DokuWiki

It's better when it's simple

User Tools

Site Tools


tips:httpslogin

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
tips:httpslogin [2017-09-25 17:44]
85.134.86.152 [Force Login via HTTPS]
tips:httpslogin [2017-10-15 16:46] (current)
212.9.99.131 old revision restored (2017-04-04 15:03)
Line 1: Line 1:
- ====== Force Login via HTTPS ====== +====== Force Login via HTTPS ====== 
- ===== Plugins ====== ==== forcessllogin ==== See https://​www.dokuwiki.org/​plugin:​forcessllogin,​ doesn'​t seem to reflect SSL access in URL, i.e. dokuwiki'​s access denied page won't be opened via https protocol which makes debugging and assuring that you're securely logging in difficult. =====Apache===== Using Apache'​s mod_rewrite,​ DokuWiki logins can be forced to use HTTPS, thus preventing clear text passwords on the wire.  You may want to read up on [[:​rewrite|general rewriting]] first. ​ Redirection to a secured connection which is restricted to a certain set of pages (e.g. login pages) requires their recognition based on the URL. Some pages (e.g. "​access denied"​ pages which might be included only in newer versions, e.g. 2014-05-05 "​Ponder Stibbons"​ <​ref>​https://​www.dokuwiki.org/​plugin:​ondeniedlogin</​ref>​) don't include such a mark and cannot be distungished from the rest of URLs (which one might want to be accessed without a secure connection in order to save server resources). ​ FIXME The rest of the paragraph only handles requests with a ''?​do=login''​ GET query which doesn'​t cover at least "​access denied"​ pages! Research about a redirection rule for all authentification requests over HTTP is necessary.\\ ​  ​See discussion for solution. ​  ​The following assumes you already set up HTTPS support for your wiki, making it available via HTTP and HTTPS on the same address. For performance reasons only the login and profile updates should be forced to HTTPS while all "​normal"​ wiki actions will continue to work on HTTP.  Since you need to have cookies set up via HTTPS to work on HTTP as well, you need to disable the [[config:​securecookie]] option first. Then proceed to set up the redirection in your ''​.htaccess'': ​ <​code>​ # Switch to secure on login, profile and admin actions RewriteEngine On RewriteCond %{HTTPS} !on RewriteCond %{QUERY_STRING} do=(log|profile|admin) RewriteRule ^(.*) https://​%{HTTP_HOST}/​$1 [R,​QSA,​L,​NE] ​ # Change back to non-secure on show action RewriteCond %{HTTPS} on RewriteCond %{QUERY_STRING} !do=(log|profile|admin) RewriteCond %{REQUEST_METHOD} GET RewriteRule ^(.*) http://​%{HTTP_HOST}/​$1 [R,QSA,L] </​code> ​ You may want to change ''​%%${HTTP_HOST}%%''​ to ''​${SERVER_NAME}'',​ where server name matches the hostname in your SSL certificate. ​ Notes: ​  ​* the above switches back to non-SSL on the show action only. This means switchback might not occur immediately after login, but ensures there will be no "mixed content"​ warnings during the SSL operation. ​   * if you have other rewrite rules, such as [[:​rewrite|those used in general rewriting]],​ place these rules before the others. ​   * if your DokuWiki'​s installation directory isn't the root directory (something like %%http://​example.com/​%%**wiki/​**),​ you have to add this extra path to the lines 5 and 11 of the above snippet, which will thus be something like: ''​RewriteRule ^(.*) %%http://​%%%{HTTP_HOST}/​**wiki/​**$1 [R,​QSA,​L]'' ​    ​====securecookie==== **Please note:** You need to disable the "​[[config:​securecookie]]"​ in ''​conf/​dokuwiki.php''​ in order for the above code to work. Otherwise your logins will not successfully register. ​ This is because with securecookie enabled, the session cookie created during the HTTPS login can't be sent over HTTP and the session is lost.  =====nginx===== This setup is also possible in nginx but with a minor tweak to your fastcgi_params. ​ First, you need to have separate server instances, for ''​http''​ and ''​https''​ each, to keep things clean (and for ''​rewrite''​ not to get confused and get trapped in redir loops). This can look like this. Each instance has it's own rewrite rule to switch from http and https. ​ <​code>​ # Tested with nginx 0.8.5 # In http context of your nginx configuration map $scheme $php_https { default off; https on; }      server {  server_name wiki.host.org ​ root /​path/​to/​dokuwiki; ​ index doku.php; ​ listen 80;  #Enforce https for logins, admin  if ($args ~* do=(log|admin|profile)) {   ​rewrite ^ https://​$host$request_uri?​ redirect; ​  include dokuwiki.conf; ​    ​     server {  server_name wiki.host.org; ​ root /​path/​to/​dokuwiki; ​ index doku.php; ​ listen 443 ssl;  keepalive_requests ​   10;  keepalive_timeout ​    60 60;  ssl_certificate ​     /​etc/​ssl/​certs/​ssl-cert-snakeoil.pem; ​ ssl_certificate_key ​ /​etc/​ssl/​private/​ssl-cert-snakeoil.key; ​ #switch back to plain http for normal view   ​if ($args ~* (do=show|^$)){ ​  ​rewrite ^ http://​$host$request_uri?​ redirect; ​  include dokuwiki.conf; ​    ​} </​code> ​ In ''​dokuwiki.conf''​ (same path as your nginx.conf) you can use the [[http://​wiki.nginx.org/​Dokuwiki|snippet from nginx wiki]], but you __need__ to add    fastcgi_param HTTPS $php_https; ​ to your your fastcgi_params. This parameter and the ''​map''​ directive in the beginning are required because Dokuwiki checks for $_SERVER['​HTTPS'​] to work.   ​Like with apache, you need to disable [[#​securecookie|securecookie]] in your ''​conf/​dokuwiki.php''​. ​   ===== php Based HTTPS ===== Below is useful if you wish to force https connection ALWAYS (not just for login), and wish not to rely on Apache or NGINX htaccess or other server specific directives. ​ Place below lines on top of the template file at '''​...lib/​tpl/​template-name/​main.php''' ​ <code php> <?php if ($_SERVER[HTTPS]!="​on"​) {   ​//​$strURIName=$_SERVER['​SERVER_NAME'​] . getenv("​REQUEST_URI"​); ​   // The function '​getenv'​ does not work if your Server API is ASAPI (IIS). ​  ​// So, try to don't use getenv('​REMOTE_ADDR'​),​ but $_SERVER["​REMOTE_ADDR"​]. ​  ​$strURIName= $_SERVER['​SERVER_NAME'​] . $_SERVER['​REQUEST_URI'​]; ​  ​header ("​Location:​ https://​$strURIName"​); ​  ​// If it doesn'​t work for you and you need to troubleshoot your php code,    // uncomment below to find out about your particular server variables ​  ​/*   ​echo "<​b>​_SERVER Variables from $_SERVER</​b><​br><​br>"; ​  ​reset($_SERVER); ​  ​while (list ($key, $val) = each ($_SERVER)) {   ​print $key . " = " . $val . "<​br>"; ​  ​  ​*/ }  ?> </​code> ​ Thanks.. That saved my day!     ​===== Discussion ===== ==== [[:​rewrite|general rewriting]] mandatory? ==== Isn't [[:​rewrite|general rewriting]] a requirement to get rewriting for login working so that the sentence should be clearer? I myself didn't get to that point so far, but as far as I'm concerned the managing of some config settings like basedir, and setting the appropriate ''​$conf['​userewrite'​]''​ value (see also [[:​rewrite#​Discussion]]) seems crucial ​ --- [[user>​krichter|krichter]] //​2014-06-02 01:​11// ​ ==== Update for 2014-05-05 "​Ponder Stibbons"​ ==== Are these instructions up to date for 2014-05-05 "​Ponder Stibbons"?​ If yes, is there a template to include an overview for tested versions (with indication whether it's working for them or not, like for plugins) - facilitates the research enormously. If no, is there someone who has an idea (with redirection to HTTPS (first section for ''​.htaccess''​ I get it working partially - it's more randomly actually - and with both section I get an endless redirection warning of firefox (tried about 20 to 30 combinations with hints from [[:​rewrite|general rewriting]] and gave up...   ​==== 17 Jul 14 - Access Denied SSL Login fix ==== I have created the solution to the “access denied” ​pages that enables rewrite rules to redirect the user to an SSL login page. This fix was an edit to the source code that redirects the user to the same page with the ‘do=login’ ​query string this enables the rewrite rules to take effect and redirect to an SSL login page, once the user logs in they will be presented with the page they tried to access. This fix is on my websites [[http://​nofusscomputing.com/​mantis/​view.php?