smeserver/smeserver-manager
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Wed Sep 24 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-117.sme

Browse Source 
- set correctly X-Forwarded-Proto for TKT auth [SME: 13175]
  updated CSP for smanager
This commit is contained in:
Jean-Philippe Pialasse
2025-09-24 15:11:06 -04:00
parent d720304f1a
commit c6f8378881
2 changed files with 31 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/27SManagerProxyPass
View File

@@ -3,16 +3,14 @@
$haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no'; $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
$plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no'; $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
$plainPort = ${'httpd-e-smith'}{TCPPort} || '80';
$adminPort2 = ${'smanager'}{TCPPort} || '982'; $adminPort2 = ${'smanager'}{TCPPort} || '982';
$adminAccess = ${'smanager'}{access} || 'private'; $adminAccess = ${'smanager'}{access} || 'private';
$sslPort = ${modSSL}{TCPPort} || '443';
$OUT = ''; $OUT = '';
foreach $place ('smanager') foreach $place ('smanager')
{ {
if (($port eq $plainPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes')) if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
{ {
$OUT .= ' RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$' . "\n"; $OUT .= ' RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$' . "\n";
$OUT .= " RewriteRule ^/$place(/.*|\$) https://%{HTTP_HOST}/$place\$1 [L,R]\n"; $OUT .= " RewriteRule ^/$place(/.*|\$) https://%{HTTP_HOST}/$place\$1 [L,R]\n";
@@ -24,14 +22,18 @@
$OUT .= " ProxyPreserveHost On\n"; $OUT .= " ProxyPreserveHost On\n";
$OUT .= " ProxyPass /$place http://127.0.0.1:$adminPort2 keepalive=On\n"; $OUT .= " ProxyPass /$place http://127.0.0.1:$adminPort2 keepalive=On\n";
$OUT .= " ProxyPassReverse /$place http://127.0.0.1:$adminPort2\n"; $OUT .= " ProxyPassReverse /$place http://127.0.0.1:$adminPort2\n";
$OUT .= " RequestHeader set X-Forwarded-Proto 'http'\n"; if ($port eq $httpsPort)
{
# mod_auth_tkt needs to know the protocol to write 307 redirection
$OUT .= " RequestHeader set X-Forwarded-Proto \"https\"\n";
}
$OUT .= " <Location '/$place'>\n"; $OUT .= " <Location '/$place'>\n";
if ($port eq $plainPort) if ($port eq $httpPort)
{ {
$OUT .= ' Require ip 127.0.0.1' . "\n"; $OUT .= ' Require ip 127.0.0.1' . "\n";
} }
elsif (($haveSSL eq 'yes') && ($port eq $sslPort) && ($adminAccess eq 'public')) elsif (($haveSSL eq 'yes') && ($port eq $httpsPort) && ($adminAccess eq 'public'))
{ {
$OUT .= "# public access requested in conf db\n"; $OUT .= "# public access requested in conf db\n";
$OUT .= " Require all granted\n"; $OUT .= " Require all granted\n";
@@ -40,15 +42,25 @@
$OUT .= " Require ip $localAccess $externalSSLAccess\n"; $OUT .= " Require ip $localAccess $externalSSLAccess\n";
} }
# any smanager script or style added in line should be hashed and added here to run in a modern browser # any smanager script or style added in line should be hashed and added here to run in a modern browser
$OUT .= " Header set Content-Security-Policy \"script-src 'self' 'unsafe-eval' 'unsafe-hashes' " $OUT .= " Header set Content-Security-Policy \"script-src 'self' 'unsafe-eval' 'unsafe-hashes' "
." 'sha256-X8Qwlk0M9iDTQZqFVpbVcThRjBqQXpwTOZCLX8I+Frk=' 'sha256-inQ04nmqTZI75Z5g/tAzjahedNugPFfrhxHyoFezFkM=' 'sha256-5IsIX+Vbow7wwy2RjR3+5X06R/0CQZPkw3OHj/228cM=' 'sha256-tfVskwioRaNsV75h89itf7FujMgIrodfs1Ea4UAJNpE=' 'sha256-P51OyslUh5bGkoWk9qY+o4Su4HuwNFoQcFCeNxF7Ms8=' ; " # list of hashes for script-src we accept and reference to find them
