
webgui: https redirect to fqdn#4865

Closed
aque wants to merge 1 commit into opnsense:master from aque:webgui-fqdn

Conversation

@aque
Contributor

@aque aque commented Mar 25, 2021

The current HTTP->HTTPS redirect results in a certificate error when not using the FQDN. Browsers configured for web proxy auto-discovery (WPAD) connect to http://wpad/wpad.dat but fail to download due to this validation error.

$ curl -4v http://wpad/wpad.dat
*   Trying 172.16.109.135:80...
* Connected to wpad (172.16.109.135) port 80 (#0)
> GET /wpad.dat HTTP/1.1
> Host: wpad
> User-Agent: curl/7.75.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://wpad/wpad.dat
< Content-Length: 0
< Date: Thu, 25 Mar 2021 00:00:38 GMT
< Server: OPNsense
< 
* Connection #0 to host wpad left intact

This PR appends the domain name to the HTTP redirect. While this fixes the issue, I do not know if it is the proper solution as a webgui restart is now required anytime the domain name changes. Feel free to reject.

@AdSchellevis
Member

The problem lies in the original fetch: wpad isn't an FQDN, in which case the webgui won't try to fix your redirect. I'm not using wpad myself, but adding the domain will most likely kill IP-based setups.

$ curl -4v http://opnsense.localdomain
*   Trying 10.37.132.100...
* TCP_NODELAY set
* Connected to opnsense.localdomain (10.37.132.100) port 80 (#0)
> GET / HTTP/1.1
> Host: opnsense.localdomain
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Location: https://opnsense.localdomain/
< Content-Length: 0
< Date: Wed, 24 Mar 2021 20:15:36 GMT
< Server: OPNsense
< 
* Connection #0 to host opnsense.localdomain left intact
* Closing connection 0

@kulikov-a
Member

@aque hi, if it is not possible to use an FQDN for the wpad option, you can try to add the https://wpad/wpad.dat URI to the GUI cert's SAN?

@aque
Contributor Author

aque commented Mar 25, 2021

@kulikov-a hi, unfortunately adding wpad to the SAN is not an option with Let's Encrypt certificates since it is unverifiable.

@AdSchellevis, this affects unqualified names in general and not just http://wpad/wpad.dat.

$ curl -4v http://OPNsense
*   Trying 172.16.109.135:80...
* Connected to OPNsense (172.16.109.135) port 80 (#0)
> GET / HTTP/1.1
> Host: OPNsense
> User-Agent: curl/7.75.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://opnsense/
< Content-Length: 0
< Date: Thu, 25 Mar 2021 14:45:56 GMT
< Server: OPNsense
< 
* Connection #0 to host OPNsense left intact

I had not considered IP based setups. Would a solution that specifically targets these two edge cases be acceptable?

@kulikov-a
Member

@aque got it, thanks. Then maybe just give the wpad.dat without a redirect?
#3416 (comment)

@fichtner
Member

Ideally wpad should only serve on HTTP, redirect or not. Lighttpd gained pluggable file support a week ago that makes this possible now without tainting web GUI code or settings.
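The thread discusses three behaviours of the HTTP-to-HTTPS redirect: appending the system domain to an unqualified host (the PR), leaving IP-based setups untouched (AdSchellevis's objection), and serving /wpad.dat over plain HTTP with no redirect at all (kulikov-a's and fichtner's recommendation). The following Python block is an added illustration of that decision logic, not OPNsense's PHP or lighttpd code; SYSTEM_DOMAIN, WPAD_PATH and the function names are assumptions chosen for the example. It also validates the Host header before reflecting it into Location, since Host is client-controlled and an unchecked value could carry CRLF or other junk into the response headers.

```python
import ipaddress
import re

# Assumed for this example: the configured system domain and the path a
# WPAD client fetches. Neither value is taken from OPNsense configuration.
SYSTEM_DOMAIN = "localdomain"
WPAD_PATH = "/wpad.dat"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def split_host_header(host_header: str):
    """Return (host, port) from a Host header value; port is None if absent.

    Accepts "name", "name:80", "10.0.0.1:80" and bracketed IPv6 "[::1]:80".
    """
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in Host header")
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected data after IPv6 literal")
        return host, (rest[1:] if rest else None)
    host, sep, port = value.partition(":")
    return host, (port if sep else None)


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 address, False for any hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_host(host: str) -> bool:
    """Only an IP literal or a syntactically valid hostname may be reflected
    into the Location header; anything else (CRLF, spaces, ...) is rejected."""
    return is_ip_literal(host) or _HOSTNAME_RE.match(host) is not None


def redirect_location(host_header: str, path: str, domain: str = SYSTEM_DOMAIN,
                      https_port: int = 443, exempt_wpad: bool = True):
    """Decide what the HTTP listener should do with one plain-HTTP request.

    Returns None when the request should be served over HTTP without a
    redirect (the wpad.dat case), otherwise the Location header value.
    """
    if not path.startswith("/") or any(c in path for c in "\r\n "):
        raise ValueError("refusing to reflect a malformed request path")
    if exempt_wpad and path == WPAD_PATH:
        return None  # serve the file directly; a redirect to https://wpad/ fails TLS validation

    host, _ = split_host_header(host_header)  # the HTTP port is irrelevant for the target
    if not validate_host(host):
        raise ValueError("refusing to reflect an invalid Host header")

    if is_ip_literal(host):
        # IP-based setup: keep the address as-is (bracketed for IPv6).
        authority = f"[{host}]" if ":" in host else host
    else:
        host = host.lower()
        if "." not in host.rstrip(".") and domain:
            # Unqualified short name: qualify it so the cert's SAN matches.
            host = f"{host}.{domain}"
        authority = host
    if https_port != 443:
        authority += f":{https_port}"
    return f"https://{authority}{path}"


if __name__ == "__main__":
    for hdr, p in [("wpad", "/wpad.dat"), ("OPNsense", "/"),
                   ("opnsense.localdomain", "/"), ("10.37.132.100:80", "/")]:
        print(f"{hdr:22} {p:10} -> {redirect_location(hdr, p)}")
```

Running the block prints one line per sample request: the wpad.dat fetch gets no redirect, the bare "OPNsense" host is rewritten to opnsense.localdomain, and both the already-qualified name and the IP literal pass through unchanged.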

@fichtner
Member

Closing this as per previous recommendation.

@fichtner fichtner closed this Sep 17, 2021
@aque aque deleted the webgui-fqdn branch June 12, 2022 05:28