​id=99 |‘bug and feature ​tracker’]] as a patch file.  Jon, [[http://​nofusscomputing.com|No Fuss Computing.]] ​ ==== 25 Nov 15 - wrong protocol service or infinite loop ====  I try to CASsify my **Dokuwiki** with **phpCAS**. My CAS server does not allow http services (which I could change but it is not my purpose).\\ So I did install the plugin authplaincas with success and the phpCAS lib too. Evrything is OK except one thing : ''​Client.php''​ from phpCAS lib does not return the service to the CAS server with ''​https''​ but only with ''​http''​. I could made a trick which I post here : https://​github.com/​Jasig/​phpCAS/​issues/​178\\ First I was thinking **phpCAS** was the problem then it was **Dokuwiki** and then again **phpCAS** but now I think it is **DokuWiki** which report the wrong protocol service. ​ I tried different solution like rewrite engine into ''​.htaccess''​ but it leads to an infinite loop (I disabled secure cookie option). ​ For more information,​ I use an Apache2.4 Reverse proxy with permanent redirect 80 to 443 and a backend web with Apache2.4 with HTTP only.  I think the problem is HTTPS protocol information is not transmit to my backend which host my DokuWiki or when I get infinite loop I think my cookie is not preserve. ​ How can I fix it or debug it ? Help will be very appreciate. ​ Regards,\\ Guy CARRÉ\\ ​ guycarre at free dot fr  **EDIT** I found what it was wrong and I post it here : https://​github.com/​Jasig/​phpCAS/​issues/​178 ​  ​Good night ;-)  ==== 30 Nov 15 - do ==== Over HTTP, not logged on a inexistent page if you try to view source(do=edit),​ you'll "​do=login"​ implicitly, over HTTP. I suggest to switch to https on "​do=(login|admin|profile|edit)"​.\\ ​ Also, I'm not sure that this configuration really **needs** secure cookie disabled, it needs it **enabled** to me. Actually, steal a cookie is as easy as steal a cleartext password. Ok, it doesn'​t last as long, and isn't as powerful (or is it)..\\ ​ Switching back to http, you loose session : abilities to edit, config etc, what's wrong with this? Doing such an action puts you back to https, the cookie is send and you retrieve your session. Maybe some other actions need to switch to https then like media things, etc, I don't know.\\ ​ These are just suggestions,​ I do not master neither dokuwiki nor http(s)(server or protocol). ​ ==== 16 Feb 2016 - Use TLS all the time ====  We should amend this tip to recommend using TLS for all connections. ​ Per the "30 Nov 15 - do" comment above, if you send the cookie insecurely for an active session, then it can be trivially stolen as the cookie going across the wire in the clear. ​ [[https://​en.wikipedia.org/​wiki/​Firesheep|Firesheep]] makes this task automated and trivial to execute. ​ Further, [[https://​www.owasp.org/​index.php/​Session_Management_Cheat_Sheet#​Transport_Layer_Security|OWASP]] best practices are to run all secure all the time. Finally, we should recommend the 443 vhost send the [[https://​en.wikipedia.org/​wiki/​HTTP_Strict_Transport_Security|HTTP Strict Transport Security (HSTS)]] header too.  This is done with a single line in the 443 vhost (for Apache in this example): <​code>​Header always set Strict-Transport-Security "​max-age=63072000;​ preload"</​code> ​ One step further would be to strongly recommend that TLS be configured by default. ​ Though this makes the install more technically challenging,​ having a default setup of sending login credentials in the clear is a bad idea.  + 
 +===== Plugins ====== 
 +==== forcessllogin ==== 
 +See https://​www.dokuwiki.org/​plugin:​forcessllogin,​ doesn'​t seem to reflect SSL access in URL, i.e. dokuwiki'​s access denied page won't be opened via https protocol which makes debugging and assuring that you're securely logging in difficult. 
 +=====Apache===== 
 +Using Apache'​s mod_rewrite,​ DokuWiki logins can be forced to use HTTPS, thus preventing clear text passwords on the wire. 
