I'd really like see SSL enforced for interfaces like aegir, sqlbuddy, chive, cgp etc. I acknowledge that SSL is enabled by default and does save a considerable amount of time but I also note that it is not forced on a default installation leaving your server open to non encrypted logins for example.

Any advice around this would be very much appreciated.

Comments

omega8cc’s picture

Status: Active » Needs work
Issue tags: +BOA-todo

We don't enforce HTTPS for anything but Hostmaster site, by design currently.

Barracuda can't assume it should force HTTPS for sqlbuddy or chive (there is no point in forcing SSL for cgp), because it always checks if there is already SSL (native in Aegir) enabled and then doesn't install its SSL proxy at all (on upgrade) and doesn't force HTTPS connections also for Hostmaster site, to avoid conflicts when you prefer to use Aegir built-in SSL feature.

We can't change that to stay compatible with pre-SSL-proxy installs, to support expected upgrade path, but maybe we could do that on new installs, as we are forcing SSL for Hostmaster sites by default anyway.

Of course *we could* add forced SSL mode to sqlbuddy and chive conditionally after checking if it is SSL proxy listening on the port 443 or rather built-in Aegir SSL has been enabled, so I'm marking this as todo.

snlnz’s picture

I was particularly targeting sqlbuddy as we never install cgp anyway but sounds like we're on the same page.
On fresh install would be quite handy.

Thanks for your response!

snlnz’s picture

Sorry I should have added this, what is best practice to force sqlbuddy to redirect non encrypted traffic to ssl?
should this be done at the vhost file or sqlbuddy config.

Be good to know if I make the change now will it stick through upgrades and am I doing it right?

mikhail’s picture

Hi,
I have an opposite question: How can i disable enforce HTTPS on hostmaster?

For example my hostname is server.example.com, and my front is example.com. I don`t want the redirection from http://example.com to httpS://example.com.
Or maby there is a way to make default self (barracuda?) sertificate trusted by all browsers? (sec_error_untrusted_issuer)

Is it a correct way to change this

if (preg_match("/hostmaster/", $conf['install_profile']) && isset($_SERVER['HTTP_USER_AGENT'])) {
  $request_type = ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ? 'SSL' : 'NONSSL';
  if ($request_type != "SSL" && !preg_match("/cron\.php/", $_SERVER['REQUEST_URI'])) { // we force secure connection here
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
  }

in global.inc?
p.s.
Thank you for perfect barracuda/octopus!

omega8cc’s picture

Yes, just replace your global.inc with this version: http://drupalcode.org/project/barracuda.git/blob/HEAD:/aegir/conf/global...

It is the same as http://drupalcode.org/project/barracuda.git/blob/HEAD:/aegir/conf/global... minus:

  $request_type = ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ? 'SSL' : 'NONSSL';
  if ($request_type != "SSL" && !preg_match("/cron\.php/", $_SERVER['REQUEST_URI'])) { // we force secure connection here
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
  }
omega8cc’s picture

Of course you could simply replace the self-signed cert and key generated on Barracuda install with valid cert and key for your domain.

mikhail’s picture

Thank you for answer!

Of course you could simply replace the self-signed cert and key generated on Barracuda install with valid cert and key for your domain.

Do you know the way to have valid cert for my domain without buying public trusted cert (like rapidssl). I mean that all my issue is to make hostmaster site work proper for the end user in http and if i will find the way in https, but without security issues from browsers.

omega8cc’s picture

You need some real cert to avoid warnings. There is no workaround. You may want to consider to transfer your domain to Gandi.net, as they offer SSL certificate free for every domain you have registered with them.

netdreamer’s picture

Today I found two different use cases that conflict with this way of handling https.

I know that it is easy to fix it by replacing or altering the redirect in global.inc as stated in #1236438-5: SSL enforced from install script but your open mind could imagine something better and let it survive to Barracuda upgrades :-)...

We have some groups of servers behind a reverse proxy (haproxy for load balancing, failover, maintenance splashpages and ... lack of public IPs).
Incoming traffic is routed to different internal servers
- if HTTP, based on URLs
- if HTTPS, based on port (use case 1)
- if HTTPS, sometimes, it is also decrypted on the proxy (with stunnel) and forwarded in plain HTTP to internal servers (use case 2)

For use case 1, global.inc patch fails because it redirects to a fixed port, the standard https 443.

For use case 2, global.inc patch fails because requests arrive to internal server always in HTTP, so condition $request_type != "SSL" is always satisfied and we start an infinite redirect loop

Maybe it is possible to put a couple of parameters somewhere (SSLPort: None or PortNumber, SSLCertificate filename)...

This leads to a question: is it the only place where https is enforced? We need to be sure that nothing else will be broken with this setup...

Thanks again for the good job!

omega8cc’s picture

It is the only place where HTTPS is enforced - only for Aegir control panel.

We could add a simple switch there with control file, so it could skip the redirect if the file is present and then you don't need to modify/patch anything on upgrade, just make sure your control file is in place.

omega8cc’s picture

netdreamer’s picture

That's perfect... so why not optimize it a little bit more? :-)

I admit that it's a very specific use case, but why don't add an "else" statement that INCLUDES the control file if available, so everyone can completely override the https logic and create a custom one (e.g., set a different https port, as per our use case 1)

if (!file_exists('/data/conf/no-https-aegir.inc')) {
 ...
} else {
 include('/data/conf/no-https-aegir.inc');
}
omega8cc’s picture

Feel free to submit a patch for review :)

omega8cc’s picture

Component: User interface » Code
Status: Needs work » Closed (works as designed)
omega8cc’s picture

Version: » 6.x-2.x-dev

Note that we now force SSL/HTTPS also for Chive and SQL Buddy by default. It is not possible to conditionally un-force it, unless you will edit respective vhosts.

Also, if you need things like different ports, this can't be done on the fly by any switch, you have to edit respective vhosts.