fixed some ssl detection stuff

disabled 'help' plugin for now
enabled some ownership checks in CryptoBoxRootActions
documentation updates for proxy and ssl configurations
This commit is contained in:
lars 2006-12-14 00:23:10 +00:00
parent 2aed13ae18
commit 87af175764
11 changed files with 82 additions and 37 deletions

View File

@ -1,6 +1,4 @@
include README
include README.samba
include README.davfs
include README*
include LICENSE
include changelog
include copyright

View File

@ -1,4 +1,10 @@
= apache in front of the cryptobox-server (cherrypy) =
Running the CryptoBox behind a proxy
This describes how to setup the CryptoBox webserver behind a apache or lighttpd
as proxy webservers.
-=-=-=- apache in front of the cryptobox-server (cherrypy) -=-=-=-
The following section describes how to configure an apache2 webserver for
forwarding requests to the cherrypy server of the CryptoBox.
@ -37,29 +43,16 @@ forwarding requests to the cherrypy server of the CryptoBox.
-----
= lighttpd in front of the cryptobox-server (cherrypy) =
-=-=-=- lighttpd in front of the cryptobox-server (cherrypy) -=-=-=-
In this section we do the same as above, but with lighttpd.
Your lighttpd config should contain something like this:
# default document-root
server.document-root = "/usr/share/cryptobox-server/www-data/"
# TCP port
server.port = 443
# selecting modules
server.modules = ( "mod_access",
"mod_scgi",
"mod_accesslog",
"mod_rewrite",
"mod_staticfile" )
server.modules = ( "mod_scgi" )
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
scgi.server = ( "/" =>
scgi.server = ( "/cryptobox" =>
(( "host" => "127.0.0.1",
"port" => 8080,
"check-local" => "disable"

View File

@ -1,13 +1,51 @@
= https for the CryptoBox =
Encrypting the communication with the CryptoBox webserver with SSL
To secure your http connection from the box to your browser,
you may use "stunnel".
This file describes how to encrypt your connection to the CryptoBox webserver.
This is highly recommended as the encryption password for your data could be
exposed to intruders in your local network otherwise.
Please take a look into the "start_stunnel.sh" script. You may use it
to create a certificate and dig a tunnel.
There are two ways for setting up a SSL connection:
- run the CryptoBox webserver behind an ssl-enabled webserver
- use stunnel to provide an SSL socket
In the case, that you already have a certificate just run this
command:
stunnel -p $YOUR_CERT -r localhost:80 -d 443
1) CryptoBox behind an ssl-enabled webserver
Read the documentation of your favourite webserver to learn how to enable
ssl encryption.
The CryptoBox webserver cannot detect whether the connection is encrypted
or not since it is behind the proxy webserver. Thus you have to tell the
CryptoBox whether the connection is encrypted or not.
for apache2:
1) enable the 'headers' module (for debian: "a2enmod headers")
2) add this line to your ssl-enabled virtualhost:
RequestHeader set X-SSL-Request 1
3) restart your webserver
for lighthttpd:
TODO
2) CryptoBox behind stunnel
If you do not have an ssl certificate yet, then you should create it first.
Please take a look into the "start_stunnel.sh" script. You may use it
to create a certificate and dig a tunnel.
In case, that you already have a certificate just run this command:
stunnel -p "$YOUR_CERT_FILE" -r localhost:80 -d 443
Maybe you should add this to your bootup scripts.
3) Problems with SSL detection?
If the CryptoBox continues to complain about the unencrypted connection, even
if it runs behind an ssl-enabled webserver or behind stunnel, then you can do
one of the following things:
- set the request header value "X-SSL-Request" to "1" (one)
- set the environment setting "HTTPS" to a non-empty value during the
startup of the CryptoBox webserver. Maybe /etc/default/cryptobox-server
would be the right place for this.
- let the CryptoBox webserver listen to port 443

View File

@ -55,8 +55,6 @@ EVENT_MARKER = '_event_scripts_'
def checkIfFileIsSafe(fname):
"""check if the file and its parents are only writeable for root"""
#FIXME: for now we may skip this test - but users will not like it this way :)
return True
props = os.stat(fname)
## check if it is owned by non-root
if props.st_uid != 0: return False
@ -74,15 +72,14 @@ def checkIfPluginIsValid(plugin):
import imp
try:
x = imp.load_source("cbox_plugin",plugin)
#TODO: no wildcard catches, please!
except Exception:
except (SyntaxError, IOError):
return False
try:
if getattr(x, "PLUGIN_TYPE") == "cryptobox":
return True
else:
return False
except Exception:
except AttributeError:
return False

View File

@ -39,3 +39,4 @@ rm "$TMP_FILE"
#openssl x509 -subject -dates -fingerprint -in stunnel.pem
stunnel -p ${CERTFILE} -r localhost:${SRC_PORT} -d ${DST_PORT}

8
debian/changelog vendored
View File

@ -1,3 +1,11 @@
cryptobox (0.2.57-1) unstable; urgency=low
* added some documentation
* fixed ssl issue
* turn on some ownership checks of CryptoBoxRootActions
-- Lars Kruse <devel@sumpfralle.de> Thu, 14 Dec 2006 00:36:26 +0100
cryptobox (0.2.56-1) unstable; urgency=low
* added inline help texts

View File

@ -14,3 +14,7 @@ PORT=8080
# some more server options (rarely necessary)
#SERVER_OPTS="--host localhost --datadir=/usr/share/cryptobox-server/html"
# if the CryptoBox keeps complaining about a non-encrypted connection, then
# you can override this warning by uncommenting the following line:
#export HTTPS=1

View File

@ -1,6 +1,8 @@
README
README.samba
README.davfs
README.ssl
README.proxy
copyright
changelog
doc/html

View File

@ -29,7 +29,9 @@ class help(cryptobox.plugins.base.CryptoBoxPlugin):
"""The help feature of the CryptoBox.
"""
plugin_capabilities = [ "system" ]
#plugin_capabilities = [ "system" ]
#TODO: enable this plugin as soon as the user documentation is ready again
plugin_capabilities = [ ]
plugin_visibility = [ "menu" ]
request_auth = False
rank = 80

View File

@ -107,8 +107,8 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
<th></th>
<th></th>
</tr>
<?cs # count non-volume plugins ?><?cs set: all_count = #0
?><?cs each:x = Settings.PluginList ?><?cs if: !x.Types.volume ?><?cs
<?cs # count system plugins ?><?cs set: all_count = #0
?><?cs each:x = Settings.PluginList ?><?cs if: x.Types.system ?><?cs
set: all_count = all_count + 1 ?><?cs /if ?><?cs /each ?>
<tr>
<th><?cs var:html_escape(Lang.Plugins.plugin_manager.Text.PluginName) ?></th>
@ -119,7 +119,7 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
</tr>
<?cs set:run_counter = 0 ?><?cs
loop:index = #0, #100, #1 ?><?cs
each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && !x.Types.volume
each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.system
?><?cs set: run_counter = run_counter + 1 ?><tr>
<td style="text-align:left"><a name="<?cs var:html_escape(name(x)) ?>"><?cs var:html_escape(x.Name) ?></a></td>
<td><input type="checkbox" name="<?cs var:name(x) ?>_visible_menu" <?cs if:x.Visible.menu ?>checked="checked"<?cs /if ?> /></td>

View File

@ -415,6 +415,8 @@ class WebInterfaceSites:
if cherrypy.request.headers.has_key("X-SSL-Request") \
and (cherrypy.request.headers["X-SSL-Request"] == "1"):
return True
## plaintext connection
return False
def __set_web_lang(self, value):