 + 
 +You may want to read up on [[:​rewrite|general rewriting]] first. 
 + 
 +Redirection to a secured connection which is restricted to a certain set of pages (e.g. login pages) requires their recognition based on the URL. Some pages (e.g. "​access denied"​ pages which might be included only in newer versions, e.g. 2014-05-05 "​Ponder Stibbons"​ <​ref>​https://​www.dokuwiki.org/​plugin:​ondeniedlogin</​ref>​) don't include such a mark and cannot be distungished from the rest of URLs (which one might want to be accessed without a secure connection in order to save server resources). 
 + 
 +FIXME The rest of the paragraph only handles requests with a ''?​do=login''​ GET query which doesn'​t cover at least "​access denied"​ pages! Research about a redirection rule for all authentification requests over HTTP is necessary.\\ ​  
 +See discussion for solution. ​ 
 + 
 +The following assumes you already set up HTTPS support for your wiki, making it available via HTTP and HTTPS on the same address. For performance reasons only the login and profile updates should be forced to HTTPS while all "​normal"​ wiki actions will continue to work on HTTP. 
 + 
 +Since you need to have cookies set up via HTTPS to work on HTTP as well, you need to disable the [[config:​securecookie]] option first. Then proceed to set up the redirection in your ''​.htaccess'':​ 
 + 
 +<​code>​ 
 +# Switch to secure on login, profile and admin actions 
 +RewriteEngine On 
 +RewriteCond %{HTTPS} !on 
 +RewriteCond %{QUERY_STRING} do=(log|profile|admin) 
 +RewriteRule ^(.*) https://​%{HTTP_HOST}/​$1 [R,​QSA,​L,​NE] 
 + 
 +# Change back to non-secure on show action 
 +RewriteCond %{HTTPS} on 
 +RewriteCond %{QUERY_STRING} !do=(log|profile|admin) 
 +RewriteCond %{REQUEST_METHOD} GET 
 +RewriteRule ^(.*) http://​%{HTTP_HOST}/​$1 [R,QSA,L] 
 +</​code>​ 
 + 
 +You may want to change ''​%%${HTTP_HOST}%%''​ to ''​${SERVER_NAME}'',​ where server name matches the hostname in your SSL certificate. 
 + 
 +Notes: 
 +  ​* the above switches back to non-SSL on the show action only. This means switchback might not occur immediately after login, but ensures there will be no "mixed content"​ warnings during the SSL operation. 
 + 
 +  ​* if you have other rewrite rules, such as [[:​rewrite|those used in general rewriting]],​ place these rules before the others. 
 + 
 +  ​* if your DokuWiki'​s installation directory isn't the root directory (something like %%http://​example.com/​%%**wiki/​**),​ you have to add this extra path to the lines 5 and 11 of the above snippet, which will thus be something like: ''​RewriteRule ^(.*) %%http://​%%%{HTTP_HOST}/​**wiki/​**$1 [R,​QSA,​L]''​ 
 + 
 + 
 + 
 + 
 +====securecookie==== 
 +**Please note:** You need to disable the "​[[config:​securecookie]]"​ in ''​conf/​dokuwiki.php''​ in order for the above code to work. Otherwise your logins will not successfully register. ​ This is because with securecookie enabled, the session cookie created during the HTTPS login can't be sent over HTTP and the session is lost. 
 + 
 +=====nginx===== 
 +This setup is also possible in nginx but with a minor tweak to your fastcgi_params. 
 + 
 +First, you need to have separate server instances, for ''​http''​ and ''​https''​ each, to keep things clean (and for ''​rewrite''​ not to get confused and get trapped in redir loops). This can look like this. Each instance has it's own rewrite rule to switch from http and https. 
