host header injection hardening

Description

We decided to fix the header injection issue at least in the production environment (https://northerntech.atlassian.net/browse/MEN-1160#icft=MEN-1160).

The way to go is to:

  • define a server_name in nginx.conf that contains the actual production domain

    • this has to be parametrized in prod.yml, like several other production settings

    • currently the config is embedded in the gateway container; we should first pull it out into the integration repo and mount it into the container

  • reject requests whose Host header does not match the actual domain

  • add guidance to mender-docs on substituting the server_name during a production install
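One way to implement the Host check described above, shown here as an added nginx configuration example rather than the project's actual gateway nginx.conf; the domain, certificate paths and upstream name are placeholders that a production deployment would substitute (the domain being the value prod.yml would parametrize):

```nginx
# Added example, not the mender-api-gateway-docker config.
# Strategy: a catch-all default server absorbs every request whose Host header
# does not exactly match a named server_name, so only the expected domain
# reaches the API routes.

# Catch-all: any Host that does not match a named server below lands here.
# 444 is nginx's non-standard code for "close the connection without a reply".
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/server.key;   # placeholder path
    return 444;
}

# The real gateway: only requests with Host: mender.example.com are served.
server {
    listen 443 ssl;
    server_name mender.example.com;                    # placeholder, substituted from prod.yml
    ssl_certificate     /etc/nginx/certs/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/server.key;   # placeholder path

    location / {
        # Forward only the already-validated Host to the backend so that
        # downstream services never see an attacker-supplied value.
        proxy_set_header Host $host;
        proxy_pass http://mender-backend;              # placeholder upstream
    }
}
```

To verify the deployment, `curl -k -H 'Host: wrong.example' https://<gateway>/` should get its connection closed by the default server, while the same request with the real domain as Host is proxied normally.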

Affects versions

None

Environment

None

Activity

Marcin Chalczynski, June 27, 2017 at 2:13 PM

a bunch of PRs:

first, the core implementation in the gateway's nginx.conf/Dockerfile:
https://github.com/mendersoftware/mender-api-gateway-docker/pull/65

then, a bit in integration that allows configuring the host whitelist for prod deployments:
https://github.com/mendersoftware/integration/pull/287

finally, updated docs on the necessary gateway config:
https://github.com/mendersoftware/mender-docs/pull/179

eystein.maloy.stenberg, June 16, 2017 at 11:18 PM

Thanks, done.

Marcin Chalczynski, June 7, 2017 at 9:38 AM

please add to backlog

Fixed

Backlog

yes

Created June 7, 2017 at 9:31 AM
Updated March 27, 2024 at 3:55 PM
Resolved June 30, 2017 at 10:15 AM