Hello, webpage http://wiki.nginx.org/Redmine has some security problems:
1. All Redmine config files are available to anybody on the internet; for example, https://redmine.example.com/config/database.yml contains in plain text the login and password for the database connection.
2. wiki.nginx.org uses nginx/1.5.12, which has known security vulnerabilities.
3. The unsafe variable $http_host was used instead of the safe one, $host.

===================================================================
Content of page http://wiki.nginx.org/Redmine for now:

[...]

This is very nearly a drop-in configuration. The only things you should need to change will be the root location, upstream servers, and the server name.

    upstream redmine {
        server 127.0.0.1:8000;
        server 127.0.0.1:8001;
        server 127.0.0.1:8002;
    }

    server {
        server_name redmine.DOMAIN.TLD;
        root /var/www/redmine;

        location / {
            try_files $uri @ruby;
        }

        location @ruby {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;
            proxy_read_timeout 300;
            proxy_pass http://redmine;
        }
    }

[...]

===================================================================

--
Best regards,
Gena

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
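A hardened version of that server block, added here as an example (it is neither the wiki page's configuration nor part of the original post), addressing points 1 and 3: `root` is moved to Redmine's public/ directory so `try_files $uri` can only hand out public assets, requests for /config/ are refused outright, and the proxied Host header uses `$host`. The path /var/www/redmine/public is assumed; point 2 (the outdated nginx build) is fixed by upgrading, not by configuration.

```nginx
upstream redmine {
    server 127.0.0.1:8000;
    server 127.0.0.1:8001;
    server 127.0.0.1:8002;
}

server {
    server_name redmine.DOMAIN.TLD;

    # Serve static files only from Redmine's public/ directory, never from the
    # application root, so try_files cannot serve config/database.yml.
    # (/var/www/redmine/public is an assumed path for this example.)
    root /var/www/redmine/public;

    # Defence in depth: even if root is ever pointed back at the application
    # root, requests naming the config directory are refused. nginx matches
    # locations against the decoded, normalised URI, so %63onfig is caught too.
    location ~ ^/config(/|$) {
        deny all;
    }

    location / {
        try_files $uri @ruby;
    }

    location @ruby {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $host is normalised by nginx (lowercased, port stripped, falls back
        # to server_name when the request has no Host header); $http_host is
        # the raw, client-supplied header value passed through unchanged.
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_read_timeout 300;
        proxy_pass http://redmine;
    }
}
```

After deploying, confirm the fix by requesting /config/database.yml and checking that nginx answers 403 (from the deny) rather than serving the file.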
