Here's a piece of goodness that has plagued us for the longest time...
Our `httpd.conf` looked similar to so:
```apache
# cat /etc/httpd/conf/httpd.conf | sed '/^[[:space:]]*#/d' | sed '/^\s*$/d'
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin webmaster@cryptopp.com
ServerName www.cryptopp.com:80
...
<VirtualHost *:80>
    ServerName www.cryptopp.com
    ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.cryptopp.com
    ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com
</VirtualHost>
```
Our `LocalSettings.php` used protocol agnostic URLs like so:
```php
# cat /var/www/html/w/LocalSettings.php | sed '/^[[:space:]]*#/d' | sed '/^\s*$/d'
<?php
if( defined( 'MW_INSTALL_PATH' ) ) {
    $IP = MW_INSTALL_PATH;
} else {
    $IP = dirname( __FILE__ );
}
...
# Notice cryptopp.com vs www.cryptopp.com
$wgServer = "//cryptopp.com";
$wgSitename = "Crypto++ Wiki";
$wgSecureLogin = true;
$wgCookieHttpOnly = true;
$wgCookieSecure = "detect";
...
```
Whenever we tried to log on through the wiki, it would take two tries for unexplained reasons. We searched through all the log files, and never encountered one squawk.
Today we enabled a mod_rewrite rule to rewrite _all_ HTTP to HTTPS. This is due to Chrome's upcoming change of displaying any site in HTTP as insecure. Also see https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/. Here's what the change looked like:
```apache
<VirtualHost *:80>
    ServerName www.cryptopp.com
    ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com
    # https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [L,R]
    </IfModule>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.cryptopp.com
    ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com
</VirtualHost>
```
The mod_rewrite completely broke wiki logons. We would visit the logon page, it would show HTTPS in the URL bar, but MediaWiki would display a message "Use Secure Logon" (IIRC), and the logon process would loop us back to the logon page without an actual login. Again, we would check the logs and there was nothing mentioned.
When we changed `$wgServer` to `www.cryptopp.com`, then everything worked as expected.
The problem above is (1) we were set to "warn" level, but no warnings or errors were logged. (2) We wasted countless hours on it, which means tens to hundreds of thousands of hours will be wasted around the world. (3) Many folks will avoid the secure state or better security posture because it is difficult to diagnose and fix. It's hard to find a canonical answer as a reference. Typically, the usual Stack Overflow fodder shows up.
Please start logging problems like ServerName != wgServer at "warn" level and above. It will save developers around the world untold pain and suffering, and it will improve the security posture for a number of sites. The improvement will come when the cause and fix become easy to diagnose.
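The `ServerName` vs `$wgServer` consistency check this report asks for, written as an added stand-alone example (it is not MediaWiki or Apache code); the two config snippets inside it are constructed to mirror the ones above, and the check only compares hosts, deliberately ignoring scheme and port:

```python
import re
from typing import Optional

# Constructed inputs mirroring the report: Apache's canonical ServerName is the
# www host, while the protocol-relative $wgServer names the bare apex domain.
HTTPD_CONF = """
ServerName www.cryptopp.com:80
<VirtualHost *:443>
    ServerName www.cryptopp.com
    ServerAlias *.cryptopp.com *.cryptopp.* cryptopp.com
</VirtualHost>
"""
LOCAL_SETTINGS = """
<?php
$wgServer = "//cryptopp.com";
$wgSecureLogin = true;
"""

def wg_server_host(local_settings: str) -> Optional[str]:
    """Host part of $wgServer: scheme or leading // dropped, then path and port."""
    m = re.search(r'^\s*\$wgServer\s*=\s*["\']([^"\']+)["\']', local_settings, re.M)
    if not m:
        return None
    value = re.sub(r'^[a-z][a-z0-9+.-]*:', '', m.group(1), flags=re.I)  # "https:" etc.
    value = value.lstrip('/')
    return value.split('/', 1)[0].split(':', 1)[0].lower()

def server_names(httpd_conf: str) -> set:
    """Every ServerName host in the config, with any :port suffix removed."""
    names = re.findall(r'^\s*ServerName\s+(\S+)', httpd_conf, re.M)
    return {n.split(':', 1)[0].lower() for n in names}

def check_server_match(httpd_conf: str, local_settings: str) -> list:
    """Warnings to log at 'warn' level; an empty list means the hosts agree."""
    host = wg_server_host(local_settings)
    if host is None:
        return ["no $wgServer found in LocalSettings.php"]
    names = server_names(httpd_conf)
    if host not in names:
        # Absolute URLs MediaWiki builds from $wgServer and redirects Apache builds
        # from %{SERVER_NAME} can then point at different hosts, and cookies scoped
        # to one host are not sent to the other.
        return [f"$wgServer host {host!r} is not an Apache ServerName {sorted(names)}"]
    return []

if __name__ == "__main__":
    for w in check_server_match(HTTPD_CONF, LOCAL_SETTINGS):
        print("WARN:", w)
```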