[BlueOnyx:24279] Re: 5209R logins - More code archeology

Ernie ernie at info.eis.net.au
Fri Sep 11 08:26:54 -05 2020


Hi Michael,
It's not hard to see what happened; it's in the code comments.

Here is part of /etc/admserv/conf/httpd.conf on a 5107R box.

# ssl is on for the admin server by default
<VirtualHost _default_:444>
SSLEngine off
RewriteEngine On
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteCond %{DOCUMENT_ROOT}            !-d
RewriteRule .*                          http://%1:444/error/forbidden.html [L,R]
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteRule ^/admin/?$                  http://%1:444/login.php [L,R]
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteRule ^/siteadmin/?$              http://%1:444/login.php [L,R]
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteRule ^/personal/?$               http://%1:444/login.php [L,R]
RewriteCond %{HTTP_HOST}                ^([^:]+)
RewriteRule ^/login/?$                  http://%1:444/login.php [L,R]
</VirtualHost>


The comment says that "ssl is on for the admin server by default", hence it's
on port 444, but someone has snuck in "SSLEngine off", contradicting the
comment, and did not change the port back to 81, so there it remains on the
wrong port for years.


- Ernie.
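An added example (not code from this post or from the BlueOnyx project) of a defender-side check for exactly the mismatch described above: it parses an admserv-style httpd.conf, maps each listened port to its SSLEngine setting, and flags a port-444 vhost that serves the GUI without TLS. The sample config is constructed from the excerpts in this thread, and the port roles (444 HTTPS, 81 HTTP) are an assumption taken from the original Cobalt layout discussed here.

```python
import re
# Constructed sample modelled on the admserv httpd.conf excerpts in this thread; not the real file.
ADMSERV_CONF = """\
Listen 81
Listen 444
# ssl is on for the admin server by default
<VirtualHost _default_:444>
SSLEngine off
</VirtualHost>
<VirtualHost _default_:81>
SSLEngine on
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)", re.I | re.M)
VHOST_RE = re.compile(r"<VirtualHost\s+[^:\s>]+:(\d+)\s*>(.*?)</VirtualHost>", re.I | re.S)
SSL_RE = re.compile(r"^\s*SSLEngine\s+(on|off)\b", re.I | re.M)

def listen_ports(conf):
    """Ports named by Listen directives, in order of appearance, deduplicated."""
    ports = []
    for m in LISTEN_RE.finditer(conf):
        port = int(m.group(1))
        if port not in ports:
            ports.append(port)
    return ports

def parse_vhosts(conf):
    """Map each <VirtualHost> port to its SSLEngine value: 'on', 'off' or 'unset'."""
    result = {}
    for m in VHOST_RE.finditer(conf):
        port, body = int(m.group(1)), m.group(2)
        ssl = SSL_RE.search(body)
        result[port] = ssl.group(1).lower() if ssl else "unset"
    return result

def audit_admserv(conf, tls_ports=(444,), plain_ports=(81,)):
    """Flag ports whose SSLEngine setting contradicts their assumed role (444 HTTPS, 81 HTTP)."""
    vhosts = parse_vhosts(conf)
    findings = []
    for port in listen_ports(conf):
        ssl = vhosts.get(port, "unset")  # no vhost block: served by the main server, no TLS
        if port in tls_ports and ssl != "on":
            findings.append(f"port {port}: expected TLS but SSLEngine is {ssl}; "
                            "GUI logins on this port travel in cleartext")
        elif port in plain_ports and ssl == "on":
            findings.append(f"port {port}: SSLEngine on where plain HTTP was expected "
                            "(HTTP/HTTPS admin ports look swapped)")
    return findings
```

Run it against a real admserv httpd.conf by passing the file contents to audit_admserv; an empty list means every listened port matches its assumed role.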


> Hi Ernie,
> 
> > eg. normal http is port 80, so http admin was port 81
> >     normal https is port 443 so https admin was port 444.
> > 
> > I am not sure when that was changed the other way around, it was several
> > years ago that's for certain. I preferred the original cobalt ports.
> 
> Nice catch. But as for
> https://www.mail-archive.com/cobaltfacts@list.cobaltfacts.com/msg03281.html
> ... that's from 2005 and doesn't mention anything with the Sausalito
> GUI, but was a specifically catered response for a RaQ 1/2/3 related
> question. And by *now* I'm sure that the info there wasn't correct to
> begin with. For the RaQ3 that answer is definitely wrong.
> 
> I just downloaded the Qube2 and Qube3 OS restore CD and took a look. I
> also found a mirror of my old data.smd.net where I had all the Cobalt
> related stuff hosted. I lost that data 10 years ago in a hard disk
> crash, but I'm thankful to Arthur and Franklin for making that mirror,
> so that I can get it back now.
> 
> Let us dive a bit into the early days: Recall that the Qube's were
> billed as workgroup servers? They couldn't do multiple Vsites. So they
> only had one (primary) Vsite. It also seems like the Qube 2 (at least as
> far as the ISO from 1997 goes) couldn't do SSL - at all.
> 
> So as far as the Qube and Qube 2 go you had port 80 for reaching the
> primary webpage. IF there was one. If there wasn't, then that would lead
> to a landing page that redirected to http://<IP|hostname>:81, where you
> found the GUI via HTTP.
> 
> I then checked the RPM repository of the RaQ2 and although it *does*
> have OpenSSL-0.9.5a, neither Apache nor the AdmServ have any HTTPS
> provisions. At all.
> 
> See: http://data.blueonyx.biz/ftp.cobalt.com/products/raq2/RPMS/
> 
> So RaQ, RaQ 2, Qube, Qube 2: No SSL Apache, no SSL GUI.
> 
> This seems to be supported by the screenshot from a PDF manual, which
> shows a page of the RaQ 2 GUI with the URL bar *not* cropped out of the
> picture.
> 
> And there it says: http://bert.cobaltnet.com:81/sysManage/index.html
> 
> So HTTP and port 81.
> 
> I couldn't find any OS restore CDs for the RaQ3 or RaQ4. So again let's
> go and check the mirrored RPMs instead:
> 
> Qube2 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/qube2/eng/RPMS/apache-conf-q2-1.0-13.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Port 81
> -----------------------------------
> No SSL provisions.
> 
> RaQ2 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq2/RPMS/apache-conf-raq2-1.0-17.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Port 81
> -----------------------------------
> No SSL provisions.
> 
> RaQ3 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq3/RPMS/apache-conf-pacifica-14.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> RaQ4 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq4/RPMS/apache-conf-shinkansen-4.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> RaQ XTR Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raqxtr/eng/RPMS/apache-conf-monterey-23.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> Qube 3 Apache and AdmServ configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/qube3/OS-6.4/RPMS/apache-conf-carmel-8.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> RaQ550 Apache and Admserv configs:
> http://data.blueonyx.biz/ftp.cobalt.com/products/raq550/RPMS/apache-conf-ptlobos-15.noarch.rpm
> --/etc/admserv/httpd.conf----------
> Listen 81
> Listen 444
> [...]
> <VirtualHost _default_:444>
> SSLEngine off
> </VirtualHost>
> -----------------------------------
> 
> From that we can deduce that starting with the Qube 3 and RaQ 3 the GUI
> used port 81 for HTTPS and port 444 for HTTP.
> 
> Older models such as Qube, Qube 2, RaQ and RaQ 2 did NOT have SSL and
> used port 80 for Apache and 81 for the HTTP-GUI.
> 
> Now let us look at the "WHY". Why no HTTPS and why the port switcheroo
> between HTTP-81 to HTTPS-81:
> 
> It sounds like ancient history, but once upon a time the US had export
> restrictions on cryptography. Everyone dealt differently with that.
> Microsoft invented pseudo-crypto like ROT13. And anyone else with more
> than two functioning brain cells just didn't export cryptography unless
> they were legally in the clear. Shipping OpenSSL was apparently OK, but
> anything that built on top of that in a certain way (such as mod_ssl or
> the predecessor Apache-OpenSSL) wasn't.
> 
> Eventually the export restrictions got relaxed, though. My memory is a
> bit faint about the exact year when that happened. 1998 or 1999 seems
> likely. 1998 is about the time the RaQ2 development was still ongoing.
> They might have started w/o crypto built in and it was too late to do so
> now w/o rocking the boat too much. Also they might not yet have known
> which side of the fence the ball would eventually drop.
> 
> So the RaQ2 remained w/o crypto, but the RaQ3 got it from the start. The
> RaQ3 "apache-openssl" RPM has its first entry in the RPM's changelog in
> August of 1999.
> 
> That re-affirms the following:
> 
> SSL only got added out of the box when the RaQ3 came out.
> 
> Qube, Qube 2, RaQ, RaQ2: Apache HTTP port 80 and no HTTPS on port 443.
> The GUI (in HTTP-only-mode) was running on port 81.
> 
> RaQ3, RaQ4, XTR, RaQ550, Qube3 ControlStation: HTTP-GUI on port 444,
> HTTPS-GUI at port 81.
> 
> Why did they switch port 81 from HTTP to HTTPS? We can only guess. But
> my assumption is: Due to the Qube's history as workgroup server (and
> absence of SSL) they used port 81 HTTP for the GUI initially. When they
> were able to internationally ship with the crypto stuff pre-installed,
> they needed another port and bumped security up a notch by making 81
> HTTPS and defaulting the HTTP GUI to 444 instead.
> 
> All in all that certainly was not an entirely logical or intuitive
> choice. But in a way it's relatable.
> 
> -- 
> With best regards
> 
> Michael Stauber

> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx