Fixes: #2174.
When HSTS is set, there is no way to override the certificate warnings. LE does
not yet issue certificates for .onion domains. Certificate warnings are
certainly show there. Although browsers don't accept HSTS headers when the
certificate is invalid, it is best be safe and not set them for .onion domains.
Tests:
- Without the patch, on normal and .onion domains, HSTS is set only when using
HTTPS.
- With the patch, HSTS is set only when using HTTPS but only for normal domains
but not .onion domains.
- The patch works when tested with .onion and .ONION hosts.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Without the patch, run torsocks curl -kv http://DOMAIN.onion. Observe that
redirection to https happens.
- Without the patch, run curl -kv http://localhost. Observe that redirection to
https happens.
- With the patch, run torsocks curl -kv http://DOMAIN.onion. Observe that
redirection to https does not happen.
- With the patch, run curl -kv http://localhost. Observe that redirection to
https happens.
[sunil: Perform case insensitive match]
[sunil: Remove capture of domain name match]
[sunil: Strictly check that domain ends with .onion]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>
- TLS configuration as recommended by Mozilla's SSL Configuration Generator with
'Intermediate' configuration. See:
https://wiki.mozilla.org/Security/Server_Side_TLS
- Disable ciphers that are weak or without forward secrecy.
- Allow client to choose ciphers as they will know best if they have support for
hardware-accelerated AES.
- TLS session tickets (RFC 5077) require restarting web server with an
appropriate frequency. See:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
- Send OCSP responses to the client and reduce their round trips.
- No need to increment apache app version number as it has already been
incremented in this release cycle for enabling HTTP/2 module.
Tests:
- FreedomBox interface is reachable with the changes.
- ssllabs.com gives an A+ rating on a server with these changes.
- All ciphers are shown as secure.
- Forward Secrecy rating is ROBUST.
- OCSP stapling shows as enabled.
- Client support seems to match the expected after dropping <= TLS1.1.
- Session resumption with tickets shows as disabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- We have switched to mod_ssl long time ago and are no longer using mod_gnutls.
- It is additional effort configure and test mod_gnutls.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- As recommended by Mozilla SSL Configuration Generator for 'intermediate'
compatibility configuration: https://ssl-config.mozilla.org/
- As recommended by IETF RFC 7525:
https://datatracker.ietf.org/doc/html/rfc7525#section-3.1.1
- As recommended by NIST: Guidelines for the Selection, Configuration, and Use
of Transport Layer Security (TLS) Implementations:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
- The following are now the client version requirements for FreedomBox web
interface: Firefox: 27, Android: 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7),
Java: 8u31, OpenSSL: 1.0.1, Opera: 20, Safari: 9
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Drop SSLv2, it is not valid anymore as per Apache manual]
[sunil: More detailed commit message and comments]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests performed:
- Fonts Lato is properly and displayed.
- No <frame>, <iframe>, <video>, <audio>, <track>, <embed>, <object>, <applet>
tags are used in FreedomBox source code.
- Checked that there are no images referring to external URLs. Most of the
common images such as apps lists, system list, networks and manual show images
properly.
- Styles specified in main.css work as well as page specific styles such as in
networks. Firefox developer console shows inline styles loaded.
- JSXC is able to make XHR requests to ejabberd.
- Able to launch <a> links with _target='blank' such as in /help/support/.
- When visiting external websites, such as in donate page, Referer header is not
sent. When visiting page within FreedomBox interface, Referer header is sent
with path.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- SVG is not one of the formats for which compress is turned on automatically by
Apache configuration.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
The changes made to freedombox.conf in moving the apache homepage configuration
to an external file freedombox-apache-homepage.conf will cause a conffile prompt
when upgrading to freedombox 19.2. Reverting changes in freedombox.conf to avoid
this.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Depending on which module is enabled, different configuration is used.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Don't set log level explicitly. Fallback to value set in global Apache
configuration.
- Don't set directory options already set in global configuration.
- Remove /cgi-bin/. Only ikiwiki uses cgi and it is served from a different path
than /usr/lib/cgi-bin.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Update description to simply and talk about multiple protocols supported.
- Don't diagnose on IPv6 as mldonkey does not listen there.
- Run yapf and isort.
- Minor styling fixes.
- Update functional tests to check for service running.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
- Radicale 1 needs to have /radicale/.well-known/*dav to the URLs where as
Radicale 2 needs to have /radicale to be the URLs. Hence have two separate
apache configuration files.
- Use expr= when setting X-REMOTE-USER header to set the authenticated user name
properly. Without this all users are using a single user '(null)' data.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Makes it trivial to alter site configuration for all domains at once. Also
possible to easily switch to TLS modules other than mod_gnutls.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Avoid Satisfy and Allow which are deprecated.
- Make sure the redirection rule applies only to the URL intended.
- Fix issue with Proxy matching of URLs.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Also try to automatically work for future versions of PHP.
Fixes#1413Fixes#1258
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
In ejabberd 18.09-1, the default BOSH port is changed from 5280 to
5443. Update ejabberd diagnostics and the jwchat-plinth apache conf,
which is used by JSXC.
Fixes#1398.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
- Increment version number
- Functional test for uploading files
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Move the file editing code to actions/config since it must be executed by a
super user.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Newer versions of Django axes have newly way to get the IP address of a client
using ipware library. This has multiple security issues
https://github.com/jazzband/django-axes/issues/286 . Workaround them by
controlling the X-FORWARDED-FOR header sent from Apache to FreedomBox and by
limiting the headers that ipware uses.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Adds the basic application framework
- Adds the sharing page for index and adding share
- Adds the action for sharing for adding and listing shares
Signed-off-by: Prachi Srivastava <prachisr@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
- Use 32-bit key for HMAC-256
- Use secrets library instead of os.urandom
- uwsgi enable/disable along with webserver enable/disable
- Text changes
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Add settings in Service View
- Fixes for maximum file setting
- Don't allow negative values for max. file size in UI
- Minor text changes to django messages
- Minor correction to maximum file size calculation
- Rename apache conf file to coquelicot-freedombox.conf
- Remove all hacks to adjust file size.
- Fix permissions issues for settings file
- Show status block in UI
- try-restart on settings change instead of restart
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- More user-friendly treatment of groups and their permissions
Closes#690
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
django-simple-captcha's /refresh url's regex was matching anything that ends
with the word "refresh". This was clashing with sso/refresh. Changed the regex
for captcha's url to captcha/refresh.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Change sso refresh url to refresh-pubtkt since refresh was conflicting with
captcha's image refresh url.
- Fix datetime.timedelta calculation for refresh interval. Now validity of
ticket is 30 seconds as it was intended to be. It was wrongly set to 30 days
earlier.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Disabled login using username and password.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
