Fossil

Check-in [226b14fc]

Overview
Comment: Updated www/ssl.wiki to cover the new "Redirect to HTTPS" setting and to add recovery methods for the case where enabling it causes a redirect loop.
SHA3-256: 226b14fc72e65bf783e1ac3ccd23be683ab8b33a783fac04765c6b9a4ff150d8
User & Date: wyoung 2019-01-22 03:01:49
Context
2019-01-22
03:02
Fixed a Markdown-ism in previous check-in: 485eda76 user: wyoung tags: trunk
03:01
Updated www/ssl.wiki to cover the new "Redirect to HTTPS" setting and to add recovery methods for the case where enabling it causes a redirect loop. check-in: 226b14fc user: wyoung tags: trunk
02:52
Updated the Security-Audit page to better handle the change from the old https-login setting to the new redirect-to-https setting. check-in: 37918a1f user: wyoung tags: trunk
Changes

Changes to www/ssl.wiki.

201
202
203
204
205
206
207
208
209
210
211
212
213





214
215
216
217
218
219
220


221
222


223












224
225

226
227
228
229
230
231
232
233
234

To use TLS encryption in cloning and syncing to a remote Fossil
repository, be sure to use the <tt>https:</tt> URI scheme in
<tt>clone</tt> and <tt>sync</tt> commands.  If your server is configured
to serve the repository via both HTTP and HTTPS, it's easy to
accidentally use unencrypted HTTP if you forget the all-important 's'.

There is a setting in the Fossil UI under Admin &rarr; Access called
"Redirect to HTTPS on the Login page."  This setting is not enabled by
default.  This setting does not automatically upgrade clones and syncs
done via the <tt>http</tt> URI scheme.  It only affects web UI access to
the Fossil repository.






<b id="rloop">WARNING:</b> Never enable this setting when running Fossil
behind an HTTPS proxy with Fossil running underneath it via HTTP or
SCGI.  This will cause an infinite redirect loop any time someone tries
to log into the web UI.  Fossil sees that it's being accessed via HTTP,
so it redirects the browser to an HTTPS equivalent URL, which causes the
client to hit the HTTPS front end proxy up again for access, which
causes Fossil to see that it's being accessed via HTTP, so it redirects


the client to...'round and 'round it goes until the web browser detects
it's in a redirect loop and gives up.















If you wish to enforce TLS-only access to a Fossil web server, it is
best done at the HTTPS front-end proxy layer, not by use of Fossil-level

settings like this one.  The [./tls-nginx.md|nginx TLS proxy guide]
shows one way to achieve this, for example.


<h2>Terminology Note</h2>

This document is called <tt>ssl.wiki</tt> for historical reasons. The
TLS protocol was originally called SSL, and it went through several
revisions before being replaced by TLS. Years before this writing, SSL







|
|
|
|
<

>
>
>
>
>
|
<
<
<
<
|
|
>
>
|
|
>
>

>
>
>
>
>
>
>
>
>
>
>
>
|
<
>
|
|







201
202
203
204
205
206
207
208
209
210
211

212
213
214
215
216
217
218




219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240

241
242
243
244
245
246
247
248
249
250

To use TLS encryption in cloning and syncing to a remote Fossil
repository, be sure to use the <tt>https:</tt> URI scheme in
<tt>clone</tt> and <tt>sync</tt> commands.  If your server is configured
to serve the repository via both HTTP and HTTPS, it's easy to
accidentally use unencrypted HTTP if you forget the all-important 's'.

As of Fossil 2.8, there is a setting in the Fossil UI under Admin &rarr;
Access called "Redirect to HTTPS," which is set to "Off" by default.
Changing this only affects web UI access to the Fossil repository. It
doesn't affect clones and syncs done via the <tt>http</tt> URI scheme.


In Fossil 2.7 and earlier, there was a much weaker form of this setting
affecting the <tt>/login</tt> page only. If you're using this setting,
you should migrate to the new setting as soon as possible, because the
old setting allows multiple ways of defeating it.

<b id="rloop">WARNING:</b> Enabling HTTPS redirects at the Fossil repo




level while running Fossil behind an HTTPS proxy can result in an
infinite redirect loop.  It happens when the proxy mechanism presents
"`http`" URIs to Fossil, so Fossil issues a redirect, so the browser
fetches the page again, causing Fossil to see an "`http`" URI again, so
it issues a redirect...'round and 'round it goes until the web browser
detects it's in a redirect loop and gives up. This problem prevents you
from getting back into the Admin UI to fix it, but there are several
ways to fix it:

  #  <p><b>Reset via CLI.</b> You can turn the setting back off from the
     CLI with the command "<tt>fossil -R /path/to/repo.fossil set
     redirect-to-https 0</tt>". (Currently doesn't work.)</p>
  #  <p><b>Backup first.</b> This setting is stored in the Fossil
     repository, so if you make a backup first <i>on the server</i>, you
     can restore the repo file if enabling this feature creates a
     redirect loop.</p>
  #  <p><b>Download, fix, and restore.</b> You can copy the remote
     repository file down to a local machine, use <tt>fossil ui</tt> to
     fix the setting, and then upload it to the repository server
     again.</p>

It's best to enforce TLS-only access at the front-end proxy level

anyway. It not only avoids the problem entirely, it can be significantly
more secure.  The [./tls-nginx.md|nginx TLS proxy guide] shows one way
to achieve this.</p>


<h2>Terminology Note</h2>

This document is called <tt>ssl.wiki</tt> for historical reasons. The
TLS protocol was originally called SSL, and it went through several
revisions before being replaced by TLS. Years before this writing, SSL
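Review bot: the "Reset via CLI" recovery item gives the reader a command ("fossil -R /path/to/repo.fossil set redirect-to-https 0") and then says "(Currently doesn't work.)", so the first of the three recovery methods offered to an admin who is already locked out by the redirect loop is one that cannot be used; either leave the item out until the CLI reset works, or move it to the end of the list and state plainly that the setting cannot yet be turned off from the command line, so the backup-first and download-fix-restore methods are the ones a reader sees first. Two markup points in the same hunk: the "`http`" spans use Markdown backticks in a .wiki file, where the surrounding page uses <tt>http</tt> for the same thing, and the final paragraph ends with a stray </p> ("to achieve this.</p>") that has no matching opening <p>.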