[ https://issues.apache.org/jira/browse/JAMES-3690?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier closed JAMES-3690.
---------------------------------
    Resolution: Fixed

> Allow to restrict the host webadmin is listening on
> ---------------------------------------------------
>
>                 Key: JAMES-3690
>                 URL: https://issues.apache.org/jira/browse/JAMES-3690
>             Project: James Server
>          Issue Type: Improvement
>          Components: webadmin
>            Reporter: Benoit Tellier
>            Priority: Major
>             Fix For: 3.7.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> By default the WebAdmin server is activated, listens on all addresses without
> JWT security activated by default. This of course represents an open door for
> unaware users, failing to set up decent firewalling.
> There is a `host` option, set to localhost by default, that can provide a
> false sense of safety - however this is not applied.
> The proposal here is:
>  - To use the host option to limit interfaces the webadmin server listens on
>  - Ship a sample configuration listening on localhost thus preventing
> external use
>  - Ship 0.0.0.0 for docker as port exposure is required (we can expect the
> admin to know what he is doing)
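Because the issue describes a `host` value that was configured but not applied, a deployment check should compare the configuration against the sockets that are actually listening. The following is an added example, not code from the issue or from the James project; the `enabled`, `port` and `jwt.enabled` keys, port 8000, the finding labels and both sample inputs are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample config. Only `host` is named in the issue; the other keys
# and the port value are assumptions about webadmin.properties.
SAMPLE_PROPERTIES = "enabled=true\nport=8000\nhost=localhost\njwt.enabled=false\n"

# Constructed sample of `ss -ltnH` output (listening TCP sockets on Linux).
SAMPLE_SS = """\
LISTEN 0 50 *:8000 *:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 50 [::]:25 [::]:*
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def bound_addresses(ss_output, port):
    """Return the local addresses that have a TCP listener on `port`."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, listen_port = fields[3].rpartition(":")
            if listen_port == str(port):
                found.append(addr.strip("[]"))
    return found

def is_loopback(addr):
    try:
        return addr == "localhost" or ipaddress.ip_address(addr).is_loopback
    except ValueError:  # wildcards such as * or an empty host
        return False

def audit(properties_text, ss_output):
    """Compare the configured host with the sockets actually listening."""
    props = parse_properties(properties_text)
    if props.get("enabled", "").lower() != "true":
        return []
    port = int(props.get("port", "8000"))
    exposed = [a for a in bound_addresses(ss_output, port) if not is_loopback(a)]
    findings = []
    if exposed and is_loopback(props.get("host", "")):
        findings.append("host-not-applied")
    if exposed and props.get("jwt.enabled", "").lower() != "true":
        findings.append("exposed-without-jwt")
    return findings
```

On a live host the second argument would be the captured output of `ss -ltnH` rather than the constructed sample.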