On Sun, Mar 08, 2015 at 04:58:05PM +0200, Gena Makhomed wrote:

Hi there,

> webpage http://wiki.nginx.org/Redmine has some security problems:
>
> 1. All redmine config files are available to anybody on the internet,
> for example: https://redmine.example.com/config/database.yml
> contains in plain text the login and password for the database connection.

I don't think that one is an nginx problem.

From reading the redmine docs, it looks like the contents of the "root" directive directory should be whatever is in the distributed redmine public/ directory; not the entire installation including configuration.

And if /var/www/redmine does just have the public/ contents and the upstream servers reveal secret information, that would be their problem and not nginx's, I think.

> 2. wiki.nginx.org uses nginx/1.5.12 with known security vulnerabilities
>
> 3. Unsafe variable $http_host was used instead of the safe one, $host

I'm not sure how $http_host is less safe than $host.

It is proxy_pass'ed to the "real" redmine server as the Host header. That server must be able to handle it safely anyway, no?

f
-- 
Francis Daly [email protected]

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
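As an added illustration of the two configuration points discussed in this reply (what the "root" directive should point at, and the Host header handed to the upstream), here is an nginx server block. It is not taken from the wiki page or from either message in the thread. The paths /var/www/redmine and /var/www/redmine/public, the upstream address 127.0.0.1:3000, and the host name redmine.example.com are assumptions made for the example.

```nginx
# Added example; not the wiki page's or the thread's configuration.
# Assumed layout: /var/www/redmine is the Redmine checkout, the Rails
# application listens on 127.0.0.1:3000, host name redmine.example.com.

# Weak variant (kept as a comment so the file stays loadable): with root set
# to the whole checkout, try_files finds /var/www/redmine/config/database.yml
# on disk and nginx serves it as a static file before Redmine is involved.
#
#   server {
#       listen 80;
#       server_name redmine.example.com;
#       root /var/www/redmine;
#       location / { try_files $uri @redmine; }
#       location @redmine { proxy_pass http://127.0.0.1:3000; }
#   }

server {
    listen 80;
    server_name redmine.example.com;

    # Only the distributed public/ directory is exposed as static content.
    # config/, app/, db/ and the rest are outside root, so a request for
    # /config/database.yml misses in try_files and goes to the application,
    # which has no such route.
    root /var/www/redmine/public;

    location / {
        try_files $uri @redmine;
    }

    location @redmine {
        proxy_pass http://127.0.0.1:3000;

        # $host is, in order: the host from the request line, else the Host
        # request header, else the server_name that matched; lowercased and
        # without a port. $http_host is the Host header verbatim, and is
        # empty when the client sent none (e.g. HTTP/1.0). Both are still
        # client-controlled input when the header is present.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading, fetch /config/database.yml through nginx: the response should be whatever Redmine returns for an unknown route, not YAML. The comment on the two variables is factual nginx behaviour; it does not change the point made in the reply that the upstream has to treat whatever Host value it receives as untrusted.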
