Bug 38016

Summary: ability to force SSL for ucs-overview and umc
Product: UCS
Reporter: Dirk Ahrnke <da>
Component: Apache
Assignee: Philipp Hahn <hahn>
Status: CLOSED FIXED
QA Contact: Florian Best <best>
Severity: normal
Priority: P5
CC: best, ebersbach, gohmann, grandjean, gulden, walkenhorst
Version: UCS 4.0
Target Milestone: UCS 4.0-2-errata
Hardware: Other
OS: Linux
See Also: http://forge.univention.org/bugzilla/show_bug.cgi?id=25647
https://forge.univention.org/bugzilla/show_bug.cgi?id=38681
Bug group (optional): External feedback

Description Dirk Ahrnke 2015-03-12 09:42:54 CET
In a default installation it is possible to connect to /ucs-overview and /univention-management-console with plain http.
Further links accessed from here will usually not switch to a secure connection.
Even if the "insecure connection warning" appears when /univention-management-console is accessed with http it is still possible that users are simply ignoring this warning and continue.

It should be possible to force https by using UCRV.
Comment 1 Philipp Hahn univentionstaff 2015-06-02 14:33:18 CEST
Added UCRV "apache2/force_https" to redirect *all* <http://> requests to <https://>.
Use the Apache rewrite engine, as "Redirect permanent / https:///" does not yet work with apache2.2 as used in UCS-4.

This solution is not optimal and might be problematic in several cases:
- An App can only register a non-http variable, which would get re-directed anyway.
- Automatically downloading the .crt and .crl file might fail because of the missing root certificate.
- The initial connection will trigger the browser to show its certificate warning.
Possible options:
[ ] only force the re-direct for /univention-management-console/
[ ] only force a re-direct for /ucs-overview/
[ ] only force some links to use https:
  ucr search --brief --non-empty '^ucs/web/overview/entries/[^/]+/[^/]+/link$' | sed 's,link: .*,port_https=443,' | xargs ucr set

r60990 | Bug #38016 Apache: Enable redirect to <https://>
r60988 | Bug #38016 Apache: Remove old files
r60987 | Bug #38391: Copyright 2015

Package: univention-apache
Version: 7.0.16-10.232.201506021257
Branch: ucs_4.0-0
Scope: errata4.0-2

r60992 | Bug #38391, Bug #38016: apache,uss overview YAML
 2015-06-02-univention-apache.yaml
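The redirect described in comment 1, and the narrower per-path variants listed under "Possible options", can be modelled and checked with a short script. The following is an added example written for this page; it is not code from the bug, from univention-apache or from Univention. It assumes an Apache mod_rewrite rule of the usual shape (`RewriteCond %{HTTPS} off` followed by a `RewriteRule` to `https://%{HTTP_HOST}%{REQUEST_URI}`), and the function names, the `force_https`/`only_paths` parameters and the sample hostnames and responses are all constructed for illustration.

```python
"""Model of the http -> https redirect policy discussed in this bug, plus a
checker for captured responses.  Added example, not Univention's code.

The model mirrors what a mod_rewrite block of this form does (assumption):

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

and adds the "only for some paths" option from comment 1.
"""
from urllib.parse import urlsplit, urlunsplit

# Paths named in the bug; used only by the narrowed variant.
UMC_PATHS = ("/univention-management-console/", "/ucs-overview/")
REDIRECT_STATUSES = {301, 302, 307, 308}


def redirect_target(url, force_https=True, only_paths=None):
    """Return the https URL a plain-http request to `url` should be sent to,
    or None when no redirect applies.

    force_https -- models the UCR variable apache2/force_https (on/off)
    only_paths  -- if given, redirect only requests under these prefixes
                   (the "[ ] only force the re-direct for ..." options)
    """
    if not force_https:
        return None
    parts = urlsplit(url)
    if parts.scheme != "http":          # already https (or not http at all)
        return None
    if only_paths is not None and not any(
            parts.path.startswith(p) for p in only_paths):
        return None
    # %{HTTP_HOST} is echoed as the client sent it; the one adjustment is to
    # drop an explicit ":80", which would be wrong on the https side.
    netloc = parts.netloc
    if parts.port == 80:
        netloc = parts.hostname or ""
    # Path and query string are preserved, fragment never reaches the server.
    return urlunsplit(("https", netloc, parts.path, parts.query, ""))


def check_redirect(request_url, status, location, **policy):
    """Check one captured response against the policy.

    A correct answer to a plain-http request is a redirect status whose
    Location is exactly the https URL with the same host, path and query.
    Returns a list of findings; an empty list means the response is fine.
    """
    findings = []
    expected = redirect_target(request_url, **policy)
    if expected is None:
        if status in REDIRECT_STATUSES:
            findings.append("unexpected redirect for %s" % request_url)
        return findings
    if status not in REDIRECT_STATUSES:
        findings.append("%s was served over plain http (HTTP %d), not redirected"
                        % (request_url, status))
        return findings
    if location != expected:
        findings.append("%s redirected to %r, expected %r"
                        % (request_url, location, expected))
    return findings


def audit(responses, **policy):
    """Run check_redirect over (url, status, location) triples."""
    findings = []
    for url, status, location in responses:
        findings.extend(check_redirect(url, status, location, **policy))
    return findings


if __name__ == "__main__":
    # Constructed sample responses, as a curl run against a test host might
    # report them; the hostname is made up.
    SAMPLE = [
        ("http://ucs.example.test/ucs-overview/", 301,
         "https://ucs.example.test/ucs-overview/"),
        ("http://ucs.example.test/univention-management-console/", 200, None),
        ("http://ucs.example.test/ucs.crt", 301,
         "http://ucs.example.test/ucs.crt"),
    ]
    for finding in audit(SAMPLE):
        print(finding)
```

`audit()` with the default policy reports the second and third sample responses: the UMC path was served over plain http, and the certificate download was "redirected" to another http URL. Passing `only_paths=UMC_PATHS` instead shows the trade-off from comment 1 in action: `/ucs.crt` is then expected to stay on http, so only the unredirected UMC request remains as a finding.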
Comment 2 Florian Best univentionstaff 2015-06-10 18:16:21 CEST
svn r60988 removed ucs-4.0-2/services/univention-apache/debian/univention-apache.dirs. This breaks the ucs-overview.

Before:
/var/www/ucs-overview/
After:
/var/ucs-overview/
Comment 3 Philipp Hahn univentionstaff 2015-06-10 19:33:01 CEST
(In reply to Florian Best from comment #2)
> svn r60988 removed ucs-4.0-2/services/univention-apache/debian/univention-apache.dirs. This breaks the ucs-overview.
> 
> Before:
> /var/www/ucs-overview/
> After:
> /var/ucs-overview/

r61171 | Bug #38016 Apache: Fix overview page

Package: univention-apache
Version: 7.0.16-11.233.201506101926
Branch: ucs_4.0-0
Scope: errata4.0-2

r61172 | Bug #38016 Apache: Fix overview page YAML
 2015-06-02-univention-apache.yaml

FYI: univention-apache/Makefile:37 looks wrong: there is no "umc/" directory in univention-apache/. Prints an error message every time:

> find: "umc": Datei oder Verzeichnis nicht gefunden
...
> /usr/bin/dh-umc-translate -p univention-apache -l de -o js/ucs
Comment 4 Philipp Hahn univentionstaff 2015-06-11 10:34:36 CEST
r61176 | Bug #38016 Apache: Cleanup old stuff

Package: univention-apache
Version: 7.0.16-12.234.201506111025
Branch: ucs_4.0-0
Scope: errata4.0-2

r61177 | Bug #38016 Apache: Cleanup old stuff YAML
 2015-06-02-univention-apache.yaml
Comment 5 Tobias Birkefeld univentionstaff 2015-06-29 16:16:47 CEST
*** Bug 25647 has been marked as a duplicate of this bug. ***
Comment 6 Florian Best univentionstaff 2015-06-30 15:55:55 CEST
typo: kryctografischen → kryptografischen
typo: Weiterleitugn → Weiterleitung
Why is the sed dependency removed? The makefile uses sed.
In theory "RewriteEngine on" must be present in the added block in ssl.conf.
YAML: OK
I am currently not sure about svn r60988.
Comment 7 Philipp Hahn univentionstaff 2015-06-30 18:37:12 CEST
(In reply to Florian Best from comment #6)
> typo: kryctografischen → kryptografischen
> typo: Weiterleitugn → Weiterleitung

FIXED

> Why is the sed dependency removed? The makefile uses sed.

# apt-cache show sed | grep Ess
Essential: yes
<https://www.debian.org/doc/debian-policy/ch-binary.html#s-dependencies>
<https://www.debian.org/doc/debian-policy/footnotes.html#f10>

> In theory "RewriteEngine on" must be present in the added block in ssl.conf.

Added: UMC does it already, but it doesn't hurt to do it again.

> YAML: OK

r61583 | Bug #38016 Apache: Enable redirect to <https://>.

> I am currently not sure about svn r60988.

$ for e in 1 2; do dpkg -c ucs_4.0-0-errata4.0-$e/all/univention-apache_*_all.deb | awk '{print $1,$2,$6}' | sort -k3 >$TMPDIR/$e; done ; diff $TMPDIR/[12]
4d3
< drwxr-xr-x root/root ./etc/univention/apache/

→ not used

38d36
< drwxr-xr-x root/root ./usr/sbin/

→ empty default directory

45,46d42
< drwxr-xr-x root/root ./var/lib/
< drwxr-xr-x root/root ./var/lib/univention-apache/

→ not used

658a655
> -rw-r--r-- root/root ./var/www/ucs-overview/js/dijit/ProgressBar.js.orig 

→ Bug of some dojo/UMC build script? unrelated to the change.

# debdiff ucs_4.0-0-errata4.0-[12]/all/univention-apache_*_all.deb
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /var/www/ucs-overview/js/dijit/ProgressBar.js.orig

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-28365-] {+28355+}
Version: [-7.0.16-9.231.201503101333-] {+7.0.16-14.236.201506301757+}

Package: univention-apache
Version: 7.0.16-14.236.201506301757
Branch: ucs_4.0-0
Scope: errata4.0-2

r61584 | Bug #38016 Apache: Enable redirect to <https://> YAML
 2015-06-02-univention-apache.yaml
Comment 8 Florian Best univentionstaff 2015-06-30 18:44:12 CEST
OK
Comment 9 Janek Walkenhorst univentionstaff 2015-07-03 14:06:02 CEST
<http://errata.univention.de/ucs/4.0/218.html>