I like that there is a config option to require public-key authentication for SSH access, thus enforcing strong authentication. Thank you for that. I want to accomplish something similar for the management HTTPS server by requiring client certificates (signed by my CA) in order to successfully connect to the management interface. I’ve succeeded in doing this by adding 3 lines to /etc/httpd/conf/ssl-global.conf, but I fear my changes won’t survive a Core Update. Is there a better way to do this? Or at least a way that will likely survive a Core Update?
I suspect the files in the /etc/httpd/conf/ directory are not ones likely to be modified by a Core Update but it can’t be guaranteed.
What you can do as a safety step is to add etc/httpd/conf/ssl-global.conf to the /var/ipfire/backup/include.user file.
This will ensure that your changes are included in the backup done by IPFire before it runs the Core Update. Note that the leading / is removed from the definitions put into include.user.
After a Core Update is run, you can then either first check that everything still works as you want, or you could just, as standard, download the backup file made by IPFire and then restore from it.
@dzenc, @bonnietwin:
I don’t think this solution is working in all cases.
What about corrections/enhancements included in a CU? They are deleted by the restore.
Therefore I think we should discuss a general modification for this. Either in the development list or as a feature request in Bugzilla, or both.
I did this globally in /etc/httpd/conf/ssl-global.conf. Client certificates need to be signed by the cert file listed above. (You should be able to increase SSLVerifyDepth if you use intermediate certificates.)
To follow up for anyone trying to replicate this: I tested by upgrading from 168 to 170 (without adding anything to the backup config) and noticed that it re-installed a clean ssl-global.conf after the upgrade. Instead of backing it up and restoring it, I added a patch to rc.local and force a reboot if it applies, like so (not the most efficient, but it seems to work):
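To illustrate the two ideas in this thread together (the three mod_ssl directives that require a CA-signed client certificate, and re-applying them from a boot script because a Core Update replaces ssl-global.conf), here is an added example. It is not from the thread, and it is not IPFire's own code. It assumes the file path /etc/httpd/conf/ssl-global.conf named in the question; the CA file path /etc/httpd/conf/client-ca.pem, the marker comment, and the function names are my own placeholders. Unlike the rc.local patch described above, this script is idempotent: it appends the directives only when they are missing, so it can run on every boot without duplicating them.

```shell
#!/bin/sh
# Added example, not from the thread or from IPFire: re-apply the mod_ssl
# client-certificate directives to the management httpd config if they are
# missing, so a boot script (e.g. rc.local) can restore them after a Core
# Update has replaced the file. Safe to run repeatedly: it appends only once.

# Assumed paths: CONF is the file named in the question; CA_FILE is a
# hypothetical location for the CA that signs your client certificates.
CONF="${CONF:-/etc/httpd/conf/ssl-global.conf}"
CA_FILE="${CA_FILE:-/etc/httpd/conf/client-ca.pem}"
# Marker comment used to detect whether the block has already been applied.
MARKER="# client-cert-auth managed block"

# Print the directives. SSLVerifyDepth 1 accepts only certificates signed
# directly by CA_FILE; raise it if your client certs chain through
# intermediate CAs (as the post above notes).
client_cert_directives() {
    cat <<EOF
$MARKER
SSLCACertificateFile $CA_FILE
SSLVerifyClient require
SSLVerifyDepth 1
EOF
}

# Exit 0 if FILE already contains the marker, 1 otherwise.
has_directives() {
    grep -qF -- "$MARKER" "$1"
}

# Append the directives to FILE unless already present.
# Exit 0 when the file was changed, 1 when it was left untouched.
ensure_directives() {
    if has_directives "$1"; then
        return 1
    fi
    client_cert_directives >> "$1"
    return 0
}

# Number of marker lines in FILE; stays at 1 across repeated runs.
marker_count() {
    grep -cF -- "$MARKER" "$1" || true
}

# Only modify the system when run as "./script --apply"; running it without
# arguments just defines the functions and changes nothing.
if [ "${1:-}" = "--apply" ]; then
    if ensure_directives "$CONF"; then
        # Directives were missing (typical right after a Core Update).
        # The author above reboots at this point; restarting httpd after a
        # successful config test is the lighter option.
        echo "restored client-certificate directives in $CONF"
    else
        echo "client-certificate directives already present in $CONF"
    fi
fi
```

Before wiring this into a boot script, run it once by hand with `--apply`, check the result with `httpd -t`, and keep a console or SSH session open: with SSLVerifyClient set to `require` at the global level, a browser without a valid certificate from that CA is refused outright, so a wrong CA_FILE locks you out of the web interface until you fix it from the shell.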