FILE "auth_param basic realm $authrealm\n"; print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n"; - if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; } } print FILE "\n";