Closed (works as designed)
Project:
Barracuda
Version:
6.x-2.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
2 Aug 2011 at 03:41 UTC
Updated:
16 Aug 2013 at 07:52 UTC
I'd really like see SSL enforced for interfaces like aegir, sqlbuddy, chive, cgp etc. I acknowledge that SSL is enabled by default and does save a considerable amount of time but I also note that it is not forced on a default installation leaving your server open to non encrypted logins for example.
Any advice around this would be very much appreciated.
Comments
Comment #1
omega8cc commentedWe don't enforce HTTPS for anything but Hostmaster site, by design currently.
Barracuda can't assume it should force HTTPS for sqlbuddy or chive (there is no point in forcing SSL for cgp), because it always checks if there is already SSL (native in Aegir) enabled and then doesn't install its SSL proxy at all (on upgrade) and doesn't force HTTPS connections also for Hostmaster site, to avoid conflicts when you prefer to use Aegir built-in SSL feature.
We can't change that to stay compatible with pre-SSL-proxy installs, to support expected upgrade path, but maybe we could do that on new installs, as we are forcing SSL for Hostmaster sites by default anyway.
Of course *we could* add forced SSL mode to sqlbuddy and chive conditionally after checking if it is SSL proxy listening on the port 443 or rather built-in Aegir SSL has been enabled, so I'm marking this as todo.
Comment #2
snlnz commentedI was particularly targeting sqlbuddy as we never install cgp anyway but sounds like we're on the same page.
On fresh install would be quite handy.
Thanks for your response!
Comment #3
snlnz commentedSorry I should have added this, what is best practice to force sqlbuddy to redirect non encrypted traffic to ssl?
should this be done at the vhost file or sqlbuddy config.
Be good to know if I make the change now will it stick through upgrades and am I doing it right?
Comment #4
mikhail commentedHi,
I have an opposite question: How can i disable enforce HTTPS on hostmaster?
For example my hostname is server.example.com, and my front is example.com. I don`t want the redirection from http://example.com to httpS://example.com.
Or maby there is a way to make default self (barracuda?) sertificate trusted by all browsers? (sec_error_untrusted_issuer)
Is it a correct way to change this
in global.inc?
p.s.
Thank you for perfect barracuda/octopus!
Comment #5
omega8cc commentedYes, just replace your global.inc with this version: http://drupalcode.org/project/barracuda.git/blob/HEAD:/aegir/conf/global...
It is the same as http://drupalcode.org/project/barracuda.git/blob/HEAD:/aegir/conf/global... minus:
Comment #6
omega8cc commentedOf course you could simply replace the self-signed cert and key generated on Barracuda install with valid cert and key for your domain.
Comment #7
mikhail commentedThank you for answer!
Do you know the way to have valid cert for my domain without buying public trusted cert (like rapidssl). I mean that all my issue is to make hostmaster site work proper for the end user in http and if i will find the way in https, but without security issues from browsers.
Comment #8
omega8cc commentedYou need some real cert to avoid warnings. There is no workaround. You may want to consider to transfer your domain to Gandi.net, as they offer SSL certificate free for every domain you have registered with them.
Comment #9
netdreamer commentedToday I found two different use cases that conflict with this way of handling https.
I know that it is easy to fix it by replacing or altering the redirect in global.inc as stated in #1236438-5: SSL enforced from install script but your open mind could imagine something better and let it survive to Barracuda upgrades :-)...
We have some groups of servers behind a reverse proxy (haproxy for load balancing, failover, maintenance splashpages and ... lack of public IPs).
Incoming traffic is routed to different internal servers
- if HTTP, based on URLs
- if HTTPS, based on port (use case 1)
- if HTTPS, sometimes, it is also decrypted on the proxy (with stunnel) and forwarded in plain HTTP to internal servers (use case 2)
For use case 1, global.inc patch fails because it redirects to a fixed port, the standard https 443.
For use case 2, global.inc patch fails because requests arrive to internal server always in HTTP, so condition $request_type != "SSL" is always satisfied and we start an infinite redirect loop
Maybe it is possible to put a couple of parameters somewhere (SSLPort: None or PortNumber, SSLCertificate filename)...
This leads to a question: is it the only place where https is enforced? We need to be sure that nothing else will be broken with this setup...
Thanks again for the good job!
Comment #10
omega8cc commentedIt is the only place where HTTPS is enforced - only for Aegir control panel.
We could add a simple switch there with control file, so it could skip the redirect if the file is present and then you don't need to modify/patch anything on upgrade, just make sure your control file is in place.
Comment #11
omega8cc commentedFeature from #10 added in commit: http://drupalcode.org/project/barracuda.git/commit/02dfe68
Comment #12
netdreamer commentedThat's perfect... so why not optimize it a little bit more? :-)
I admit that it's a very specific use case, but why don't add an "else" statement that INCLUDES the control file if available, so everyone can completely override the https logic and create a custom one (e.g., set a different https port, as per our use case 1)
Comment #13
omega8cc commentedFeel free to submit a patch for review :)
Comment #14
omega8cc commentedComment #15
omega8cc commentedNote that we now force SSL/HTTPS also for Chive and SQL Buddy by default. It is not possible to conditionally un-force it, unless you will edit respective vhosts.
Also, if you need things like different ports, this can't be done on the fly by any switch, you have to edit respective vhosts.