 + 
 +<​code>​ 
 +# Tested with nginx 0.8.5 
 +# In http context of your nginx configuration 
 +map $scheme $php_https { default off; https on; } 
 + 
 +    ​server { 
 + server_name wiki.host.org 
 + root /​path/​to/​dokuwiki;​ 
 + index doku.php; 
 + listen 80; 
 + #Enforce https for logins, admin 
 + if ($args ~* do=(log|admin|profile)) { 
 + rewrite ^ https://​$host$request_uri?​ redirect; 
 + } 
 + include dokuwiki.conf;​ 
 +    ​} 
 + 
 +    ​server { 
 + server_name wiki.host.org;​ 
 + root /​path/​to/​dokuwiki;​ 
 + index doku.php; 
 + listen 443 ssl; 
 + keepalive_requests ​   10; 
 + keepalive_timeout ​    60 60; 
 + ssl_certificate ​     /​etc/​ssl/​certs/​ssl-cert-snakeoil.pem;​ 
 + ssl_certificate_key ​ /​etc/​ssl/​private/​ssl-cert-snakeoil.key;​ 
 + #switch back to plain http for normal view 
 + 
 + if ($args ~* (do=show|^$)){ 
 + rewrite ^ http://​$host$request_uri?​ redirect; 
 + } 
 + include dokuwiki.conf;​ 
 +    ​} 
 +</​code>​ 
 + 
 +In ''​dokuwiki.conf''​ (same path as your nginx.conf) you can use the [[http://​wiki.nginx.org/​Dokuwiki|snippet from nginx wiki]], but you __need__ to add 
 + 
 +  ​fastcgi_param HTTPS $php_https; 
 + 
 +to your your fastcgi_params. This parameter and the ''​map''​ directive in the beginning are required because Dokuwiki checks for $_SERVER['​HTTPS'​] to work.  
 + 
 +Like with apache, you need to disable [[#​securecookie|securecookie]] in your ''​conf/​dokuwiki.php''​. ​ 
 + 
 + 
 +===== php Based HTTPS ===== 
 +Below is useful if you wish to force https connection ALWAYS (not just for login), and wish not to rely on Apache or NGINX htaccess or other server specific directives. ​ Place below lines on top of the template file at '''​...lib/​tpl/​template-name/​main.php'''​ 
 + 
 +<code php> 
 +<?php 
 +if ($_SERVER[HTTPS]!="​on"​) { 
 +  ​//​$strURIName=$_SERVER['​SERVER_NAME'​] . getenv("​REQUEST_URI"​); ​ 
 +  ​// The function '​getenv'​ does not work if your Server API is ASAPI (IIS). 
 +  ​// So, try to don't use getenv('​REMOTE_ADDR'​),​ but $_SERVER["​REMOTE_ADDR"​]. 
 +  ​$strURIName= $_SERVER['​SERVER_NAME'​] . $_SERVER['​REQUEST_URI'​];​ 
 +  ​header ("​Location:​ https://​$strURIName"​);​ 
 +  ​// If it doesn'​t work for you and you need to troubleshoot your php code,  
 +  ​// uncomment below to find out about your particular server variables 
 +  ​/* 
 +  ​echo "<​b>​_SERVER Variables from $_SERVER</​b><​br><​br>";​ 
 +  ​reset($_SERVER);​ 
 +  ​while (list ($key, $val) = each ($_SERVER)) { 
 +  ​print $key . " = " . $val . "<​br>";​ 
 +  ​} 
 +  ​*/ 
 +} 
 + 
 +?> 
 +</​code>​ 
 + 
 +Thanks.. That saved my day! 
 + 
 + 
 + 
 + 
 +===== Discussion ===== 
 +==== [[:​rewrite|general rewriting]] mandatory? ==== 
 +Isn't [[:​rewrite|general rewriting]] a requirement to get rewriting for login working so that the sentence should be clearer? I myself didn't get to that point so far, but as far as I'm concerned the managing of some config settings like basedir, and setting the appropriate ''​$conf['​userewrite'​]''​ value (see also [[:​rewrite#​Discussion]]) seems crucial ​ --- [[user>​krichter|krichter]] //​2014-06-02 01:11// 
 + 
 +==== Update for 2014-05-05 "​Ponder Stibbons"​ ==== 
 +Are these instructions up to date for 2014-05-05 "​Ponder Stibbons"?​ If yes, is there a template to include an overview for tested versions (with indication whether it's working for them or not, like for plugins) - facilitates the research enormously. If no, is there someone who has an idea (with redirection to HTTPS (first section for ''​.htaccess''​ I get it working partially - it's more randomly actually - and with both section I get an endless redirection warning of firefox (tried about 20 to 30 combinations with hints from [[:​rewrite|general rewriting]] and gave up...  
 + 
 +==== 17 Jul 14 - Access Denied SSL Login fix ==== 
 +I have created the solution to the “access denied” ​pages that enables rewrite rules to redirect the user to an SSL login page. 
