scratchy;169509 Wrote:
> RequestHeader set Referer http://localhost:9000/

That line looks potentially dangerous, like it might bypass the CSRF
protections in SlimServer. If you request

http://yourwebserver/slimserver/setup.html?page=BASIC_PLAYER_SETTINGS

do you get a 403 Forbidden error? If you do not get such an error and
you have CSRF Protection Level (web > Server Settings > Security) at
Medium or High, then your reverse proxy setup is compromising your
server security. 

SlimServer's web interface will function properly regardless of the
Host header sent by the client. If you configure your Apache reverse
proxy to use the original Host request header, SlimServer's CSRF
protection will be able to distinguish normal requests from
questionable ones, and protect you.

It looks like instead of that RequestHeader line I cited, you should
use

Code:
--------------------
    ProxyPreserveHost On
--------------------

so that SlimServer will, in normal use, see Host values like
"yourwebserver" and Referer URLs like
"http://yourwebserver/slimserver/" that match the Host headers.

I haven't tried this, only looked at the docs, e.g.
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypreservehost

-Peter


-- 
peterw

http://www.tux.org/~peterw/
free plugins: http://www.tux.org/~peterw/#slim
BlankSaver BottleRocket FuzzyTime SaverSwitcher SleepFade StatusFirst
VolumeLock
------------------------------------------------------------------------
peterw's Profile: http://forums.slimdevices.com/member.php?userid=2107
View this thread: http://forums.slimdevices.com/showthread.php?t=31571

_______________________________________________
unix mailing list
[email protected]
http://lists.slimdevices.com/lists/listinfo/unix
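The mechanism Peter describes can be shown with a small model. The block below is an added example, not SlimServer's or Apache's code: `csrf_check` is a simplified stand-in for a Referer-versus-Host comparison (SlimServer's real check is not reproduced here), `proxy_forward` models what mod_proxy hands to the backend under the three setups discussed (the quoted `RequestHeader set Referer` line, plain mod_proxy with the Host rewritten, and `ProxyPreserveHost On`), and the host names and sample requests are constructed.

```python
# Added example (not SlimServer or Apache code): a simplified model of a
# Host/Referer-based CSRF check, run against three reverse-proxy setups.
# csrf_check is a hypothetical stand-in for SlimServer's real logic.
from urllib.parse import urlsplit

BACKEND_HOST = "localhost:9000"   # where SlimServer listens behind the proxy
PUBLIC_HOST = "yourwebserver"     # name the browser uses, as in the post above


def csrf_check(headers):
    """Allow a request only if its Referer's host[:port] equals its Host header.

    Simplified model of a Referer-vs-Host comparison; a missing Referer or
    Host is rejected.
    """
    host = headers.get("Host", "").lower()
    referer = headers.get("Referer")
    if not host or not referer:
        return False
    return urlsplit(referer).netloc.lower() == host


def proxy_forward(client_headers, preserve_host, forced_referer=None):
    """Model the headers Apache mod_proxy passes to the backend (constructed).

    preserve_host=False: Host is rewritten to the backend address (mod_proxy
    default). preserve_host=True models 'ProxyPreserveHost On'.
    forced_referer models a 'RequestHeader set Referer <value>' directive.
    """
    forwarded = dict(client_headers)
    if not preserve_host:
        forwarded["Host"] = BACKEND_HOST
    if forced_referer is not None:
        forwarded["Referer"] = forced_referer
    return forwarded


# Constructed sample requests as the browser sends them to the proxy.
SAMPLE_REQUESTS = {
    "same_site": {"Host": PUBLIC_HOST,
                  "Referer": "http://%s/slimserver/" % PUBLIC_HOST},
    "cross_site": {"Host": PUBLIC_HOST,
                   "Referer": "http://other-site.example/page.html"},
    "no_referer": {"Host": PUBLIC_HOST},
}


def evaluate(preserve_host, forced_referer=None):
    """Return {sample_name: allowed?} for one proxy configuration."""
    return {name: csrf_check(proxy_forward(hdrs, preserve_host, forced_referer))
            for name, hdrs in SAMPLE_REQUESTS.items()}


def is_compromised(preserve_host, forced_referer=None):
    """True when the configuration lets a cross-site request through."""
    return evaluate(preserve_host, forced_referer)["cross_site"]


if __name__ == "__main__":
    configs = {
        "RequestHeader set Referer (as quoted)": (False, "http://%s/" % BACKEND_HOST),
        "plain mod_proxy, Host rewritten":       (False, None),
        "ProxyPreserveHost On":                  (True, None),
    }
    for label, (preserve, forced) in configs.items():
        verdict = "COMPROMISED" if is_compromised(preserve, forced) else "ok"
        print("%-40s %s  %s" % (label, evaluate(preserve, forced), verdict))
```

With the forced Referer, every request reaches the backend looking same-origin, so the cross-site sample is accepted. With plain mod_proxy and no `ProxyPreserveHost`, the Host arrives as `localhost:9000` while the genuine Referer still names `yourwebserver`, so even the legitimate request is rejected. With `ProxyPreserveHost On`, only the legitimate same-site request passes.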
