action #66610

Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts

Added by mkittler 11 months ago. Updated 6 months ago.

Status: New
Priority: Low
Assignee: -
Target version:
Start date: 2020-05-05
Due date:
% Done: 0%
Estimated time:

Description

The OpenID login does not work with plain HTTP anymore: OpenID login can fail on HTTPS-enabled openQA instances, so at least the /login route should redirect to HTTPS. Besides, without HTTPS the session is likely not secure at all (e.g. a man in the middle could inject JavaScript and, for instance, do arbitrary AJAX calls to openQA's API).

Notes

Take care that the workers can still connect. I'm not sure whether they will use HTTPS automatically so it might be required to use HOST = http://... in workers.ini (at least if enforcing SSL for everything and not just the /login route).

History

#1 Updated by okurz 11 months ago

  • Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) to Disable non-SSL in production openQA instances using OpenID (OSD, o3) for login attempts
  • Description updated (diff)

Not sure if you maybe missed my comment in rocket chat where I wrote "I just checked again, from an openQA instance on http://localhost using openID I can log in flawlessly and I am redirected to http://localhost when I enabled "httpsonly = 0" in /etc/openqa/openqa.ini as is described in the documentation. If you want to try out openid+http go to http://okurz-vm.qa.suse.de"

I updated the description to reflect that this concerns https-enabled instances, not the generic case. Ok like this?

I would trust that any recent browser that supports JavaScript automatically redirects to the https routes as available. So the problem might concern only /login redirection while we can still keep read-only access without enforcing https.

Can we find a solution within perl code that redirects to /login over https if available if "httpsonly=1" so that we do not need an "apache-specific" solution?

#2 Updated by okurz 11 months ago

  • Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) for login attempts to Disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts

#3 Updated by mkittler 11 months ago

Not sure if you maybe missed my comment in rocket chat […]

Yes, I've missed that and it works on your instance indeed.

Can we find a solution within perl code that redirects to /login over https if available if "httpsonly=1" so that we do not need an "apache-specific" solution?

That is generally possible as well. I'm not sure how much knowledge the "Perl code" needs/has about the reverse proxy setup to make it work, though.
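One way to implement the Perl-side redirect discussed in the description and in comments #1 and #3, as an added example that is not openQA's own code: a Mojolicious::Lite app (openQA is built on Mojolicious) that sends plain-HTTP requests for /login to HTTPS when an assumed httpsonly setting is on and leaves every other route reachable over HTTP. The https_url_for helper, the @secure_only list and the HTTPSONLY environment variable are assumptions made for this demonstration.

```perl
#!/usr/bin/env perl
# Added example, not openQA code: force only the /login route onto HTTPS when
# the (assumed) "httpsonly" setting is on, leaving other routes reachable over
# plain HTTP so workers configured with HOST = http://... keep working.
use Mojolicious::Lite -signatures;

# Stand-in for the httpsonly key from /etc/openqa/openqa.ini (assumption).
my $httpsonly = $ENV{HTTPSONLY} // 1;

# Routes that must never be served over plain HTTP when httpsonly is set.
my @secure_only = qw(/login /logout);

# Build the https:// URL the client should be sent to instead.
sub https_url_for ($c) {
    my $url = $c->req->url->to_abs->clone;
    $url->scheme('https');
    # Drop an explicit :80 so the target is the proxy's default HTTPS port.
    $url->port(undef) if defined $url->port && $url->port == 80;
    return $url;
}

# Runs before every route; returning true lets the request continue.
under sub ($c) {
    my $path = $c->req->url->path->to_string;
    return 1 unless $httpsonly && grep { $path =~ m{^\Q$_\E(/|$)} } @secure_only;
    # is_secure reflects X-Forwarded-Proto only when the server runs in
    # reverse-proxy mode (MOJO_REVERSE_PROXY=1, or "proxy => 1" for hypnotoad);
    # behind apache without that flag every request would look insecure and
    # the redirect would loop.
    return 1 if $c->req->is_secure;
    $c->app->log->info("redirecting plain-HTTP $path to HTTPS");
    $c->redirect_to(https_url_for($c));
    return undef;    # stop dispatch, the redirect is the response
};

get '/'      => sub ($c) { $c->render(text => "read-only index, fine over http\n") };
get '/login' => sub ($c) { $c->render(text => "OpenID login would start here\n") };

app->start;
```

Run it with `MOJO_REVERSE_PROXY=1 perl app.pl daemon` and compare `curl -i http://127.0.0.1:3000/login` (302 to https://127.0.0.1/login) with the same request carrying `-H 'X-Forwarded-Proto: https'`, which is served directly.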

#4 Updated by okurz 10 months ago

  • Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts to Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts

#5 Updated by okurz 9 months ago

  • Priority changed from Normal to Low

#6 Updated by okurz 6 months ago

  • Target version set to Ready

#7 Updated by okurz 6 months ago

  • Target version changed from Ready to future
