moderator page behind nginx with SSL
The rest of mailman version 2.1.22 is working fine with SSL and some rewriting by nginx and yet https://cibolo.us/mailman/admindb/open_electroporator gives a message "will be sent over an insecure connection" when I set a button to discard and then do the submit all data button.
Is there a way to use SSL here?
Or... will I need to disable SSL for this page to get that submit to work?
I think it has to do the 'DEFAULT_URL_PATTERN' setting as discussed here:
https://wiki.list.org/DOC/4.27%20Securing%20Mailman%27s%20web%20GUI%20by%20u...
Not sure you are having the same problem that I did at one point but this was causing the moderation page to not work in my case until I adjusted to DEFAULT_URL_PATTERN = 'https://%s/mailman/', Prior to that setting I remember a similar error and the bigger issue was anything I did in moderation just didn't have a real effect. I would select to delete or allow and either way nothing would change. After that fix the moderation page just worked.
Good luck.
Christopher Puchalski
From: John Griessen <john@cibolo.com> To: mailman-users@python.org Date: 06/17/2016 08:04 AM Subject: [Mailman-Users] moderator page behind nginx with SSL Sent by: "Mailman-Users" <mailman-users-bounces +chris.puchalski=raytheon.com@python.org>
The rest of mailman version 2.1.22 is working fine with SSL and some rewriting by nginx and yet https://cibolo.us/mailman/admindb/open_electroporator gives a message "will be sent over an insecure connection" when I set a button to discard and then do the submit all data button.
Is there a way to use SSL here?
Or... will I need to disable SSL for this page to get that submit to work?
Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/chris.puchalski%40rayt...
Hi,
I have the same setup and the moderation pages work fine with my setup. I would recommend ensuring your hosts are set up correctly in mm_cfg.py so that HTTPS is used.
Andrew.
-----Original Message----- From: Mailman-Users [mailto:mailman-users-bounces+andrew=hodgsonfamily.org@python.org] On Behalf Of John Griessen Sent: 17 June 2016 15:58 To: mailman-users@python.org Subject: [Mailman-Users] moderator page behind nginx with SSL
The rest of mailman version 2.1.22 is working fine with SSL and some rewriting by nginx and yet https://cibolo.us/mailman/admindb/open_electroporator gives a message "will be sent over an insecure connection" when I set a button to discard and then do the submit all data button.
Is there a way to use SSL here?
Or... will I need to disable SSL for this page to get that submit to work?
John Griessen writes:
The rest of mailman version 2.1.22 is working fine with SSL and some rewriting by nginx and yet https://cibolo.us/mailman/admindb/open_electroporator gives a message "will be sent over an insecure connection" when I set a button to discard and then do the submit all data button.
Do you have a proper certificate for the host, rooted in a well-known service? I suppose you do, but it's the first thing to check. The second is whether that root service is listed in your browser's list of trusted roots.
Third, is this actually SSL and not TLS? SSL is in fact considered insecure by many experts; many libraries implementing these protocols now refuse to use SSL (even v3), and some issue a warning if the server forces it.
On 06/18/2016 05:39 AM, Stephen J. Turnbull wrote:
The rest of mailman version 2.1.22 is working fine with SSL and some rewriting by nginx and yet https://cibolo.us/mailman/admindb/open_electroporator gives a message "will be sent over an insecure connection" when I set a button to discard and then do the submit all data button.
Do you have a proper certificate for the host, rooted in a well-known service? I suppose you do, but it's the first thing to check.
it is from letsencrypt.org
The second is whether that root service is listed in your browser's list of trusted roots.
It works fine for my webpages I set up such as http://cibolo.us/mailman/listinfo/open_electroporator; that URL is rewritten and permanently directed to below: https://cibolo.us/mailman/listinfo/open_electroporator
Third, is this actually SSL and not TLS? SSL is in fact considered insecure by many experts; many libraries implementing these protocols now refuse to use SSL (even v3), and some issue a warning if the server forces it.
I suppose it is TLS. I followed very recent guides to set it up.
Yes, as far as behind nginx it is TLS:
# SSL Settings
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_certificate /etc/ssl/xxxxxxxxxxxxxxxxxxx;
ssl_certificate_key /etc/ssl/xxxxxxxxxxxxxxxxxx;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/private/dhparam2048.pem;
Only admin of pending moderation is affected. Maybe I have an operator error -- I'll check for setting the moderator name and password -- it may be blank or from an older version of mailman that this installation was migrated from... fix_url has been run on the affected list. That was after some restoring of data dirs and there could be permissions problems...so maybe I still need to run fix_url again...
Thanks for the suggestions.
I could not find any examples of people using mailman behind TLS cert so I disabled the redirecting to https and the moderator function works that way. Either way the general admin pages including membership work as expected.
There must be a problem with the nginx rewrites used to handle
http://cibolo.us/mailman/admindb/mailman-list-name
as opposed to
http://cibolo.us/mailman/listinfo/mailman-list-name
I'll ask the nginx list about it, and probably stay with no https for mailman lists.
Hi,
Fwiw, here is my setup:
server {
    listen 80;
    listen [::]:80;
    server_name lists.hodgsonfamily.org lists.bcab.org.uk;
    access_log off;
    error_log off;
    location / {
        rewrite ^ https://$host$request_uri permanent;
    }
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name lists.hodgsonfamily.org lists.bcab.org.uk;
    access_log /var/log/nginx/lists-access.log;
    error_log /var/log/nginx/lists-error.log warn;
    root /var/www/lists;
    ssl_certificate /etc/ssl/certs/samwise.hodgsonfamily.org.pem;
    ssl_certificate_key /etc/ssl/private/samwise.hodgsonfamily.org.key;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/private/dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 80.68.80.24 80.68.80.25;
    location = / {
        rewrite ^ /listinfo permanent;
    }
    location ~ ^/(admin|confirm|edithtml|listinfo|options|rmlist|subscribe|admindb|create|htdig|mmsearch|private|roster) {
        fastcgi_split_path_info (^/[^/]*)(.*)$;
        fastcgi_param SCRIPT_FILENAME /usr/local/mailman/cgi-bin/$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        include /etc/nginx/fastcgi_params;
    }
    location /icons {
        alias /usr/local/mailman/icons;
    }
    location /pipermail {
        alias /usr/local/mailman/archives/public;
    }
    location /htdigimages {
        alias /var/lib/htdig/www;
    }
}
Here is my mm_cfg.py file so you can see how I did the vhosts:
DEFAULT_URL_PATTERN = 'https://%s/'
PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'
Andrew.
On 06/21/2016 10:01 AM, John Griessen wrote:
I could not find any examples of people using mailman behind TLS cert so I disabled the redirecting to https and the moderator function works that way. Either way the general admin pages including membership work as expected.
See the reply at <https://mail.python.org/pipermail/mailman-users/2016-June/080916.html> which tells you exactly how to fix this.
-- Mark Sapiro <mark@msapiro.net>, San Francisco Bay Area, California
"The highway is for gamblers, better use your sense" - B. Dylan
On 06/21/2016 12:10 PM, Mark Sapiro wrote:
On 06/21/2016 10:01 AM, John Griessen wrote:
I could not find any examples of people using mailman behind TLS cert so I disabled the redirecting to https and the moderator function works that way. Either way the general admin pages including membership work as expected.
See the reply at <https://mail.python.org/pipermail/mailman-users/2016-June/080916.html> which tells you exactly how to fix this.
I checked and my configuration had:
DEFAULT_URL_HOST = 'cibolo.us'
DEFAULT_URL_PATTERN = 'http://%s/mailman/'
DEFAULT_EMAIL_HOST = 'cibolo.us'
MTA='Postfix'
nginx was set to serve www.cibolo.us and cibolo.us by redirecting to https://cibolo.us
the subdirectories are set to be rewritten as in https://www.nginx.com/resources/wiki/start/topics/recipes/mailman/
location /mailman
location /images/mailman
location /pipermail
After noting these settings, I reran
sudo /usr/sbin/withlist -l -r fix_url sandbox
then cleared the browser cache, then browsed https://cibolo.us/mailman/listinfo
where I see an overall lists list
I use those links to navigate to
https://cibolo.us/mailman/listinfo/sandbox https://cibolo.us/mailman/admin/sandbox https://cibolo.us/mailman/admindb/sandbox
and when I change action to take to discard and click submit,
a security warning pops up saying info will not be encrypted, I click continue,
The radio button for discard goes back to Defer, the state it was in before.
All other functions of the admin pages work normally except for this.
======================================================= If I change nginx to not redirect, but serve http without TLS certs when asked, the user interface for moderation works normally.
Is there some special rewrite needed for
On 6/24/16 8:09 AM, John Griessen wrote:
DEFAULT_URL_PATTERN = 'http://%s/mailman/' ... After noting these settings, I reran
sudo /usr/sbin/withlist -l -r fix_url sandbox
You need to put
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
in mm_cfg.py and then rerun
sudo /usr/sbin/withlist -l -r fix_url sandbox
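An added check, not code from the thread or from Mailman itself: it mirrors what fix_url stores from DEFAULT_URL_PATTERN and DEFAULT_URL_HOST, then scans a served admindb page for a form whose action would post over plain http. The sample HTML is constructed, and the absolute form action in it is an assumption about how the admindb page is built from the list's web_page_url.

```python
# Added example (not from the thread or from Mailman): what fix_url derives
# from DEFAULT_URL_PATTERN, and a mixed-content check for a served admindb page.
import re
from urllib.parse import urljoin, urlparse


def web_page_url(default_url_pattern, default_url_host):
    """Mirror of what `withlist -r fix_url` stores as the list's web_page_url:
    the pattern with the host substituted (assumes a single %s, as in mm_cfg.py)."""
    return default_url_pattern % default_url_host


def mixed_content_forms(page_url, html):
    """Return the resolved action URLs of forms on an https page that would
    submit over http. Relative actions resolve against page_url and pass."""
    if urlparse(page_url).scheme != "https":
        raise ValueError("page_url must be the https URL the page was served on")
    bad = []
    for action in re.findall(r'<form\b[^>]*\baction="([^"]*)"', html, flags=re.I):
        target = urljoin(page_url, action)
        if urlparse(target).scheme != "https":
            bad.append(target)
    return bad


# Constructed sample (assumption): the admindb form carries an absolute action
# built from web_page_url, first with the thread's broken pattern, then fixed.
LISTNAME = "sandbox"
BROKEN = web_page_url("http://%s/mailman/", "cibolo.us")
FIXED = web_page_url("https://%s/mailman/", "cibolo.us")
SAMPLE_BROKEN = '<form method="POST" action="%sadmindb/%s">' % (BROKEN, LISTNAME)
SAMPLE_FIXED = '<form method="POST" action="%sadmindb/%s">' % (FIXED, LISTNAME)

if __name__ == "__main__":
    page = "https://cibolo.us/mailman/admindb/%s" % LISTNAME
    print(mixed_content_forms(page, SAMPLE_BROKEN))  # the http:// action
    print(mixed_content_forms(page, SAMPLE_FIXED))   # []
```

The browser warning in the thread is exactly the case the first call flags: the page came over https but its form would post to an http:// URL.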
On 06/24/2016 10:29 AM, Mark Sapiro wrote:
put
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
That fixed it.
The nginx folks were quick to spot this also in just a few minutes.
Thanks, John Griessen
participants (5)
- Andrew Hodgson
- Christopher A Puchalski
- John Griessen
- Mark Sapiro
- Stephen J. Turnbull