On 08.03.2015 22:50, Francis Daly wrote:
>> webpage http://wiki.nginx.org/Redmine has some security problems:
>> 1. All redmine config files are available to anybody on the internet,
>> for example: https://redmine.example.com/config/database.yml
>> contains the login and password for the database connection in plain text.
> I don't think that one is an nginx problem.
Yes, this is not an nginx problem. This is an nginx configuration problem,
which is provided at wiki.nginx.org as a "drop in configuration" for redmine.
> From reading the redmine docs, it looks like the contents of the "root"
> directive directory should be whatever is in the distributed redmine
> public/ directory; not the entire installation including configuration.
I am talking about the configuration recommended
at the webpage http://wiki.nginx.org/Redmine,
not about "reading the redmine docs".
> And if /var/www/redmine does just have the public/ contents and the
> upstream servers reveal secret information, that would be their problem
> and not nginx's, I think.
root /var/www/redmine;
try_files $uri @ruby;
A request for https://redmine.example.com/config/database.yml will be
processed by nginx, because the file /var/www/redmine/config/database.yml
exists. For details, see the manual for the try_files directive in nginx.
>> 3. The unsafe variable $http_host was used instead of the safe one, $host
> I'm not sure how $http_host is less safe than $host. It is proxy_pass'ed
> to the "real" redmine server as the Host header. That server must be
> able to handle it safely anyway, no?
Such a configuration allows spoofing nginx's built-in server selection rules,
because nginx will use the server name from the request line, but will provide
a completely different server name to the upstream, taken from the Host request header.
So $host must always be used with proxy_pass instead of $http_host.
--
Best regards,
Gena
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
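The two problems discussed in this thread, shown side by side as an added example. This is not the wiki page's configuration nor anything posted by either participant; the hostname redmine.example.com, the install path /var/www/redmine and the backend address 127.0.0.1:3000 are assumed for illustration.

```nginx
# --- Vulnerable shape (the pattern criticised above) ---
server {
    listen 443 ssl;
    server_name redmine.example.com;

    # root is the whole Redmine checkout, so
    # /var/www/redmine/config/database.yml exists on disk ...
    root /var/www/redmine;

    location / {
        # ... and try_files finds it for the URI /config/database.yml
        # and serves it as a static file before @ruby is ever consulted.
        try_files $uri @ruby;
    }

    location @ruby {
        proxy_pass http://127.0.0.1:3000;   # assumed backend address
        # Forwards whatever Host header the client sent, even when it differs
        # from the name nginx actually used to select this server block
        # (a request line with an absolute URI sets $host, not $http_host).
        proxy_set_header Host $http_host;
    }
}

# --- Corrected shape ---
server {
    listen 443 ssl;
    server_name redmine.example.com;

    # Only Redmine's public/ directory is reachable as static files;
    # config/, app/, log/ and so on are simply not under root.
    root /var/www/redmine/public;

    location / {
        # /config/database.yml does not exist under public/, so the
        # request falls through to @ruby and Redmine's router answers.
        try_files $uri @ruby;
    }

    location @ruby {
        proxy_pass http://127.0.0.1:3000;   # assumed backend address
        # $host is the name nginx matched this server block on, so the
        # upstream sees the same virtual host that nginx routed for.
        proxy_set_header Host $host;
    }
}
```

After reloading with the corrected block, a request for /config/database.yml is no longer answered from disk: there is no such file under the new root, try_files falls through to @ruby, and the Rails router returns its own (normally 404) response. Any remaining paths under public/ that must not be served can still be blocked with an explicit location, but the key fix is that root never points at the whole checkout.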