* Wed Sep 24 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-117.sme
- set correctly X-Forwarded-Proto for TKT auth [SME: 13175] updated CSP for smanager
This commit is contained in:
@@ -3,16 +3,14 @@
|
||||
|
||||
$haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
|
||||
$plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
|
||||
$plainPort = ${'httpd-e-smith'}{TCPPort} || '80';
|
||||
$adminPort2 = ${'smanager'}{TCPPort} || '982';
|
||||
$adminAccess = ${'smanager'}{access} || 'private';
|
||||
$sslPort = ${modSSL}{TCPPort} || '443';
|
||||
|
||||
$OUT = '';
|
||||
|
||||
foreach $place ('smanager')
|
||||
{
|
||||
if (($port eq $plainPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
|
||||
if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
|
||||
{
|
||||
$OUT .= ' RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$' . "\n";
|
||||
$OUT .= " RewriteRule ^/$place(/.*|\$) https://%{HTTP_HOST}/$place\$1 [L,R]\n";
|
||||
@@ -24,14 +22,18 @@
|
||||
$OUT .= " ProxyPreserveHost On\n";
|
||||
$OUT .= " ProxyPass /$place http://127.0.0.1:$adminPort2 keepalive=On\n";
|
||||
$OUT .= " ProxyPassReverse /$place http://127.0.0.1:$adminPort2\n";
|
||||
$OUT .= " RequestHeader set X-Forwarded-Proto 'http'\n";
|
||||
if ($port eq $httpsPort)
|
||||
{
|
||||
# mod_auth_tkt needs to know the protocol to write 307 redirection
|
||||
$OUT .= " RequestHeader set X-Forwarded-Proto \"https\"\n";
|
||||
}
|
||||
|
||||
$OUT .= " <Location '/$place'>\n";
|
||||
if ($port eq $plainPort)
|
||||
if ($port eq $httpPort)
|
||||
{
|
||||
$OUT .= ' Require ip 127.0.0.1' . "\n";
|
||||
}
|
||||
elsif (($haveSSL eq 'yes') && ($port eq $sslPort) && ($adminAccess eq 'public'))
|
||||
elsif (($haveSSL eq 'yes') && ($port eq $httpsPort) && ($adminAccess eq 'public'))
|
||||
{
|
||||
$OUT .= "# public access requested in conf db\n";
|
||||
$OUT .= " Require all granted\n";
|
||||
@@ -40,15 +42,25 @@
|
||||
$OUT .= " Require ip $localAccess $externalSSLAccess\n";
|
||||
}
|
||||
# any smanager script or style added in line should be hashed and added here to run in a modern browser
|
||||
$OUT .= " Header set Content-Security-Policy \"script-src 'self' 'unsafe-eval' 'unsafe-hashes' "
|
||||
." 'sha256-X8Qwlk0M9iDTQZqFVpbVcThRjBqQXpwTOZCLX8I+Frk=' 'sha256-inQ04nmqTZI75Z5g/tAzjahedNugPFfrhxHyoFezFkM=' 'sha256-5IsIX+Vbow7wwy2RjR3+5X06R/0CQZPkw3OHj/228cM=' 'sha256-tfVskwioRaNsV75h89itf7FujMgIrodfs1Ea4UAJNpE=' 'sha256-P51OyslUh5bGkoWk9qY+o4Su4HuwNFoQcFCeNxF7Ms8=' ; "
|
||||
$OUT .= " Header set Content-Security-Policy \"script-src 'self' 'unsafe-eval' 'unsafe-hashes' "
|
||||
# list of hashes for script-src we accept and reference to find them
|
||||
." 'sha256-T5nv1LP9Xxdv7I1tsdTYprjvwoZyVEvfe8Y4TLx59pk='" # $(document).ready(function() \{ $('#tognav').click(function()
|
||||
." 'sha256-TxVHbw3t1mXreukND/yBI+H+CscZDpyxPoNoBrRhmSE=' " # (function($) \{ $.fn.swapClass = function(class1, class2)
|
||||
." 'sha256-30Xxu25YbRvjbQ2ngJ8EyneSz0No788PqjM9XbQh+qM=' " # ...const togglePassword...
|
||||
." 'sha256-5PrS/6zSCY/wROLKhAm4ymOuYsfvvScrC9Vp8FtOpxU=' " # nutups:316 window.onload = function() \{ SelectInput();
|
||||
." 'sha256-pxCVW6zyLaFSTIpOP2p4ULot8y+QsEmSEjKE54zDTWQ=' " # nutups:317 window.onload = function() \{ SelectInput();
|
||||
#." 'sha256-X8Qwlk0M9iDTQZqFVpbVcThRjBqQXpwTOZCLX8I+Frk=' 'sha256-inQ04nmqTZI75Z5g/tAzjahedNugPFfrhxHyoFezFkM=' 'sha256-5IsIX+Vbow7wwy2RjR3+5X06R/0CQZPkw3OHj/228cM=' 'sha256-tfVskwioRaNsV75h89itf7FujMgIrodfs1Ea4UAJNpE=' 'sha256-P51OyslUh5bGkoWk9qY+o4Su4HuwNFoQcFCeNxF7Ms8=' " #need valiation if still needed
|
||||
." ; "
|
||||
." style-src 'self' 'unsafe-hashes' "
|
||||
#'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' #h2l1
|
||||
#'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' #busy-indicator
|
||||
#'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' _footer.html.ep style="position:relative;"
|
||||
#'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' _usr_list style="min-width:35em"
|
||||
#'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' groups style="min-width:15em"
|
||||
." 'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' 'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' 'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' 'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' 'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' ;"
|
||||
# list of hashes for style-src we accept and reference to find them
|
||||
." 'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' " #h2l1
|
||||
." 'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' " # busy-indicator
|
||||
." 'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' " # _footer.html.ep style="position:relative;"
|
||||
." 'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' " # _usr_list style="min-width:35em"
|
||||
." 'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' " # groups style="min-width:15em"
|
||||
." 'sha256-0Mf27W7YqYYDBxV28E9yUhPk/SHgCYEyL73kR5dJkDM=' " # useraccounts:410 useraccounts:506 and useraccounts:602 style = background:pink;
|
||||
." 'sha256-65hozXHuXYaN7oOyWz8cFCjqLsPmy6O7++aP2PECi5M=' " # legacypanel:306 style="width:99%;height:1784px;
|
||||
." ;"
|
||||
." \"\n";
|
||||
$OUT .= " </Location>\n";
|
||||
# prevent caching of manager files in browser
|
||||
|
@@ -2,7 +2,7 @@ Summary: Sme Server Configuration : Manager 2
|
||||
%define name smeserver-manager
|
||||
Name: %{name}
|
||||
%define version 11.0.0
|
||||
%define release 116
|
||||
%define release 117
|
||||
Version: %{version}
|
||||
Release: %{release}%{?dist}
|
||||
License: GPL
|
||||
@@ -147,6 +147,10 @@ true
|
||||
%defattr(-,root,root)
|
||||
|
||||
%changelog
|
||||
* Wed Sep 24 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-117.sme
|
||||
- set correctly X-Forwarded-Proto for TKT auth [SME: 13175]
|
||||
updated CSP for smanager
|
||||
|
||||
* Mon Sep 15 2025 Brian Read <brianr@koozali.org> 11.0.0-116.sme
|
||||
- Fix other buttons in lists for elinks [SME: 13113]
|
||||
|
||||
|
Reference in New Issue
Block a user