From c6f8378881f38cc2bf641be3fd6e3b58d84c474c Mon Sep 17 00:00:00 2001
From: Jean-Philippe Pialasse
Date: Wed, 24 Sep 2025 15:11:06 -0400
Subject: [PATCH] * Wed Sep 24 2025 Jean-Philippe Pialasse 11.0.0-117.sme - set correctly X-Forwarded-Proto for TKT auth [SME: 13175] updated CSP for smanager
---
 .../VirtualHosts/27SManagerProxyPass | 40 ++++++++++++-------
 smeserver-manager.spec | 6 ++-
 2 files changed, 31 insertions(+), 15 deletions(-)
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/27SManagerProxyPass b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/27SManagerProxyPass
index 687a994..4183480 100644
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/27SManagerProxyPass
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/27SManagerProxyPass
@@ -3,16 +3,14 @@
 $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
 $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
- $plainPort = ${'httpd-e-smith'}{TCPPort} || '80';
 $adminPort2 = ${'smanager'}{TCPPort} || '982';
 $adminAccess = ${'smanager'}{access} || 'private';
- $sslPort = ${modSSL}{TCPPort} || '443';
 $OUT = '';
 foreach $place ('smanager')
 {
- if (($port eq $plainPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
+ if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
 {
 $OUT .= ' RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$' . "\n";
 $OUT .= " RewriteRule ^/$place(/.*|\$) https://%{HTTP_HOST}/$place\$1 [L,R]\n";
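Review bot: `$httpPort` and `$httpsPort` are not defined anywhere in this fragment, and the `|| '80'` / `|| '443'` fallbacks disappear together with `$plainPort` and `$sslPort`; if either variable is unset in the scope this fragment is expanded in, `$port eq $httpPort` is silently false (with an uninitialized-value warning at expansion time), so the plain-port redirect here and the `Require ip 127.0.0.1` branch in the second hunk are both skipped and the plain vhost falls through to the broader `Require ip` rules. Presumably both values are supplied by the enclosing VirtualHosts template loop, which starts outside this hunk, as does the `foreach` the `if` sits in; a one-line comment pinning that down would help, e.g. `# $port, $httpPort and $httpsPort are provided by the VirtualHosts fragment loop; no local default any more`. The same dependency applies to the `$httpsPort`/`$httpPort` uses in the second hunk.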
@@ -24,14 +22,18 @@
 $OUT .= " ProxyPreserveHost On\n";
 $OUT .= " ProxyPass /$place http://127.0.0.1:$adminPort2 keepalive=On\n";
 $OUT .= " ProxyPassReverse /$place http://127.0.0.1:$adminPort2\n";
- $OUT .= " RequestHeader set X-Forwarded-Proto 'http'\n";
+ if ($port eq $httpsPort)
+ {
+ # mod_auth_tkt needs to know the protocol to write 307 redirection
+ $OUT .= " RequestHeader set X-Forwarded-Proto \"https\"\n";
+ }
 $OUT .= " \n";
- if ($port eq $plainPort)
+ if ($port eq $httpPort)
 {
 $OUT .= ' Require ip 127.0.0.1' . "\n";
 }
- elsif (($haveSSL eq 'yes') && ($port eq $sslPort) && ($adminAccess eq 'public'))
+ elsif (($haveSSL eq 'yes') && ($port eq $httpsPort) && ($adminAccess eq 'public'))
 {
 $OUT .= "# public access requested in conf db\n";
 $OUT .= " Require all granted\n";
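Review bot: X-Forwarded-Proto is now only set on the HTTPS vhost; on the plain-HTTP vhost nothing overwrites it any more, so a client-supplied X-Forwarded-Proto header is passed through to the backend unchanged and can present a wrong scheme to mod_auth_tkt, whereas the removed line overwrote it unconditionally. The hunk's own `Require ip 127.0.0.1` limits the plain vhost to local clients, so the exposure is small, but setting the header on both branches keeps the backend's view under the proxy's control: `$proto = ($port eq $httpsPort) ? 'https' : 'http';` followed by `$OUT .= "    RequestHeader set X-Forwarded-Proto \"$proto\"\n";`, keeping the mod_auth_tkt comment above it. The enclosing `foreach` starts and ends outside this hunk.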
@@ -40,15 +42,25 @@
 $OUT .= " Require ip $localAccess $externalSSLAccess\n";
 }
 # any smanager script or style added in line should be hashed and added here to run in a modern browser
- $OUT .= " Header set Content-Security-Policy \"script-src 'self' 'unsafe-eval' 'unsafe-hashes' "
- ." 'sha256-X8Qwlk0M9iDTQZqFVpbVcThRjBqQXpwTOZCLX8I+Frk=' 'sha256-inQ04nmqTZI75Z5g/tAzjahedNugPFfrhxHyoFezFkM=' 'sha256-5IsIX+Vbow7wwy2RjR3+5X06R/0CQZPkw3OHj/228cM=' 'sha256-tfVskwioRaNsV75h89itf7FujMgIrodfs1Ea4UAJNpE=' 'sha256-P51OyslUh5bGkoWk9qY+o4Su4HuwNFoQcFCeNxF7Ms8=' ; "
+ $OUT .= " Header set Content-Security-Policy \"script-src 'self' 'unsafe-eval' 'unsafe-hashes' "
+ # list of hashes for script-src we accept and reference to find them
+ ." 'sha256-T5nv1LP9Xxdv7I1tsdTYprjvwoZyVEvfe8Y4TLx59pk='" # $(document).ready(function() \{ $('#tognav').click(function()
+ ." 'sha256-TxVHbw3t1mXreukND/yBI+H+CscZDpyxPoNoBrRhmSE=' " # (function($) \{ $.fn.swapClass = function(class1, class2)
+ ." 'sha256-30Xxu25YbRvjbQ2ngJ8EyneSz0No788PqjM9XbQh+qM=' " # ...const togglePassword...
+ ." 'sha256-5PrS/6zSCY/wROLKhAm4ymOuYsfvvScrC9Vp8FtOpxU=' " # nutups:316 window.onload = function() \{ SelectInput();
+ ." 'sha256-pxCVW6zyLaFSTIpOP2p4ULot8y+QsEmSEjKE54zDTWQ=' " # nutups:317 window.onload = function() \{ SelectInput();
+ #." 'sha256-X8Qwlk0M9iDTQZqFVpbVcThRjBqQXpwTOZCLX8I+Frk=' 'sha256-inQ04nmqTZI75Z5g/tAzjahedNugPFfrhxHyoFezFkM=' 'sha256-5IsIX+Vbow7wwy2RjR3+5X06R/0CQZPkw3OHj/228cM=' 'sha256-tfVskwioRaNsV75h89itf7FujMgIrodfs1Ea4UAJNpE=' 'sha256-P51OyslUh5bGkoWk9qY+o4Su4HuwNFoQcFCeNxF7Ms8=' " #need valiation if still needed
+ ." ; "
 ." style-src 'self' 'unsafe-hashes' "
- #'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' #h2l1
- #'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' #busy-indicator
- #'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' _footer.html.ep style="position:relative;"
- #'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' _usr_list style="min-width:35em"
- #'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' groups style="min-width:15em"
- ." 'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' 'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' 'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' 'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' 'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' ;"
+ # list of hashes for style-src we accept and reference to find them
+ ." 'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' " #h2l1
+ ." 'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' " # busy-indicator
+ ." 'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' " # _footer.html.ep style="position:relative;"
+ ." 'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' " # _usr_list style="min-width:35em"
+ ." 'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' " # groups style="min-width:15em"
+ ." 'sha256-0Mf27W7YqYYDBxV28E9yUhPk/SHgCYEyL73kR5dJkDM=' " # useraccounts:410 useraccounts:506 and useraccounts:602 style = background:pink;
+ ." 'sha256-65hozXHuXYaN7oOyWz8cFCjqLsPmy6O7++aP2PECi5M=' " # legacypanel:306 style="width:99%;height:1784px;
+ ." ;"
 ." \"\n";
 $OUT .= " \n";
 # prevent caching of manager files in browser
diff --git a/smeserver-manager.spec b/smeserver-manager.spec
index 673ff64..bd7f745 100644
--- a/smeserver-manager.spec
+++ b/smeserver-manager.spec
@@ -2,7 +2,7 @@ Summary: Sme Server Configuration : Manager 2
 %define name smeserver-manager
 Name: %{name}
 %define version 11.0.0
-%define release 116
+%define release 117
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
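Review bot: The previous five script-src hashes survive as a commented-out line tagged `#need valiation if still needed` with no record of which inline scripts they covered, unlike the new entries, which each name their source; either drop that line or annotate it the same way, so the next maintainer can tell whether removing it breaks a page. `'unsafe-eval'` also stays in script-src and is not constrained by the hash list at all; a short comment naming the component that still requires it, e.g. `# 'unsafe-eval' still needed by <component — TODO confirm>`, would make later tightening possible. Minor style point: the first new entry `." 'sha256-T5nv1LP9Xxdv7I1tsdTYprjvwoZyVEvfe8Y4TLx59pk='"` lacks the trailing space every other entry carries; harmless because each following fragment starts with a space, but inconsistent. The `foreach` this `Header` line sits in starts outside the hunk.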
@@ -147,6 +147,10 @@ true
 %defattr(-,root,root)
 %changelog
+* Wed Sep 24 2025 Jean-Philippe Pialasse 11.0.0-117.sme
+- set correctly X-Forwarded-Proto for TKT auth [SME: 13175]
+ updated CSP for smanager
+
 * Mon Sep 15 2025 Brian Read 11.0.0-116.sme
 - Fix other buttons in lists for elinks [SME: 13113]