 +This fix was an edit to the source code that redirects the user to the same page with the ‘do=login’ ​query string this enables the rewrite rules to take effect and redirect to an SSL login page, once the user logs in they will be presented with the page they tried to access. This fix is on my websites [[http://​nofusscomputing.com/​mantis/​view.php?​id=99 |‘bug ​and feature ​tracker’]] as a patch file.  Jon, [[http://​nofusscomputing.com|No Fuss Computing.]] 
 + 
 +==== 25 Nov 15 - wrong protocol service or infinite loop ==== 
 + 
 +I try to CASsify my **Dokuwiki** with **phpCAS**. My CAS server does not allow http services (which I could change but it is not my purpose).\\ 
 +So I did install the plugin authplaincas with success and the phpCAS lib too. Evrything is OK except one thing : ''​Client.php''​ from phpCAS lib does not return the service to the CAS server with ''​https''​ but only with ''​http''​. I could made a trick which I post here : 
 +https://​github.com/​Jasig/​phpCAS/​issues/​178\\ 
 +First I was thinking **phpCAS** was the problem then it was **Dokuwiki** and then again **phpCAS** but now I think it is **DokuWiki** which report the wrong protocol service. 
 + I tried different solution like rewrite engine into ''​.htaccess''​ but it leads to an infinite loop (I disabled secure cookie option). 
 + For more information,​ I use an Apache2.4 Reverse proxy with permanent redirect 80 to 443 and a backend web with Apache2.4 with HTTP only. 
 + I think the problem is HTTPS protocol information is not transmit to my backend which host my DokuWiki or when I get infinite loop I think my cookie is not preserve. 
 + How can I fix it or debug it ? Help will be very appreciate. 
 + 
 +Regards,\\ 
 +Guy CARRÉ\\ 
 + guycarre at free dot fr 
 + 
 +**EDIT** 
 +I found what it was wrong and I post it here : 
 +https://​github.com/​Jasig/​phpCAS/​issues/​178 
 + 
 + Good night ;-) 
 + 
 +==== 30 Nov 15 - do ==== 
 +Over HTTP, not logged on a inexistent page if you try to view source(do=edit),​ you'll "​do=login"​ implicitly, over HTTP. 
 +I suggest to switch to https on "​do=(login|admin|profile|edit)"​.\\ ​ 
 +Also, I'm not sure that this configuration really **needs** secure cookie disabled, it needs it **enabled** to me. Actually, steal a cookie is as easy as steal a cleartext password. Ok, it doesn'​t last as long, and isn't as powerful (or is it)..\\ ​ 
 +Switching back to http, you loose session : abilities to edit, config etc, what's wrong with this? Doing such an action puts you back to https, the cookie is send and you retrieve your session. Maybe some other actions need to switch to https then like media things, etc, I don't know.\\ ​ 
 +These are just suggestions,​ I do not master neither dokuwiki nor http(s)(server or protocol). 
 + 
 +==== 16 Feb 2016 - Use TLS all the time ==== 
 + 
 +We should amend this tip to recommend using TLS for all connections. ​ Per the "30 Nov 15 - do" comment above, if you send the cookie insecurely for an active session, then it can be trivially stolen as the cookie going across the wire in the clear. ​ [[https://​en.wikipedia.org/​wiki/​Firesheep|Firesheep]] makes this task automated and trivial to execute. ​ Further, [[https://​www.owasp.org/​index.php/​Session_Management_Cheat_Sheet#​Transport_Layer_Security|OWASP]] best practices are to run all secure all the time. Finally, we should recommend the 443 vhost send the [[https://​en.wikipedia.org/​wiki/​HTTP_Strict_Transport_Security|HTTP Strict Transport Security (HSTS)]] header too.  This is done with a single line in the 443 vhost (for Apache in this example): 
 +<​code>​Header always set Strict-Transport-Security "​max-age=63072000;​ preload"</​code>​ 
 + 
 +One step further would be to strongly recommend that TLS be configured by default. ​ Though this makes the install more technically challenging,​ having a default setup of sending login credentials in the clear is a bad idea. 
 + 
tips/httpslogin.txt · Last modified: 2017-10-15 16:46 by 212.9.99.131