
    HTTPS Redirect Web GUI

    • C
      cul3r0
      last edited by

      Re: Boot.php permissiondenied

      Is there any way to write a port 80 > 443 redirect affecting only the web GUI? Due to my customer's security requirements I need a redirect to SSL-secured port 443 for the web GUI. But I know the FOG client stops working and that’s an entirely different beast. I tried adding the redirect shown here, which worked for the web GUI but then didn’t allow iPXE boot to work, and got an error with “Operation Permitted”. I imagine, just like stated in this previous post, it has to do with the redirect. Any advice on a redirect only affecting the web GUI?

      ea0dc354-a888-4036-a636-8d11848db1c4-image.png

      • JJ FullmerJ
        JJ Fullmer Testers @cul3r0
        last edited by

        @cul3r0

        I have such a redirect

        <VirtualHost *:80>
            <FilesMatch "\.php$">
                SetHandler "proxy:fcgi://127.0.0.1:9000/"
            </FilesMatch>
            KeepAlive Off
            ServerName ip.of.fog.server
            ServerAlias hostnameOfFogServer
            DocumentRoot /var/www/html/
            <Directory /var/www/html/fog/>
                DirectoryIndex index.php index.html index.htm
            </Directory>
            RewriteEngine On
            RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
            RewriteRule .* - [F]
            RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
            RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
            RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
        </VirtualHost>
        

        This is assuming you have your cert configured in ssl.conf too.
        I’m running CentOS with httpd, as that might make a difference if you’re running Debian-based Apache.

        Have you tried the FogApi powershell module? It's pretty cool IMHO
        https://github.com/darksidemilk/FogApi
        https://fogapi.readthedocs.io/en/latest/
        https://www.powershellgallery.com/packages/FogApi
        https://forums.fogproject.org/topic/12026/powershell-api-module

        • C
          cul3r0 @JJ Fullmer
          last edited by

          @JJ-Fullmer Does this affect your PXE booting into FOG from an asset? I do have an SSL cert configured on the https port for the web GUI.

          • JJ FullmerJ
            JJ Fullmer Testers @cul3r0
            last edited by

            @cul3r0 It does not, that configuration is elsewhere. If you enabled https support at install then you have to do something special to get that disabled for pxe because it embeds the self-signed cert made at install into the on-the-fly pxe compilation process.

            • C
              cul3r0 @JJ Fullmer
              last edited by

              @JJ-Fullmer So I didn’t notice, but that’s the same original file. Your config is the one I have, but the Nessus vuln scanner and the curl command as well do not have a redirect going from http to https. We do get a 302 redirect, but unfortunately it’s redirecting back to http.

              • C
                cul3r0 @cul3r0
                last edited by

                9e9c2483-144a-4a0c-bd5a-a3c43807aaa1-image.png

                This is the result from Nessus Vulnerability scanner when it comes to port 80 “not redirecting” to https 443

                • JJ FullmerJ
                  JJ Fullmer Testers @cul3r0
                  last edited by

                  @cul3r0 The https redirect is actually only working for me if I go to the FQDN on http, i.e. http://fog-server.domain.tld will redirect to https but http://fog-server will not redirect.
                  I’m pretty sure it’s possible to adjust the rules to redirect everything to the FQDN on https. You can probably mess with the rules to make it rewrite anything to go to the FQDN on https.

                  • D
                    dvorak
                    last edited by dvorak

                    @JJ-Fullmer said in HTTPS Redirect Web GUI:

                    https redirect

                    I had this issue, but wanted to add to the Copilot answer that works on RHEL 8.10 running the latest Apache and FOG 1.5.10.1634 (this assumes you installed FOG with NO HTTPS option, in other words HTTPS disabled by default):

                    To redirect all HTTP requests on port 80 to HTTPS on port 443 using your provided certificate and key, you can use the following configuration:

                    Create a new configuration file in the /etc/httpd/conf.d/ directory, for example, redirect.conf:

                    <VirtualHost *:80>
                        ServerName ip.of.fog.server
                        ServerAlias hostnameOfFogServer
                        RewriteEngine On
                        RewriteCond %{HTTPS} off
                        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
                    </VirtualHost>
                    

                    Update your SSL configuration in the /etc/httpd/conf.d/ssl.conf file to include your certificate and key:

                    <VirtualHost *:443>
                        ServerName ip.of.fog.server
                        ServerAlias hostnameOfFogServer
                        DocumentRoot /var/www/html/
                        SSLEngine on
                        SSLCertificateFile /opt/fog/ssl/UNIQUE-FOR-ME/MYCERT.cer
                        SSLCertificateKeyFile /opt/fog/ssl/UNIQUE-FOR-ME/MYCERT.key
                    
                        <Directory /var/www/html/fog/>
                            DirectoryIndex index.php index.html index.htm
                            AllowOverride All
                            Require all granted
                        </Directory>
                    
                        <FilesMatch "\.php$">
                            SetHandler "proxy:fcgi://127.0.0.1:9000/"
                        </FilesMatch>
                    
                        RewriteEngine On
                        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
                        RewriteRule .* - [F]
                        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
                        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
                        RewriteRule ^/fog/(.*)$ /fog/api/index.php [QSA,L]
                    </VirtualHost>
                    

                    Restart Apache to apply the changes:

                    sudo systemctl restart httpd
                    

                    This configuration will redirect all HTTP requests to HTTPS and use the provided certificate and key for SSL. Make sure to replace ip.of.fog.server and hostnameOfFogServer with your actual server IP and hostname.

                    Lastly, when enrolling a cert I used the FQDN and plain hostname as a “Subject Alternative Name”. For my company, this means internal use only (.pvt). This takes care of both redirects (prob could have also talked to the DNS team to redirect the hostname to the FQDN, e.g. hostname.blah.pvt, as well). But it’s better (and faster) in the cert if you can do it that way.

                    1 Reply Last reply Reply Quote 0
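
A check for the symptom discussed in this thread (a 302 from port 80 that points back at http, or a redirect that only works for the FQDN), as an added example that is not part of any post above: it classifies a port-80 response by its Location header. The sample responses are constructed, the function names are hypothetical, and `/fog/` as the probe path is an assumption taken from the configs above.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def classify(request_host, status, location):
    """Verdict for one plain-HTTP response, judged by its Location header."""
    if status not in REDIRECTS:
        return "no-redirect"
    target = urlsplit(location or "")
    # A relative or http:// Location keeps the client on port 80.
    if target.scheme != "https":
        return "redirect-stays-http"
    if (target.hostname or "").lower() != request_host.lower():
        return "https-other-host"   # e.g. short name sent to the FQDN
    return "https-same-host"

def probe(host, path="/fog/", timeout=5):
    """Send one HEAD to port 80 without following redirects (live check)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def failing_names(responses):
    """Names whose port-80 answer does not end up on HTTPS."""
    ok = {"https-same-host", "https-other-host"}
    return sorted(h for h, (status, loc) in responses.items()
                  if classify(h, status, loc) not in ok)

# Constructed sample responses (not captured from a real server).
SAMPLE = {
    "fog-server.domain.tld": (301, "https://fog-server.domain.tld/fog/"),
    "fog-server": (302, "http://fog-server/fog/index.php"),
    "ip.of.fog.server": (200, None),
}

if __name__ == "__main__":
    for name, (status, loc) in SAMPLE.items():
        print(name, status, classify(name, status, loc))
    print("still on HTTP:", failing_names(SAMPLE))
```

To test a real server, pass each name clients use (IP, short hostname, FQDN) to `probe()` and feed the result to `classify()`; an `https-other-host` verdict also means the certificate must cover the target name.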