action #66610

open

Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts

Added by mkittler almost 4 years ago. Updated over 3 years ago.

Status: New
Priority: Low
Assignee: -
Category: -
Target version:
Start date: 2020-05-05
Due date:
% Done: 0%
Estimated time:

Description

The OpenID login does not work with plain HTTP anymore: OpenID login can fail on https-enabled openQA instances, so at least the /login route should redirect to HTTPS. Besides, without HTTPS the session is likely not secure at all (e.g. a man in the middle could inject JavaScript and for instance do arbitrary AJAX calls to openQA's API).

notes

Take care that the workers can still connect. I'm not sure whether they will use HTTPS automatically so it might be required to use HOST = http://... in workers.ini (at least if enforcing SSL for everything and not just the /login route).

Actions #1

Updated by okurz almost 4 years ago

  • Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) to Disable non-SSL in production openQA instances using OpenID (OSD, o3) for login attempts
  • Description updated (diff)

Not sure if you maybe missed my comment in rocket chat where I wrote "I just checked again, from an openQA instance on http://localhost using openID I can login flawlessly and I am redirected to http://localhost when I enabled "httpsonly = 0" in /etc/openqa/openqa.ini as is described in the documentation. If you want to try out openid+http go to http://okurz-vm.qa.suse.de"

I updated the description to reflect that this concerns https-enabled instances, not the generic case. Ok like this?

I would trust that any recent browser that supports javascript is automatically redirecting to the available https routes as available. So the problem might concern only /login redirection while we can still keep read-only access without enforcing https.

Can we find a solution within perl code that redirects to /login over https if available if "httpsonly=1" so that we do not need an "apache-specific" solution?

Actions #2

Updated by okurz almost 4 years ago

  • Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) for login attempts to Disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts
Actions #3

Updated by mkittler almost 4 years ago

> Not sure if you maybe missed my comment in rocket chat […]

Yes, I've missed that and it works on your instance indeed.

> Can we find a solution within perl code that redirects to /login over https if available if "httpsonly=1" so that we do not need an "apache-specific" solution?

That is generally possible as well. I'm not sure how much knowledge the "Perl code" needs/has about the reverse proxy setup to make it work, though.
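One way the redirect discussed in #1 and #3 could look inside the application, as an added example that is not openQA's own code: a minimal Mojolicious::Lite app (Mojolicious being the framework openQA is built on) that sends plain-HTTP requests for /login to the HTTPS version of the same URL when httpsonly is set, and leaves every other route, e.g. the worker API mentioned in the notes, reachable over HTTP. Reading httpsonly via app->config is a stand-in for parsing /etc/openqa/openqa.ini; the /login and /api/v1/ping routes are placeholders.

```perl
#!/usr/bin/env perl
# Added example, not openQA's own code: redirect plain-HTTP /login requests
# to HTTPS when "httpsonly" is enabled, leaving other routes untouched.
use Mojolicious::Lite;

# Stand-in for reading httpsonly from /etc/openqa/openqa.ini (assumption).
app->config(httpsonly => 1);

# Behind Apache/nginx the app only ever sees plain HTTP from the proxy, so it
# has to trust the proxy's X-Forwarded-Proto header. Mojolicious does that in
# reverse proxy mode, which makes $c->req->is_secure true for requests the
# proxy received over TLS. Only enable this when the app is not reachable
# directly, otherwise a client could spoof the header itself.
$ENV{MOJO_REVERSE_PROXY} = 1;

hook before_dispatch => sub {
  my $c = shift;
  return unless app->config('httpsonly');
  return if $c->req->is_secure;                    # already HTTPS (directly or via proxy)
  return unless $c->req->url->path =~ m{^/login};  # restrict to the login route
  my $url = $c->req->url->to_abs;                  # same host, path and query ...
  $url->scheme('https')->port(undef);              # ... on the default HTTPS port
  $c->res->code(301);                              # permanent, so browsers remember it
  $c->redirect_to($url);
};

# Placeholder routes standing in for openQA's login and worker API endpoints.
get '/login'       => sub { shift->render(text => "login only reachable over https\n") };
get '/api/v1/ping' => sub { shift->render(text => "ok\n") };  # still served over http

app->start;
```

Run it with `morbo example.pl`; `curl -i http://127.0.0.1:3000/login` answers with a 301 and a `Location: https://127.0.0.1/login` header, the same request with `-H 'X-Forwarded-Proto: https'` (what the reverse proxy would add) is served normally, and `/api/v1/ping` is never redirected. The only knowledge the Perl side needs about the proxy is that the proxy sets X-Forwarded-Proto and that reverse proxy mode is switched on; everything else (host, path, query) is taken from the request itself.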

Actions #4

Updated by okurz almost 4 years ago

  • Subject changed from Disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts to Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts
Actions #5

Updated by okurz over 3 years ago

  • Priority changed from Normal to Low
Actions #6

Updated by okurz over 3 years ago

  • Target version set to Ready
Actions #7

Updated by okurz over 3 years ago

  • Target version changed from Ready to future