action #66610 (status: open, 0% done)
Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts
Description
OpenID login can fail on https-enabled openQA instances, so at least the /login route should redirect to HTTPS. Besides, without HTTPS the session is likely not secure at all (e.g. a man in the middle could inject JavaScript and for instance do arbitrary AJAX calls to openQA's API).
notes
Take care that the workers can still connect. I'm not sure whether they will use HTTPS automatically so it might be required to use HOST = http://... in workers.ini (at least if enforcing SSL for everything and not just the /login route).
Updated by okurz over 4 years ago
- Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) to Disable non-SSL in production openQA instances using OpenID (OSD, o3) for login attempts
- Description updated (diff)
Not sure if you maybe missed my comment in rocket chat where I wrote "I just checked again, from an openQA instance on http://localhost using openID I can login flawlessly and I am redirected to http://localhost when I enabled "httpsonly = 0" in /etc/openqa/openqa.ini as is described in the documentation. If you want to try out openid+http go to http://okurz-vm.qa.suse.de"
I updated the description to reflect that this concerns https-enabled instances, not the generic case. Ok like this?
I would trust that any recent browser that supports javascript is automatically redirecting to the available https routes as available. So the problem might concern only /login redirection while we can still keep read-only access without enforcing https.
Can we find a solution within perl code that redirects to /login over https if available if "httpsonly=1" so that we do not need an "apache-specific" solution?
Updated by okurz over 4 years ago
- Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) for login attempts to Disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts
Updated by mkittler over 4 years ago
Not sure if you maybe missed my comment in rocket chat […]
Yes, I've missed that and it works on your instance indeed.
Can we find a solution within perl code that redirects to /login over https if available if "httpsonly=1" so that we do not need an "apache-specific" solution?
That is generally possible as well. I'm not sure how much knowledge the "Perl code" needs/has about the reverse proxy setup to make it work, though.
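A sketch of the Perl-side approach discussed above, added here as an illustration and not openQA's own code: a Mojolicious before_dispatch hook that forces only the /login route to HTTPS when httpsonly is set, while read-only routes and the worker API stay reachable over plain HTTP. It assumes TLS is terminated by a reverse proxy that sets X-Forwarded-Proto (the hook trusts that header, which is the reverse-proxy knowledge mkittler mentions), and that httpsonly lives under [global] in openqa.ini; the route handlers are placeholders.

```perl
# Added example, not openQA code: redirect plain-HTTP /login to HTTPS when
# httpsonly is enabled. Assumes a TLS-terminating reverse proxy in front of
# the app that sets X-Forwarded-Proto, and httpsonly under [global].
use Mojolicious::Lite -signatures;

# Stand-in for the value that would be read from /etc/openqa/openqa.ini
app->config(global => {httpsonly => 1});

# Only these paths are forced to HTTPS; everything else (read-only pages,
# /api used by the workers) keeps working over plain HTTP.
my %force_https = map { $_ => 1 } ('/login', '/response');

hook before_dispatch => sub ($c) {
  return unless app->config->{global}{httpsonly};
  my $path = $c->req->url->path->to_string;
  return unless $force_https{$path};

  # Behind a TLS-terminating proxy the backend only sees plain HTTP, so the
  # proxy's X-Forwarded-Proto header is consulted besides Mojolicious' own
  # scheme check (which already honours it when MOJO_REVERSE_PROXY=1 is set).
  my $fwd = lc($c->req->headers->header('X-Forwarded-Proto') // '');
  return if $c->req->is_secure || $fwd eq 'https';

  # Rebuild the same URL (host, path, query string) with the https scheme and
  # drop the plain-HTTP port so the default 443 is used.
  my $url = $c->req->url->to_abs;
  $url->scheme('https')->port(undef);

  # 301 is kept by redirect_to (it only sets 302 when no 3xx code is present)
  $c->res->code(301);
  $c->redirect_to($url->to_string);
};

# Placeholder handlers standing in for openQA's real routes
get '/login' => sub ($c) {
  $c->render(text => 'login over ' . $c->req->url->to_abs->scheme);
};
get '/' => sub ($c) {
  $c->render(text => 'read-only access still works over plain HTTP');
};

app->start;
```

Run it with `perl app.pl daemon` and request /login with and without `X-Forwarded-Proto: https` to see the redirect only on the plain-HTTP path; the /login path check would need to account for a URL prefix if the instance is served under a sub-path.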
Updated by okurz over 4 years ago
- Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts to Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts