fixed some ssl detection stuff
disabled 'help' plugin for now
enabled some ownership checks in CryptoBoxRootActions
documentation updates for proxy and ssl configurations
This commit is contained in:
parent
2aed13ae18
commit
87af175764
|
@ -1,6 +1,4 @@
|
||||||
include README
|
include README*
|
||||||
include README.samba
|
|
||||||
include README.davfs
|
|
||||||
include LICENSE
|
include LICENSE
|
||||||
include changelog
|
include changelog
|
||||||
include copyright
|
include copyright
|
||||||
|
|
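Review bot: replacing the explicit `include README`, `include README.samba`, `include README.davfs` lines with `include README*` in what looks like the MANIFEST.in picks up the new README.ssl and README.proxy without further edits, but the glob also matches anything else starting with README, such as editor backups (`README~`, `README.orig`) left in the tree. Either list the two new files explicitly as before, or keep the glob and make sure packaging runs from a clean checkout.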
27
README.proxy
27
README.proxy
|
@ -1,4 +1,10 @@
|
||||||
= apache in front of the cryptobox-server (cherrypy) =
|
Running the CryptoBox behind a proxy
|
||||||
|
|
||||||
|
This describes how to setup the CryptoBox webserver behind a apache or lighttpd
|
||||||
|
as proxy webservers.
|
||||||
|
|
||||||
|
|
||||||
|
-=-=-=- apache in front of the cryptobox-server (cherrypy) -=-=-=-
|
||||||
|
|
||||||
The following section describes how to configure an apache2 webserver for
|
The following section describes how to configure an apache2 webserver for
|
||||||
forwarding requests to the cherrypy server of the CryptoBox.
|
forwarding requests to the cherrypy server of the CryptoBox.
|
||||||
|
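Review bot: grammar in the new introduction: "behind a apache or lighttpd as proxy webservers" should read "behind an apache or lighttpd web server acting as a proxy". The file now mixes two heading styles, the plain "Running the CryptoBox behind a proxy" title and the "-=-=-=- ... -=-=-=-" section marker; pick one so the later lighttpd section matches.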
@ -37,29 +43,16 @@ forwarding requests to the cherrypy server of the CryptoBox.
|
||||||
|
|
||||||
-----
|
-----
|
||||||
|
|
||||||
= lighttpd in front of the cryptobox-server (cherrypy) =
|
-=-=-=- lighttpd in front of the cryptobox-server (cherrypy) -=-=-=-
|
||||||
|
|
||||||
In this section we do the same as above, but with lighttpd.
|
In this section we do the same as above, but with lighttpd.
|
||||||
|
|
||||||
Your lighttpd config should contain something like this:
|
Your lighttpd config should contain something like this:
|
||||||
|
|
||||||
# default document-root
|
|
||||||
server.document-root = "/usr/share/cryptobox-server/www-data/"
|
|
||||||
|
|
||||||
# TCP port
|
|
||||||
server.port = 443
|
|
||||||
|
|
||||||
# selecting modules
|
# selecting modules
|
||||||
server.modules = ( "mod_access",
|
server.modules = ( "mod_scgi" )
|
||||||
"mod_scgi",
|
|
||||||
"mod_accesslog",
|
|
||||||
"mod_rewrite",
|
|
||||||
"mod_staticfile" )
|
|
||||||
|
|
||||||
ssl.engine = "enable"
|
scgi.server = ( "/cryptobox" =>
|
||||||
ssl.pemfile = "/etc/lighttpd/server.pem"
|
|
||||||
|
|
||||||
scgi.server = ( "/" =>
|
|
||||||
(( "host" => "127.0.0.1",
|
(( "host" => "127.0.0.1",
|
||||||
"port" => 8080,
|
"port" => 8080,
|
||||||
"check-local" => "disable"
|
"check-local" => "disable"
|
||||||
|
|
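Review bot: the new lighttpd example drops `ssl.engine = "enable"`, `ssl.pemfile = "/etc/lighttpd/server.pem"` and `server.port = 443` together with `server.document-root`, so on its own it no longer shows an encrypted front end, while README.ssl in this same commit says the CryptoBox cannot tell whether a proxied connection is encrypted and still lists lighttpd support for signalling it as "TODO". Either keep the ssl.* lines here or add a pointer to README.ssl. Since lighttpd will not start without a document-root set somewhere, the text should also say these lines are added to an existing configuration rather than replacing it. The mount point moves from `"/"` to `"/cryptobox"`; if the apache section above uses a different URL prefix, "In this section we do the same as above" should mention the difference.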
54
README.ssl
54
README.ssl
|
@ -1,13 +1,51 @@
|
||||||
= https for the CryptoBox =
|
Encrypting the communication with the CryptoBox webserver with SSL
|
||||||
|
|
||||||
To secure your http connection from the box to your browser,
|
This file describes how to encrypt your connection to the CryptoBox webserver.
|
||||||
you may use "stunnel".
|
This is highly recommended as the encryption password for your data could be
|
||||||
|
exposed to intruders in your local network otherwise.
|
||||||
|
|
||||||
Please take a look into the "start_stunnel.sh" script. You may use it
|
There are two ways for setting up a SSL connection:
|
||||||
to create a certificate and dig a tunnel.
|
- run the CryptoBox webserver behind an ssl-enabled webserver
|
||||||
|
- use stunnel to provide an SSL socket
|
||||||
|
|
||||||
In the case, that you already have a certificate just run this
|
|
||||||
command:
|
|
||||||
|
|
||||||
stunnel -p $YOUR_CERT -r localhost:80 -d 443
|
1) CryptoBox behind an ssl-enabled webserver
|
||||||
|
Read the documentation of your favourite webserver to learn how to enable
|
||||||
|
ssl encryption.
|
||||||
|
|
||||||
|
The CryptoBox webserver cannot detect whether the connection is encrypted
|
||||||
|
or not since it is behind the proxy webserver. Thus you have to tell the
|
||||||
|
CryptoBox whether the connection is encrypted or not.
|
||||||
|
|
||||||
|
for apache2:
|
||||||
|
1) enable the 'headers' module (for debian: "a2enmod headers")
|
||||||
|
2) add this line to your ssl-enabled virtualhost:
|
||||||
|
RequestHeader set X-SSL-Request 1
|
||||||
|
3) restart your webserver
|
||||||
|
|
||||||
|
for lighthttpd:
|
||||||
|
TODO
|
||||||
|
|
||||||
|
|
||||||
|
2) CryptoBox behind stunnel
|
||||||
|
If you do not have an ssl certificate yet, then you should create it first.
|
||||||
|
Please take a look into the "start_stunnel.sh" script. You may use it
|
||||||
|
to create a certificate and dig a tunnel.
|
||||||
|
|
||||||
|
In case, that you already have a certificate just run this command:
|
||||||
|
|
||||||
|
stunnel -p "$YOUR_CERT_FILE" -r localhost:80 -d 443
|
||||||
|
|
||||||
|
Maybe you should add this to your bootup scripts.
|
||||||
|
|
||||||
|
|
||||||
|
3) Problems with SSL detection?
|
||||||
|
If the CryptoBox continues to complain about the unencrypted connection, even
|
||||||
|
if it runs behind an ssl-enabled webserver or behind stunnel, then you can do
|
||||||
|
one of the following things:
|
||||||
|
- set the request header value "X-SSL-Request" to "1" (one)
|
||||||
|
- set the environment setting "HTTPS" to a non-empty value during the
|
||||||
|
startup of the CryptoBox webserver. Maybe /etc/default/cryptobox-server
|
||||||
|
would be the right place for this.
|
||||||
|
- let the CryptoBox webserver listen to port 443
|
||||||
|
|
||||||
|
|
|
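Review bot: the new "Problems with SSL detection?" section tells admins to set the `X-SSL-Request` request header to `1`, but it should also say that the header is only trustworthy when the proxy overwrites it for every request (as `RequestHeader set X-SSL-Request 1` does) and the CryptoBox port itself is not reachable from the network; otherwise any client can add the header and suppress the warning. Two smaller points: the stunnel command forwards to `localhost:80` while the rest of this commit assumes the webserver on port 8080 (`PORT=8080` in /etc/default/cryptobox-server, `"port" => 8080` in README.proxy), so one of them is wrong for a default install; and "lighthttpd" should be "lighttpd", "a SSL connection" should be "an SSL connection".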
@ -55,8 +55,6 @@ EVENT_MARKER = '_event_scripts_'
|
||||||
|
|
||||||
def checkIfFileIsSafe(fname):
|
def checkIfFileIsSafe(fname):
|
||||||
"""check if the file and its parents are only writeable for root"""
|
"""check if the file and its parents are only writeable for root"""
|
||||||
#FIXME: for now we may skip this test - but users will not like it this way :)
|
|
||||||
return True
|
|
||||||
props = os.stat(fname)
|
props = os.stat(fname)
|
||||||
## check if it is owned by non-root
|
## check if it is owned by non-root
|
||||||
if props.st_uid != 0: return False
|
if props.st_uid != 0: return False
|
||||||
|
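Review bot: removing the unconditional `return True` turns checkIfFileIsSafe into a real check, but the visible context only tests `props.st_uid != 0`; the docstring promises that the file and its parent directories are writable by root only, so please confirm the lines below this hunk also reject group/world write bits in `props.st_mode` and walk up the directory chain, otherwise a root-owned but world-writable plugin file would still pass. The change will also start rejecting plugin files owned by a non-root user, which the removed FIXME anticipated; the changelog entry should warn users about that.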
@ -74,15 +72,14 @@ def checkIfPluginIsValid(plugin):
|
||||||
import imp
|
import imp
|
||||||
try:
|
try:
|
||||||
x = imp.load_source("cbox_plugin",plugin)
|
x = imp.load_source("cbox_plugin",plugin)
|
||||||
#TODO: no wildcard catches, please!
|
except (SyntaxError, IOError):
|
||||||
except Exception:
|
|
||||||
return False
|
return False
|
||||||
try:
|
try:
|
||||||
if getattr(x, "PLUGIN_TYPE") == "cryptobox":
|
if getattr(x, "PLUGIN_TYPE") == "cryptobox":
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
return False
|
return False
|
||||||
except Exception:
|
except AttributeError:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
|
|
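Review bot: narrowing the first `except` from `Exception` to `(SyntaxError, IOError)` means any other error raised while `imp.load_source` executes the plugin's top-level code, for example an ImportError from a module the plugin imports, now propagates out of checkIfPluginIsValid instead of returning False; consider adding ImportError (and a logged fallback for anything else) so a broken plugin cannot take the caller down. Because load_source executes the file, it should only be reached after checkIfFileIsSafe has accepted the path. The second try/except can be reduced to `return getattr(x, "PLUGIN_TYPE", None) == "cryptobox"`.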
@ -39,3 +39,4 @@ rm "$TMP_FILE"
|
||||||
#openssl x509 -subject -dates -fingerprint -in stunnel.pem
|
#openssl x509 -subject -dates -fingerprint -in stunnel.pem
|
||||||
|
|
||||||
stunnel -p ${CERTFILE} -r localhost:${SRC_PORT} -d ${DST_PORT}
|
stunnel -p ${CERTFILE} -r localhost:${SRC_PORT} -d ${DST_PORT}
|
||||||
|
|
|
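Review bot: `${CERTFILE}`, `${SRC_PORT}` and `${DST_PORT}` are unquoted in the stunnel line kept as context here, whereas README.ssl in this commit quotes the equivalent certificate argument (`"$YOUR_CERT_FILE"`); quoting them (`"${CERTFILE}"`) keeps a path containing spaces from being split into several arguments.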
@ -1,3 +1,11 @@
|
||||||
|
cryptobox (0.2.57-1) unstable; urgency=low
|
||||||
|
|
||||||
|
* added some documentation
|
||||||
|
* fixed ssl issue
|
||||||
|
* turn on some ownership checks of CryptoBoxRootActions
|
||||||
|
|
||||||
|
-- Lars Kruse <devel@sumpfralle.de> Thu, 14 Dec 2006 00:36:26 +0100
|
||||||
|
|
||||||
cryptobox (0.2.56-1) unstable; urgency=low
|
cryptobox (0.2.56-1) unstable; urgency=low
|
||||||
|
|
||||||
* added inline help texts
|
* added inline help texts
|
||||||
|
|
|
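Review bot: the 0.2.57-1 changelog entry does not mention that the help plugin is disabled in this commit ("disabled 'help' plugin for now" in the commit message), and "fixed ssl issue" is too vague for users who hit the SSL detection warning; suggest "* fixed detection of encrypted connections behind a proxy (X-SSL-Request header, HTTPS variable)" and "* disabled the help plugin until the user documentation is ready".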
@ -14,3 +14,7 @@ PORT=8080
|
||||||
# some more server options (rarely necessary)
|
# some more server options (rarely necessary)
|
||||||
#SERVER_OPTS="--host localhost --datadir=/usr/share/cryptobox-server/html"
|
#SERVER_OPTS="--host localhost --datadir=/usr/share/cryptobox-server/html"
|
||||||
|
|
||||||
|
# if the CryptoBox keeps complaining about a non-encrypted connection, then
|
||||||
|
# you can override this warning by uncommenting the following line:
|
||||||
|
#export HTTPS=1
|
||||||
|
|
||||||
|
|
|
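Review bot: the new comment should make clear that `export HTTPS=1` only tells the CryptoBox to treat every connection as encrypted and encrypts nothing itself; wording like "only do this if stunnel or an ssl-enabled proxy really sits in front of the server" would keep users from silencing the warning on a plain-HTTP setup. A pointer to README.ssl here would also help.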
@ -1,6 +1,8 @@
|
||||||
README
|
README
|
||||||
README.samba
|
README.samba
|
||||||
README.davfs
|
README.davfs
|
||||||
|
README.ssl
|
||||||
|
README.proxy
|
||||||
copyright
|
copyright
|
||||||
changelog
|
changelog
|
||||||
doc/html
|
doc/html
|
||||||
|
|
|
@ -29,7 +29,9 @@ class help(cryptobox.plugins.base.CryptoBoxPlugin):
|
||||||
"""The help feature of the CryptoBox.
|
"""The help feature of the CryptoBox.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
plugin_capabilities = [ "system" ]
|
#plugin_capabilities = [ "system" ]
|
||||||
|
#TODO: enable this plugin as soon as the user documentation is ready again
|
||||||
|
plugin_capabilities = [ ]
|
||||||
plugin_visibility = [ "menu" ]
|
plugin_visibility = [ "menu" ]
|
||||||
request_auth = False
|
request_auth = False
|
||||||
rank = 80
|
rank = 80
|
||||||
|
|
|
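Review bot: keeping the commented-out `#plugin_capabilities = [ "system" ]` next to the active `plugin_capabilities = [ ]` is clutter the TODO already explains; version control keeps the old value, so drop the commented line. Also check whether `plugin_visibility = [ "menu" ]` still produces a menu entry for a plugin with no capabilities, since the plugin manager template in this commit now lists only plugins with `x.Types.system`.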
@ -107,8 +107,8 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
|
||||||
<th></th>
|
<th></th>
|
||||||
<th></th>
|
<th></th>
|
||||||
</tr>
|
</tr>
|
||||||
<?cs # count non-volume plugins ?><?cs set: all_count = #0
|
<?cs # count system plugins ?><?cs set: all_count = #0
|
||||||
?><?cs each:x = Settings.PluginList ?><?cs if: !x.Types.volume ?><?cs
|
?><?cs each:x = Settings.PluginList ?><?cs if: x.Types.system ?><?cs
|
||||||
set: all_count = all_count + 1 ?><?cs /if ?><?cs /each ?>
|
set: all_count = all_count + 1 ?><?cs /if ?><?cs /each ?>
|
||||||
<tr>
|
<tr>
|
||||||
<th><?cs var:html_escape(Lang.Plugins.plugin_manager.Text.PluginName) ?></th>
|
<th><?cs var:html_escape(Lang.Plugins.plugin_manager.Text.PluginName) ?></th>
|
||||||
|
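Review bot: changing the filter from `!x.Types.volume` to `x.Types.system` is not equivalent: a plugin that is neither a volume nor a system plugin (the help plugin, which this commit sets to `plugin_capabilities = [ ]`) was counted and listed before and now disappears from the plugin manager. If hiding capability-less plugins is intended, fine, but it belongs in the changelog; the row loop in the following hunk gets the same predicate, so count and listing stay in step.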
@ -119,7 +119,7 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
|
||||||
</tr>
|
</tr>
|
||||||
<?cs set:run_counter = 0 ?><?cs
|
<?cs set:run_counter = 0 ?><?cs
|
||||||
loop:index = #0, #100, #1 ?><?cs
|
loop:index = #0, #100, #1 ?><?cs
|
||||||
each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && !x.Types.volume
|
each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.system
|
||||||
?><?cs set: run_counter = run_counter + 1 ?><tr>
|
?><?cs set: run_counter = run_counter + 1 ?><tr>
|
||||||
<td style="text-align:left"><a name="<?cs var:html_escape(name(x)) ?>"><?cs var:html_escape(x.Name) ?></a></td>
|
<td style="text-align:left"><a name="<?cs var:html_escape(name(x)) ?>"><?cs var:html_escape(x.Name) ?></a></td>
|
||||||
<td><input type="checkbox" name="<?cs var:name(x) ?>_visible_menu" <?cs if:x.Visible.menu ?>checked="checked"<?cs /if ?> /></td>
|
<td><input type="checkbox" name="<?cs var:name(x) ?>_visible_menu" <?cs if:x.Visible.menu ?>checked="checked"<?cs /if ?> /></td>
|
||||||
|
|
|
@ -415,6 +415,8 @@ class WebInterfaceSites:
|
||||||
if cherrypy.request.headers.has_key("X-SSL-Request") \
|
if cherrypy.request.headers.has_key("X-SSL-Request") \
|
||||||
and (cherrypy.request.headers["X-SSL-Request"] == "1"):
|
and (cherrypy.request.headers["X-SSL-Request"] == "1"):
|
||||||
return True
|
return True
|
||||||
|
## plaintext connection
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
def __set_web_lang(self, value):
|
def __set_web_lang(self, value):
|
||||||
|
|
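Review bot: the explicit `return False` makes the plaintext default clear, but the decision right above it trusts a client-supplied request header: `X-SSL-Request: 1` is accepted from whoever reaches the cherrypy port. That is only safe when the cherrypy server is bound to localhost (the `--host localhost` example in /etc/default/cryptobox-server) or is otherwise reachable only through the proxy, which overwrites the header; the code comment and README.ssl should both state this. `headers.has_key(...)` followed by a second lookup can be written as `cherrypy.request.headers.get("X-SSL-Request") == "1"`.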