Project

General

Profile

Actions

action #66610

open

Prevent misleading login failing over http on https-enabled instances, e.g. disable non-SSL in production openQA instances using OpenID (OSD, o3) at least for login attempts

Added by mkittler over 4 years ago. Updated about 4 years ago.

Status:
New
Priority:
Low
Assignee:
-
Category:
-
Target version:
Start date:
2020-05-05
Due date:
% Done:

0%

Estimated time:

Description

The OpenID login does not work with plain HTTP anymore openID login can fail on https enabled openQA instances so at least the /login route should redirect to HTTPS . Besides, without HTTPS the session is likely not secure at all (e.g. a man in the middle could inject JavaScript and for instance do arbitrary AJAX calls to openQA's API).

notes

Take care that the workers can still connect. I'm not sure whether they will use HTTPS automatically so it might be required to use HOST = http://... in workers.ini (at least if enforcing SSL for everything and not just the /login route).

Actions

Also available in: Atom PDF