Univention Bugzilla – Bug 38016
ability to force SSL for ucs-overview and umc
Last modified: 2015-07-03 14:06:02 CEST
In a default installation it is possible to connect to /ucs-overview and /univention-management-console with plain http. Further links accessed from here will usually not switch to a secure connection. Even if the "insecure connection warning" appears when /univention-management-console is accessed with http it is still possible that users are simply ignoring this warning and continue. It should be possible to force https by using UCRV.
Added UCRV "apache2/force_https" to redirect *all* <http://> requests to <https://>. Use the Apache rewrite engine, as "Redirect permanent / https:///" does not yet work with apache2.2 as used in UCS-4.

This solution is not optimal and might be problematic in several cases:
- An App can only register a non-http variable, which would get re-directed anyway.
- Automatically downloading the .crt and .crl file might fail because of the missing root certificate.
- The initial connection will trigger the browser to show its certificate warning.

Possible options:
[ ] only force the re-direct for /univention-management-console/
[ ] only force a re-direct for /ucs-overview/
[ ] only force some links to use https:
    ucr search --brief --non-empty '^ucs/web/overview/entries/[^/]+/[^/]+/link$' | sed 's,link: .*,port_https=443,' | xargs ucr set

r60990 | Bug #38016 Apache: Enable redirect to <https://>
r60988 | Bug #38016 Apache: Remove old files
r60987 | Bug #38391: Copyright 2015

Package: univention-apache
Version: 7.0.16-10.232.201506021257
Branch: ucs_4.0-0
Scope: errata4.0-2

r60992 | Bug #38391, Bug #38016: apache,uss overview YAML
 2015-06-02-univention-apache.yaml
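The rewrite-based redirect from the comment above, next to the narrower per-path option it lists, as an added Apache configuration example. It is not the univention-apache template or any code from this bug; the virtual-host layout and the use of %{SERVER_NAME} as the redirect target are assumptions.

```apache
# Added example, not the univention-apache template.
# Plain-HTTP virtual host (layout is an assumption).
<VirtualHost *:80>
    # mod_rewrite settings are per virtual host: they are not inherited
    # from the main server config unless "RewriteOptions Inherit" is set,
    # so the engine is switched on in every block that carries rules.
    RewriteEngine On

    # Variant A: redirect every plain-HTTP request, the behaviour the
    # comment describes for apache2/force_https. Disabled here so that
    # only one variant is active.
    # RewriteCond %{HTTPS} !=on
    # RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]

    # Variant B: redirect only the two entry points named in the bug.
    # Every other path stays reachable over http, which avoids the
    # side effects listed above for paths outside these two prefixes.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(ucs-overview|univention-management-console)(/.*)?$ https://%{SERVER_NAME}/$1$2 [R=301,L]
</VirtualHost>
```

With Variant B the first request to either path still arrives unencrypted before the redirect is issued, so the browser certificate warning mentioned in the comment appears on the redirected request.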
svn r60988 removed ucs-4.0-2/services/univention-apache/debian/univention-apache.dirs. This breaks the ucs-overview.

Before:
/var/www/ucs-overview/
After:
/var/ucs-overview/
(In reply to Florian Best from comment #2)
> svn r60988 removed ucs-4.0-2/services/univention-apache/debian/univention-apache.dirs. This breaks the ucs-overview.
>
> Before:
> /var/www/ucs-overview/
> After:
> /var/ucs-overview/

r61171 | Bug #38016 Apache: Fix overview page

Package: univention-apache
Version: 7.0.16-11.233.201506101926
Branch: ucs_4.0-0
Scope: errata4.0-2

r61172 | Bug #38016 Apache: Fix overview page YAML
 2015-06-02-univention-apache.yaml

FYI: univention-apache/Makefile:37 looks wrong: there is no "umc/" directory in univention-apache/. Prints an error message every time:
> find: "umc": Datei oder Verzeichnis nicht gefunden ...
> /usr/bin/dh-umc-translate -p univention-apache -l de -o js/ucs
r61176 | Bug #38016 Apache: Cleanup old stuff

Package: univention-apache
Version: 7.0.16-12.234.201506111025
Branch: ucs_4.0-0
Scope: errata4.0-2

r61177 | Bug #38016 Apache: Cleanup old stuff YAML
 2015-06-02-univention-apache.yaml
*** Bug 25647 has been marked as a duplicate of this bug. ***
typo: kryctografischen → kryptografischen
typo: Weiterleitugn → Weiterleitung
Why is the sed dependency removed? The makefile uses sed.
In theory "RewriteEngine on" must be present in the added block in ssl.conf.
YAML: OK
I am currently not sure about svn r60988.
(In reply to Florian Best from comment #6)
> typo: kryctografischen → kryptografischen
> typo: Weiterleitugn → Weiterleitung

FIXED

> Why is the sed dependency removed? The makefile uses sed.

# apt-cache show sed | grep Ess
Essential: yes
<https://www.debian.org/doc/debian-policy/ch-binary.html#s-dependencies>
<https://www.debian.org/doc/debian-policy/footnotes.html#f10>

> In theory "RewriteEngine on" must be present in the added block in ssl.conf.

Added: UMC does it already, but it doesn't hurt to do it again.

> YAML: OK

r61583 | Bug #38016 Apache: Enable redirect to <https://>.

> I am currently not sure about svn r60988.

$ for e in 1 2; do dpkg -c ucs_4.0-0-errata4.0-$e/all/univention-apache_*_all.deb | awk '{print $1,$2,$6}' | sort -k3 >$TMPDIR/$e; done ; diff $TMPDIR/[12]
4d3
< drwxr-xr-x root/root ./etc/univention/apache/
→ not used
38d36
< drwxr-xr-x root/root ./usr/sbin/
→ empty default directory
45,46d42
< drwxr-xr-x root/root ./var/lib/
< drwxr-xr-x root/root ./var/lib/univention-apache/
→ not used
658a655
> -rw-r--r-- root/root ./var/www/ucs-overview/js/dijit/ProgressBar.js.orig
→ Bug of some dojo/UMC build script? unrelated to the change.

# debdiff ucs_4.0-0-errata4.0-[12]/all/univention-apache_*_all.deb
[The following lists of changes regard files as different if they have different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r-- root/root /var/www/ucs-overview/js/dijit/ProgressBar.js.orig

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-28365-] {+28355+}
Version: [-7.0.16-9.231.201503101333-] {+7.0.16-14.236.201506301757+}

Package: univention-apache
Version: 7.0.16-14.236.201506301757
Branch: ucs_4.0-0
Scope: errata4.0-2

r61584 | Bug #38016 Apache: Enable redirect to <https://> YAML
 2015-06-02-univention-apache.yaml
OK
<http://errata.univention.de/ucs/4.0/218.html>