Open nstall opened 6 years ago
What exactly is the error that you're getting? This is likely a configuration issue with your web server. Are you using apache or nginx?
I am using apache. It's just a web error when I click the URL. It says "webserver ip address" refused to connect. This site can't be reached.
The URL is also pointing to pw.php and then an ID. Could it be something with that file? Or the database?
@nstall - A few questions for you in order to troubleshoot.
I would start looking at the apache logs (error.log/access.log) to see if there are any clues there.
I am currently running under Ubuntu 16.04 LTS. The server is under my control; it is hosted on a VM at the moment. Where would the apache logs be located? (Sorry, fairly new to Linux.) The directory of pw.php is /var/www/pwpusher_public/pw.php.
The log files under Ubuntu are at /var/log/apache2/.
Make sure apache is running by issuing the following command:
systemctl status apache2
and make sure it lists the apache2 daemon as active and running.
I got my password pusher site up and running but anytime I generate a link I cannot browse to it to see the password.
Does this mean that you are actually able to fill out the form and generate the link, but when using the generated link it doesn't work? If that is the case it is most likely an issue with a missing php module or something. Look in the apache logs as suggested, but also look in /var/log/syslog to see if there is anything relating to PHP.
apache2 should be running, as I can get to localhost and my pwpusher site. It is just the URL the pwpusher generates that I cannot get to. In the access log it shows this:
10.1.1.171 - [13/Nov/2018:1319:45 -0600 "POST /pwpusher/pw.php HTTP/1.1" 200 1757 "http://10.1.20.25/" "Mozillia/5.0 {WindowsNT 10.0; Win64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 70.0.3558.77 Safari/537.6
I think you will find the cause of the issue in /var/log/syslog
Anything specific I might be looking for? If I upload my log could you take a look?
Look for something like "PHP Parse Error" or anything with PHP and ERROR. I can review the log if you want. If you do attach the log, please also attach the /var/log/apache2/error.log as well if it exists.
Here are the logs. error.log syslog.txt
So here is something I found. Here is a link that it is giving me: https://10.1.20.25/pwpusher/pw.php?id=bd1b41af-156b-44cb-85c1-d79d29fc22dc. As soon as I take off the https:// and just have 10.1.20.25/pwpusher/pw.php?id=bd1b41af-156b-44cb-85c1-d79d29fc22dc it works. Is there a reason the https:// is messing the link up? Also, just a side question now that I think about it: can I make changes to the config.php file on the fly, or do I have to do something else first?
I found nothing in the two logs that would indicate any problems. It sounds like it's the SSL setup of your apache that's causing the issue. If you try a different browser with the https://... URL, does that still give the same error? Ubuntu should have generated a default certificate for Apache, so SSL should in principle work.
You can do the following command to make sure Apache is listening on the https port.
netstat -ln|grep ":443"
which should produce an output similar to this:
tcp 0 0 101.20.25:443 0.0.0.0:* LISTEN
If it doesn't, then you need to investigate the SSL setup of apache. The config file for that is usually
/etc/apache2/sites-enabled/default-ssl.conf. You can run the following command to see if it shows up:
ll /etc/apache2/sites-enabled/default-ssl.conf
If it doesn't, try the following command to enable it:
a2ensite default-ssl
Just a side question now that I think about it. Can I make changes to the config.php file on the fly or do I have to do something else first?
Looks like default-ssl was not enabled; however, the pwpusher generates an https link and right now I can only get to it by http. Do I have to add something to my default-ssl.conf file to get https working?
If you have enabled the ssl config and reloaded apache, it should work, since you have the pwpusher link in the default webroot directory (assuming you haven't changed the default configuration). After you have enabled the default SSL config, reload apache with
systemctl restart apache2
Yeah, reloaded apache with the command, still nothing. default-ssl.conf says the document root is /var/www/html. Do I need to change this to /var/www since that is where the pwpusher is located?
Sorry my mistake. Yes, you should have the files and folders from your pwpusher_public folder in the document root folder.
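The checks walked through above (is Apache listening on 443, is default-ssl enabled, does the DocumentRoot actually contain the file the generated link points at), packaged as a small POSIX shell script. This is an added example, not code from the thread or from the PHPasswordPusher project. The sample listener table, the scratch sites-enabled directory and the EXAMPLE-ID query value are constructed; the function names, the PWP_LIVE switch and everything other than the Ubuntu paths named in the thread are assumptions.

```shell
#!/bin/sh
# Added example; not code from the thread or from the PHPasswordPusher project.
# The three checks discussed above (Apache listening on 443, the SSL site
# enabled, the DocumentRoot really containing pw.php) as shell functions that
# take their input as text or paths, so they run on constructed samples here
# and, with PWP_LIVE=1, on the live machine (read-only).

# listening_on_port PORT TEXT: TEXT is `netstat -ln` or `ss -ln` output;
# succeed if some TCP socket bound to PORT is in LISTEN state.
listening_on_port() {
    printf '%s\n' "$2" | grep -E '^tcp6?[[:space:]]' | grep LISTEN | grep -Eq "[:.]$1[[:space:]]"
}

# site_enabled SITES_DIR NAME: succeed if SITES_DIR/NAME.conf exists, which is
# the symlink `a2ensite NAME` creates under /etc/apache2/sites-enabled.
site_enabled() {
    [ -e "$1/$2.conf" ]
}

# vhost_document_root TEXT: TEXT is a vhost config; print the first
# DocumentRoot value with optional quotes removed.
vhost_document_root() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*DocumentRoot[[:space:]][[:space:]]*//p' | head -n 1 | tr -d '"'
}

# file_for_url_path ROOT URLPATH: print the file Apache would serve for
# URLPATH under ROOT (the ?id=... query string is not part of the file path)
# and succeed only if that file exists. A generated link can only be served
# when the file is there; "refused to connect" is the listener check instead.
file_for_url_path() {
    path="$1${2%%\?*}"
    printf '%s\n' "$path"
    [ -f "$path" ]
}

# expect WANT LABEL CMD...: run CMD, compare its exit status with WANT
# (0 = success, 1 = failure), print PASS/FAIL and count failures in FAILED.
expect() {
    want=$1; label=$2; shift 2
    if "$@" >/dev/null; then got=0; else got=1; fi
    if [ "$got" -eq "$want" ]; then echo "PASS $label"; else echo "FAIL $label"; FAILED=$((FAILED + 1)); fi
}

# Constructed sample listener tables (not captured from the poster's server):
# one with Apache bound to :80 only, one with :443 added.
SAMPLE_HTTP_ONLY='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'
SAMPLE_HTTPS="$SAMPLE_HTTP_ONLY
tcp6       0      0 :::443                  :::*                    LISTEN"

# demo: exercise the checks on the samples and on a scratch directory that
# stands in for sites-enabled and the document root. Returns 0 only when
# every check gives the expected result.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/sites-enabled" "$tmp/www/html/pwpusher"
    : > "$tmp/www/html/pwpusher/pw.php"
    # A default-ssl.conf-shaped vhost whose DocumentRoot is the scratch tree.
    printf '<VirtualHost _default_:443>\n    DocumentRoot "%s"\n    SSLEngine on\n</VirtualHost>\n' \
        "$tmp/www/html" > "$tmp/default-ssl.conf"
    FAILED=0
    expect 1 "443 not listening when only :80 is bound"  listening_on_port 443 "$SAMPLE_HTTP_ONLY"
    expect 0 "443 listening in the https sample"          listening_on_port 443 "$SAMPLE_HTTPS"
    expect 1 "default-ssl not enabled before a2ensite"    site_enabled "$tmp/sites-enabled" default-ssl
    ln -s "$tmp/default-ssl.conf" "$tmp/sites-enabled/default-ssl.conf"   # what a2ensite does
    expect 0 "default-ssl enabled after the symlink"      site_enabled "$tmp/sites-enabled" default-ssl
    root=$(vhost_document_root "$(cat "$tmp/default-ssl.conf")")
    expect 0 "pw.php found under DocumentRoot $root"      file_for_url_path "$root" "/pwpusher/pw.php?id=EXAMPLE-ID"
    expect 1 "pw.php not found under the parent dir"      file_for_url_path "$tmp/www" "/pwpusher/pw.php?id=EXAMPLE-ID"
    rm -rf "$tmp"
    [ "$FAILED" -eq 0 ]
}

# live: the same checks against this machine, using the Ubuntu paths from
# the thread. Needs ss or netstat; reads only.
live() {
    if command -v ss >/dev/null 2>&1; then sockets=$(ss -ln); else sockets=$(netstat -ln); fi
    FAILED=0
    expect 0 "apache listening on 443"  listening_on_port 443 "$sockets"
    expect 0 "default-ssl enabled"      site_enabled /etc/apache2/sites-enabled default-ssl
    root=$(vhost_document_root "$(cat /etc/apache2/sites-enabled/default-ssl.conf 2>/dev/null)")
    expect 0 "pw.php under DocumentRoot ${root:-?}" file_for_url_path "$root" /pwpusher/pw.php
    [ "$FAILED" -eq 0 ]
}

if [ "${PWP_LIVE:-0}" = 1 ]; then live; else demo; fi
```

Run it as `sh check.sh` to see the checks pass on the constructed data, or `PWP_LIVE=1 sh check.sh` on the server. The last two demo lines reproduce the /var/www versus /var/www/html confusion from the thread: the same URL path resolves to a file under one root and to nothing under the other.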
Just a side question now that I think about it. Can I make changes to the config.php file on the fly or do I have to do something else first?
Yes, any change you save to the php files will normally be re-read the next time any of the public pages like pw.php is loaded.
Ok, so I got HTTPS working by creating an http.conf file and enabling it from that. However, whenever I access the site I get "Your connection is not private" NET::ERR_CERT_AUTHORITY_INVALID and I have to click Advanced and proceed, which would be a hassle for some users. Do I have to create a certificate of some sort?
Good to hear you got it up and running. The easiest way to fix the invalid SSL certs is to go with the LetsEncrypt offering. They offer free certificates that can be installed pretty easily using the certbot utility. Start with installing certbot itself and take it from there.
apt-get install certbot
Here's a tutorial on how to set it up on Ubuntu 16.04: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
I got authentication working with the site, but if I send the link the receiving user has to authenticate with apache. Is there a way to make only the creation page require authentication? The logout button at the top of the page just says "please close the browser" when you click it, which makes me think I do not have something set up correctly.
The way the code works in the current version, there is no easy way to have authentication active and at the same time avoid requesting credentials to retrieve a secret.
I've been thinking of modifying the code by splitting the creation and retrieval into two separate PHP scripts to make that possible, but I've not gotten around to doing so yet.
Ok thanks for the info.
So for CAS authentication it would work then? At least that's how it looks in the config.php file.
I haven't tried CAS myself or reviewed the code related to it, so I can't say if it does or not. But you can always try it and see.
A patch to limit the creation of secrets to a range of IP subnets was suggested in #49 by spiridonovpolytechnic. If you look at my fork of this project, it includes that IP whitelist feature as well as some other smaller fixes (including an XSS bug fix). My repo is at https://github.com/thnilsen/PHPasswordPusher
I got my password pusher site up and running, but anytime I generate a link I cannot browse to it to see the password. I just get "the site cannot be reached". Did I do something wrong somewhere? Any help would be appreciated.