- This allows overriding these headers in individual pages easily instead of
relaxing global policy.
- Drop the obsolete CSP directive "block-all-mixed-content" and avoid a console
warning in Firefox.
Tests:
- Load a page and notice in the browser developer tools that the three headers
referrer-policy, content-security-policy, and x-content-type-options are set as
before.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes#2256.
Based on a suggestion by Andrew Betts on the mailing list.
https://alioth-lists.debian.net/pipermail/freedombox-discuss/2022-August/009553.html
Sunil:
- Consolidate changes from various apps into a centralized place in
freedombox.conf applicable for all directory listings.
Tests:
- In Sharing, TiddlyWiki and FeatherWiki apps, directory listing when viewed
with Firefox Developer Tools Mobile view set to a Galaxy S20+ looks reasonable.
Without the patch the page is very zoomed out.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Don't redirect to '/index.html' when Apache Default is set as the home page.
This allows having other files such as 'index.php' as index file in
/var/www/html/.
- If the home page is currently set to 'Apache Default' upgrade the
configuration.
Tests:
- With Home page set to 'Apache Default' apply the patches. Config setup is
re-run. The configuration file becomes empty but is still present. Correctly
value is shown in the UI. /var/www/html/index.html is still shown as the home
page.
- With Home page set to 'Bepasty' apply the patches. Config setup is re-reun.
The configuration file is not modified. Bepasty is still shown as the home page.
Correctly value is shown in the UI.
- With Home page not modified apply the patches. Config setup is re-reun. The
configuration file is created. FreedomBox is the home page. Correctly value is
shown in the UI.
- On fresh machine with patches applied, perform first run. The configuration
file is not created. FreedomBox is the home page. Correctly value is shown in
the UI.
- Changing home page to Bepasty or 'Apache Default' works. Changing back to
'FreedomBox Service (Plinth)' also works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Needed for many inline SVG images included by Bootstrap 5 using data: URLs.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Without this change when opening popups, Firefox throws the error 'Blocked
Page' under certain conditions.
- Complete a comment that was seemingly left unfinished.
Tests:
- With the changes installed with 'make build install', opening popups with
<a target="_blank"></a> works without 'Blocked page' error.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Closes: #2264.
- Set apache-auth fail2ban jail's backend to read from journal instead of
syslog. Tweak the regex matching to deal with the custom format.
- Adjust the apache error log format to remove unnecessary timestamp. It causes
problems for fail2ban regex matching.
- There was an error in the earlier patch the make apache log into journald.
Configuration for TLS sites still contained ErrorLog and CustomLog directives.
Remove them.
- There is also file with CustomLog directive that logs for other vhosts.
- For some reason, for custom error log format, %T - thread ID did not work and
had to switch to %{g}T global thread ID.
- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.
Tests:
- In a container, apply the patch, run setup and start FreedomBox. Apache app is
updated to new version. Apache web server is reloaded. The
other-vhosts-access-log configuration is disabled.
- On a production machine, remove the directives in
freedombox-tls-site-macro.conf and disabling other-vhosts-access-log stopped the
logging into /var/log/apache2/ directory.
- Use TTRSS /tt-rss-app/ URL and type wrong credentials for 10 times. The client
is banned for 10 minutes. Repeat after unban. Client is banned again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Redirect with separate identifiers so that they can retrieved separately.
- Enable virtual host log format that include name of the domain accessed so
that that information is preserved.
- There is no need to increment the apache app's version number as it has been
incremented earlier in the patch series (for this release).
Tests:
- In a fresh container, setup succeeds. Default apache sites 000-default.conf
and default-ssl.conf are disabled. freedombox-default.conf is enabled. Apache
access logs and error logs are sent to systemd journal.
- Without the patch applied, create a container. Run setup and access Plinth
interface. Apply the patches. Apache setup is run. a2query -s default and
a2query -s 000-default show that sites are not enabled. a2query -s
freedombox-default shows that site is enabled. Apache access logs and error logs
are sent to systemd journal.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This is useful mostly for future when we may switch from /plinth to /freedombox.
Tests:
- Accessing /freedombox/app/transmission works. Although redirects generated by
the FreedomBox web service still redirect to /plinth. For example, redirection
after logout and auto-redirection to login page.
- Accessing pages of FreedomBox works as usual on /plinth and /freedombox.
Content-Security-Policy is set.
- Accessing /foo/plinth/app/transmission throws 404.
- Accessing http:// redirects to https:// for /plinth and /freedombox.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- It is simpler to keep all the configuration in a single file. Any overrides
are expected to be done by writing additional configuration files with higher
priority.
- /etc/apache2/site-available/ is typically reserved for virtual host
configurations. Redirections and proxying for all virtual hosts rather belongs
in /etc/apache2/conf-available/.
- This looses the option of disabling plinth-ssl.conf when needed. In the
initial days of enabling TLS, there was a need felt to keep the option of easily
disabling redirection to TLS in case there is a need for it. However, TLS
certificate setup is mature and the limitations are well understood. There is no
longer a need for it. It still may be possible to avoid the redirection with an
additional configuration.
Tests:
- In a fresh container, setup succeeds. Redirecting to https:// for /plinth
works. FreedomBox web interface is available.
- Without the patch applied created a container. Run setup and access Plinth
interface. Apply the patches. Apache setup is run. a2query -s plinth and a2query
-s plinth-ssl show that sites are not enabled. Redirecting to https:// for
/plinth works. FreedomBox web interface is available.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Fixes: #2174.
When HSTS is set, there is no way to override the certificate warnings. LE does
not yet issue certificates for .onion domains. Certificate warnings are
certainly show there. Although browsers don't accept HSTS headers when the
certificate is invalid, it is best be safe and not set them for .onion domains.
Tests:
- Without the patch, on normal and .onion domains, HSTS is set only when using
HTTPS.
- With the patch, HSTS is set only when using HTTPS but only for normal domains
but not .onion domains.
- The patch works when tested with .onion and .ONION hosts.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- TLS configuration as recommended by Mozilla's SSL Configuration Generator with
'Intermediate' configuration. See:
https://wiki.mozilla.org/Security/Server_Side_TLS
- Disable ciphers that are weak or without forward secrecy.
- Allow client to choose ciphers as they will know best if they have support for
hardware-accelerated AES.
- TLS session tickets (RFC 5077) require restarting web server with an
appropriate frequency. See:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
- Send OCSP responses to the client and reduce their round trips.
- No need to increment apache app version number as it has already been
incremented in this release cycle for enabling HTTP/2 module.
Tests:
- FreedomBox interface is reachable with the changes.
- ssllabs.com gives an A+ rating on a server with these changes.
- All ciphers are shown as secure.
- Forward Secrecy rating is ROBUST.
- OCSP stapling shows as enabled.
- Client support seems to match the expected after dropping <= TLS1.1.
- Session resumption with tickets shows as disabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests performed:
- Fonts Lato is properly and displayed.
- No <frame>, <iframe>, <video>, <audio>, <track>, <embed>, <object>, <applet>
tags are used in FreedomBox source code.
- Checked that there are no images referring to external URLs. Most of the
common images such as apps lists, system list, networks and manual show images
properly.
- Styles specified in main.css work as well as page specific styles such as in
networks. Firefox developer console shows inline styles loaded.
- JSXC is able to make XHR requests to ejabberd.
- Able to launch <a> links with _target='blank' such as in /help/support/.
- When visiting external websites, such as in donate page, Referer header is not
sent. When visiting page within FreedomBox interface, Referer header is sent
with path.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- SVG is not one of the formats for which compress is turned on automatically by
Apache configuration.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
The changes made to freedombox.conf in moving the apache homepage configuration
to an external file freedombox-apache-homepage.conf will cause a conffile prompt
when upgrading to freedombox 19.2. Reverting changes in freedombox.conf to avoid
this.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Move the file editing code to actions/config since it must be executed by a
super user.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
