fixed some ssl detection stuff
disabled 'help' plugin for now; enabled some ownership checks in CryptoBoxRootActions; documentation updates for proxy and ssl configurations
This commit is contained in:
parent
2aed13ae18
commit
87af175764
|
@ -1,6 +1,4 @@
|
|||
include README
|
||||
include README.samba
|
||||
include README.davfs
|
||||
include README*
|
||||
include LICENSE
|
||||
include changelog
|
||||
include copyright
|
||||
|
|
27
README.proxy
27
README.proxy
|
@ -1,4 +1,10 @@
|
|||
= apache in front of the cryptobox-server (cherrypy) =
|
||||
Running the CryptoBox behind a proxy
|
||||
|
||||
This describes how to setup the CryptoBox webserver behind a apache or lighttpd
|
||||
as proxy webservers.
|
||||
|
||||
|
||||
-=-=-=- apache in front of the cryptobox-server (cherrypy) -=-=-=-
|
||||
|
||||
The following section describes how to configure an apache2 webserver for
|
||||
forwarding requests to the cherrypy server of the CryptoBox.
|
||||
|
@ -37,29 +43,16 @@ forwarding requests to the cherrypy server of the CryptoBox.
|
|||
|
||||
-----
|
||||
|
||||
= lighttpd in front of the cryptobox-server (cherrypy) =
|
||||
-=-=-=- lighttpd in front of the cryptobox-server (cherrypy) -=-=-=-
|
||||
|
||||
In this section we do the same as above, but with lighttpd.
|
||||
|
||||
Your lighttpd config should contain something like this:
|
||||
|
||||
# default document-root
|
||||
server.document-root = "/usr/share/cryptobox-server/www-data/"
|
||||
|
||||
# TCP port
|
||||
server.port = 443
|
||||
|
||||
# selecting modules
|
||||
server.modules = ( "mod_access",
|
||||
"mod_scgi",
|
||||
"mod_accesslog",
|
||||
"mod_rewrite",
|
||||
"mod_staticfile" )
|
||||
server.modules = ( "mod_scgi" )
|
||||
|
||||
ssl.engine = "enable"
|
||||
ssl.pemfile = "/etc/lighttpd/server.pem"
|
||||
|
||||
scgi.server = ( "/" =>
|
||||
scgi.server = ( "/cryptobox" =>
|
||||
(( "host" => "127.0.0.1",
|
||||
"port" => 8080,
|
||||
"check-local" => "disable"
|
||||
|
|
54
README.ssl
54
README.ssl
|
@ -1,13 +1,51 @@
|
|||
= https for the CryptoBox =
|
||||
Encrypting the communication with the CryptoBox webserver with SSL
|
||||
|
||||
To secure your http connection from the box to your browser,
|
||||
you may use "stunnel".
|
||||
This file describes how to encrypt your connection to the CryptoBox webserver.
|
||||
This is highly recommended as the encryption password for your data could be
|
||||
exposed to intruders in your local network otherwise.
|
||||
|
||||
Please take a look into the "start_stunnel.sh" script. You may use it
|
||||
to create a certificate and dig a tunnel.
|
||||
There are two ways for setting up a SSL connection:
|
||||
- run the CryptoBox webserver behind an ssl-enabled webserver
|
||||
- use stunnel to provide an SSL socket
|
||||
|
||||
In the case, that you already have a certificate just run this
|
||||
command:
|
||||
|
||||
stunnel -p $YOUR_CERT -r localhost:80 -d 443
|
||||
1) CryptoBox behind an ssl-enabled webserver
|
||||
Read the documentation of your favourite webserver to learn how to enable
|
||||
ssl encryption.
|
||||
|
||||
The CryptoBox webserver cannot detect whether the connection is encrypted
|
||||
or not since it is behind the proxy webserver. Thus you have to tell the
|
||||
CryptoBox whether the connection is encrypted or not.
|
||||
|
||||
for apache2:
|
||||
1) enable the 'headers' module (for debian: "a2enmod headers")
|
||||
2) add this line to your ssl-enabled virtualhost:
|
||||
RequestHeader set X-SSL-Request 1
|
||||
3) restart your webserver
|
||||
|
||||
for lighthttpd:
|
||||
TODO
|
||||
|
||||
|
||||
2) CryptoBox behind stunnel
|
||||
If you do not have an ssl certificate yet, then you should create it first.
|
||||
Please take a look into the "start_stunnel.sh" script. You may use it
|
||||
to create a certificate and dig a tunnel.
|
||||
|
||||
In case, that you already have a certificate just run this command:
|
||||
|
||||
stunnel -p "$YOUR_CERT_FILE" -r localhost:80 -d 443
|
||||
|
||||
Maybe you should add this to your bootup scripts.
|
||||
|
||||
|
||||
3) Problems with SSL detection?
|
||||
If the CryptoBox continues to complain about the unencrypted connection, even
|
||||
if it runs behind an ssl-enabled webserver or behind stunnel, then you can do
|
||||
one of the following things:
|
||||
- set the request header value "X-SSL-Request" to "1" (one)
|
||||
- set the environment setting "HTTPS" to a non-empty value during the
|
||||
startup of the CryptoBox webserver. Maybe /etc/default/cryptobox-server
|
||||
would be the right place for this.
|
||||
- let the CryptoBox webserver listen to port 443
|
||||
|
||||
|
|
|
@ -55,8 +55,6 @@ EVENT_MARKER = '_event_scripts_'
|
|||
|
||||
def checkIfFileIsSafe(fname):
|
||||
"""check if the file and its parents are only writeable for root"""
|
||||
#FIXME: for now we may skip this test - but users will not like it this way :)
|
||||
return True
|
||||
props = os.stat(fname)
|
||||
## check if it is owned by non-root
|
||||
if props.st_uid != 0: return False
|
||||
|
@ -74,15 +72,14 @@ def checkIfPluginIsValid(plugin):
|
|||
import imp
|
||||
try:
|
||||
x = imp.load_source("cbox_plugin",plugin)
|
||||
#TODO: no wildcard catches, please!
|
||||
except Exception:
|
||||
except (SyntaxError, IOError):
|
||||
return False
|
||||
try:
|
||||
if getattr(x, "PLUGIN_TYPE") == "cryptobox":
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
except Exception:
|
||||
except AttributeError:
|
||||
return False
|
||||
|
||||
|
||||
|
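Review bot: `props = os.stat(fname)` in checkIfFileIsSafe (hunk @ -55,8) is reached now that the early `return True` is gone, but it raises `OSError` for a missing or unreadable path and nothing in the visible lines handles that; a safety check in the root-action helper should fail closed, `try: props = os.stat(fname)` / `except OSError: return False`. The docstring promises that the parents are checked as well, yet `os.stat` follows symlinks, so if the parent walk (outside the hunk) uses the directory of `fname` it inspects the link's location rather than the target's; resolving `fname = os.path.realpath(fname)` first makes both checks apply to the real file. In checkIfPluginIsValid, `imp.load_source` executes the plugin's module-level code, and a plugin whose own imports fail raises `ImportError`, which the narrowed `except (SyntaxError, IOError)` no longer turns into `return False`; either add it to the tuple or document that any other exception is meant to abort the caller. checkIfFileIsSafe continues past its hunk and checkIfPluginIsValid's signature precedes its hunk.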
|
|
@ -39,3 +39,4 @@ rm "$TMP_FILE"
|
|||
#openssl x509 -subject -dates -fingerprint -in stunnel.pem
|
||||
|
||||
stunnel -p ${CERTFILE} -r localhost:${SRC_PORT} -d ${DST_PORT}
|
||||
|
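Review bot: The variable expansions on the added `stunnel` line are unquoted, so a `CERTFILE` containing whitespace is split into several arguments, while README.ssl in the same commit already quotes `"$YOUR_CERT_FILE"`; write `stunnel -p "${CERTFILE}" -r "localhost:${SRC_PORT}" -d "${DST_PORT}"`. The `rm "$TMP_FILE"` shown in the hunk header quotes its argument, so quoting here also keeps the script consistent with itself.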
|
@ -1,3 +1,11 @@
|
|||
cryptobox (0.2.57-1) unstable; urgency=low
|
||||
|
||||
* added some documentation
|
||||
* fixed ssl issue
|
||||
* turn on some ownership checks of CryptoBoxRootActions
|
||||
|
||||
-- Lars Kruse <devel@sumpfralle.de> Thu, 14 Dec 2006 00:36:26 +0100
|
||||
|
||||
cryptobox (0.2.56-1) unstable; urgency=low
|
||||
|
||||
* added inline help texts
|
||||
|
|
|
@ -14,3 +14,7 @@ PORT=8080
|
|||
# some more server options (rarely necessary)
|
||||
#SERVER_OPTS="--host localhost --datadir=/usr/share/cryptobox-server/html"
|
||||
|
||||
# if the CryptoBox keeps complaining about a non-encrypted connection, then
|
||||
# you can override this warning by uncommenting the following line:
|
||||
#export HTTPS=1
|
||||
|
||||
|
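Review bot: The new comment above `#export HTTPS=1` explains that the warning can be overridden but not what the setting asserts: judging by README.ssl in this commit, a non-empty HTTPS makes the webserver treat every request as encrypted, so uncommenting it is only correct when all traffic really passes through stunnel or an ssl-enabled proxy. Suggest extending the comment with `# Only do this if every connection really is encrypted (stunnel or ssl proxy) - it disables the check, it does not fix it.`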
|
|
@ -1,6 +1,8 @@
|
|||
README
|
||||
README.samba
|
||||
README.davfs
|
||||
README.ssl
|
||||
README.proxy
|
||||
copyright
|
||||
changelog
|
||||
doc/html
|
||||
|
|
|
@ -29,7 +29,9 @@ class help(cryptobox.plugins.base.CryptoBoxPlugin):
|
|||
"""The help feature of the CryptoBox.
|
||||
"""
|
||||
|
||||
plugin_capabilities = [ "system" ]
|
||||
#plugin_capabilities = [ "system" ]
|
||||
#TODO: enable this plugin as soon as the user documentation is ready again
|
||||
plugin_capabilities = [ ]
|
||||
plugin_visibility = [ "menu" ]
|
||||
request_auth = False
|
||||
rank = 80
|
||||
|
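Review bot: The commented-out `#plugin_capabilities = [ "system" ]` repeats what the TODO line already says and what version control keeps; dropping it leaves `plugin_capabilities = [ ]` with the TODO as the single marker. `plugin_visibility = [ "menu" ]` stays set while the capability list is empty; if that is intended until the documentation is ready, it would be worth saying so in the same TODO.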
|
|
@ -107,8 +107,8 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
|
|||
<th></th>
|
||||
<th></th>
|
||||
</tr>
|
||||
<?cs # count non-volume plugins ?><?cs set: all_count = #0
|
||||
?><?cs each:x = Settings.PluginList ?><?cs if: !x.Types.volume ?><?cs
|
||||
<?cs # count system plugins ?><?cs set: all_count = #0
|
||||
?><?cs each:x = Settings.PluginList ?><?cs if: x.Types.system ?><?cs
|
||||
set: all_count = all_count + 1 ?><?cs /if ?><?cs /each ?>
|
||||
<tr>
|
||||
<th><?cs var:html_escape(Lang.Plugins.plugin_manager.Text.PluginName) ?></th>
|
||||
|
@ -119,7 +119,7 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
|
|||
</tr>
|
||||
<?cs set:run_counter = 0 ?><?cs
|
||||
loop:index = #0, #100, #1 ?><?cs
|
||||
each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && !x.Types.volume
|
||||
each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.system
|
||||
?><?cs set: run_counter = run_counter + 1 ?><tr>
|
||||
<td style="text-align:left"><a name="<?cs var:html_escape(name(x)) ?>"><?cs var:html_escape(x.Name) ?></a></td>
|
||||
<td><input type="checkbox" name="<?cs var:name(x) ?>_visible_menu" <?cs if:x.Visible.menu ?>checked="checked"<?cs /if ?> /></td>
|
||||
|
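Review bot: Switching the filter from `!x.Types.volume` to `x.Types.system` in both hunks (@ -107 and @ -119) changes the partition: a plugin that declares neither `volume` nor `system` is no longer counted or listed anywhere, where before it fell into the non-volume table. If every plugin is required to declare one of the two, a comment next to the counter such as `<?cs # every plugin is either volume or system; anything else is not listed ?>` would record that; otherwise a fallback row for untyped plugins is missing.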
|
|
@ -415,6 +415,8 @@ class WebInterfaceSites:
|
|||
if cherrypy.request.headers.has_key("X-SSL-Request") \
|
||||
and (cherrypy.request.headers["X-SSL-Request"] == "1"):
|
||||
return True
|
||||
## plaintext connection
|
||||
return False
|
||||
|
||||
|
||||
def __set_web_lang(self, value):
|
||||
|
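Review bot: The `X-SSL-Request` header is trusted from whoever sent the request, so the check at the top of the hunk returns True for any request carrying `X-SSL-Request: 1` that reaches the backend port directly or through a plain-HTTP proxy vhost that forwards client headers unchanged, and the unencrypted-connection warning is then suppressed without any encryption. README.ssl in this commit only shows `RequestHeader set X-SSL-Request 1` for the ssl vhost; the plain vhost needs `RequestHeader unset X-SSL-Request` as well, and the backend should listen on the loopback interface only so the header can arrive solely via the proxy. A comment above the check should record that assumption, e.g. `## trusted only because the proxy sets or strips this header itself - see README.ssl`. The enclosing method starts outside the hunk.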
|