On Fri, Jul 22, 2016 at 11:57 AM, Perry E. Metzger <[email protected]> wrote:
> On Tue, 19 Jul 2016 17:25:00 -0400 Jim Popovitch <[email protected]>
> wrote:
>> On Tue, Jul 19, 2016 at 5:10 PM, Perry E. Metzger
>> <[email protected]> wrote:
>> > https://httpoxy.org/ seems to impact any python program (among
>> > many others) that runs under cgi. Does it cause trouble for
>> > mailman? What is a reasonable mitigation?
>>
>> If I understand the issue correctly (and admittedly it's kinda a new
>> issue) this only affects proxied HTTP transactions, not HTTPS ones.
>
> That is incorrect, so far as I can tell.

According to httpoxy.org, HTTPS is not affected by HTTP_PROXY statements.

     "And, of course, another defense-in-depth strategy that works is to
      use HTTPS for internal requests, not just for securing your site’s
      connections to the outside world. Those aren’t affected by HTTP_PROXY."

Of course, that's if you are using a very complicated split-mailman
setup (web on one system, other parts on other hosts). If not, then
what in your httpd.conf would be proxying? And if nothing is
proxying, then why haven't you already disabled proxy statements? Are
you running anything else on the mailman server, PHP, etc?

-Jim P.
------------------------------------------------------
Mailman-Users mailing list [email protected]
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
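
Added example, not part of the original message and not Mailman's code: a minimal Python model of the behaviour discussed in this thread, showing how a request's `Proxy:` header reaches a CGI script as `HTTP_PROXY`, why only `http://` lookups are affected, and a guard a CGI script can run first. The helper names, the sample headers and the simplified `proxy_for` lookup are assumptions made for illustration.

```python
import os
from urllib.parse import urlsplit

# Constructed sample request; 198.51.100.7 is a documentation-range address.
SAMPLE_HEADERS = {"Host": "lists.example.org", "Proxy": "http://198.51.100.7:8080"}


def cgi_environ(headers, base=None):
    """Build CGI meta-variables: header 'Foo-Bar' becomes HTTP_FOO_BAR (RFC 3875)."""
    env = dict(base or {})
    env.setdefault("REQUEST_METHOD", "GET")
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_for(url, env):
    """Simplified model of the client convention: <scheme>_proxy selects the
    proxy for an outgoing request, lowercase preferred, uppercase as fallback."""
    scheme = urlsplit(url).scheme.lower()
    return env.get(scheme + "_proxy") or env.get(scheme.upper() + "_PROXY")


def scrub_httpoxy(env=os.environ):
    """Call first in a CGI script. Under CGI, uppercase HTTP_PROXY may have come
    from a client 'Proxy:' header, so it is dropped. A lowercase http_proxy set
    by the administrator is kept (where environment names are case-sensitive)."""
    if "REQUEST_METHOD" in env or "GATEWAY_INTERFACE" in env:
        env.pop("HTTP_PROXY", None)
    return env


if __name__ == "__main__":
    env = cgi_environ(SAMPLE_HEADERS)
    for url in ("http://backend.example/api", "https://backend.example/api"):
        print("before scrub:", url, "->", proxy_for(url, env))
    scrub_httpoxy(env)
    print("after scrub: ", "http://backend.example/api", "->",
          proxy_for("http://backend.example/api", env))
```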