." 'sha256-T5nv1LP9Xxdv7I1tsdTYprjvwoZyVEvfe8Y4TLx59pk='" # $(document).ready(function() \{ $('#tognav').click(function()
." 'sha256-TxVHbw3t1mXreukND/yBI+H+CscZDpyxPoNoBrRhmSE=' " # (function($) \{ $.fn.swapClass = function(class1, class2)
." 'sha256-30Xxu25YbRvjbQ2ngJ8EyneSz0No788PqjM9XbQh+qM=' " # ...const togglePassword...
." 'sha256-5PrS/6zSCY/wROLKhAm4ymOuYsfvvScrC9Vp8FtOpxU=' " # nutups:316 window.onload = function() \{ SelectInput();
." 'sha256-pxCVW6zyLaFSTIpOP2p4ULot8y+QsEmSEjKE54zDTWQ=' " # nutups:317 window.onload = function() \{ SelectInput();
#." 'sha256-X8Qwlk0M9iDTQZqFVpbVcThRjBqQXpwTOZCLX8I+Frk=' 'sha256-inQ04nmqTZI75Z5g/tAzjahedNugPFfrhxHyoFezFkM=' 'sha256-5IsIX+Vbow7wwy2RjR3+5X06R/0CQZPkw3OHj/228cM=' 'sha256-tfVskwioRaNsV75h89itf7FujMgIrodfs1Ea4UAJNpE=' 'sha256-P51OyslUh5bGkoWk9qY+o4Su4HuwNFoQcFCeNxF7Ms8=' " #need valiation if still needed
." ; "
." style-src 'self' 'unsafe-hashes' " ." style-src 'self' 'unsafe-hashes' "
#'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' #h2l1 # list of hashes for style-src we accept and reference to find them
#'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' #busy-indicator ." 'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' " #h2l1
#'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' _footer.html.ep style="position:relative;" ." 'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' " # busy-indicator
#'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' _usr_list style="min-width:35em" ." 'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' " # _footer.html.ep style="position:relative;"
#'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' groups style="min-width:15em" ." 'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' " # _usr_list style="min-width:35em"
." 'sha256-msdEhWmYTu7vqzGaQHDfvy6lzlDsbKkouwvN2R6Co9E=' 'sha256-iYwYhiMcsGmXCUzLEpEzZNz5dINrlkqf1sLbLhEcqGM=' 'sha256-bOTFT8zacR4Rfja/WIKXgAQQXVaPyG3oBlvAhU4ga8g=' 'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' 'sha256-EhT63KK1JBrsUM27H+5RMNifDFpVB+GXcTtavKXwCK8=' ;" ." 'sha256-CP93jJ1Y8nMwUoDzFbo1srdgsbADPasAc0Wjig1ahpY=' " # groups style="min-width:15em"
." 'sha256-0Mf27W7YqYYDBxV28E9yUhPk/SHgCYEyL73kR5dJkDM=' " # useraccounts:410 useraccounts:506 and useraccounts:602 style = background:pink;
." 'sha256-65hozXHuXYaN7oOyWz8cFCjqLsPmy6O7++aP2PECi5M=' " # legacypanel:306 style="width:99%;height:1784px;
." ;"
." \"\n"; ." \"\n";
$OUT .= " </Location>\n"; $OUT .= " </Location>\n";
# prevent caching of manager files in browser # prevent caching of manager files in browser

6
smeserver-manager.spec
View File

@@ -2,7 +2,7 @@ Summary: Sme Server Configuration : Manager 2
%define name smeserver-manager %define name smeserver-manager
Name: %{name} Name: %{name}
%define version 11.0.0 %define version 11.0.0
%define release 116 %define release 117
Version: %{version} Version: %{version}
Release: %{release}%{?dist} Release: %{release}%{?dist}
License: GPL License: GPL
@@ -147,6 +147,10 @@ true
%defattr(-,root,root) %defattr(-,root,root)
%changelog %changelog
* Wed Sep 24 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-117.sme
- set correctly X-Forwarded-Proto for TKT auth [SME: 13175]
updated CSP for smanager
* Mon Sep 15 2025 Brian Read <brianr@koozali.org> 11.0.0-116.sme * Mon Sep 15 2025 Brian Read <brianr@koozali.org> 11.0.0-116.sme
- Fix other buttons in lists for elinks [SME: 13113] - Fix other buttons in lists for elinks [SME: 13113]