Differences between two revisions of the page http_plaintext_access: the previous revision of 2023/07/31 15:28 (created by lwsystems) and the current revision of 2023/08/16 13:18 (section Nginx, by lwsystems). The text below is the current revision.

be entered.
| + | |||
| + | ===== ACHTUNG - WICHTIGER HINWEIS! ===== | ||
| + | |||
| + | **Das Aktivieren des Plaintext HTML Login macht Benno MailArchiv bzgl. einer kritischen XSS-Sicherheitslücke (siehe [[https:// | ||
| + | |||
| + | The XSS vulnerability is closed from benno-web version 2.10.2 and benno-rest version 2.10.1 onwards. | ||
| + | |||
| + | Wird die Installation über diesen Weg auf Plaintext HTML Login umgestellt, bleibt die XSS-Sicherheitslücke weiter wirksam und der Server ist danach wieder über die Sicherheitslücke angreifbar! | ||
| + | |||
| + | All customers with a valid Software Maintenance Subscription have been informed by us about the security vulnerabilities and the possibility of fixing them (update). | ||
| + | |||
| + | |||
| + | ===== Reverse-Proxy ===== | ||
| + | |||
| + | Falls die Benno MailArchiv Instanz hinter einem Reverse-Proxy betrieben wird und von diesem per HTTP angesprochen wird | ||
| + | muss der Reverse-Proxy den ursprünglich HTTP-Host Header an den nachgelagerten Webserver schicken. | ||
| + | |||
| + | Zusätzlich muss sichergestellt sein, daß der Header // | ||
| + | |||
| + | ==== Apache2.4 ==== | ||
| + | |||
| + | For an Apache 2.4 reverse proxy, these settings are configured as follows: | ||
| + | < | ||
| + | ProxyPreserveHost on | ||
| + | RequestHeader set X-Forwarded-Proto " | ||
| + | </ | ||
| + | |||
| + | ==== Nginx ==== | ||
| + | |||
| + | When using nginx, the following configuration must be added to the proxy block: | ||
| + | |||
| + | < | ||
| + | proxy_set_header Host $host; | ||
| + | proxy_set_header X-Forwarded-Proto $scheme; | ||
| + | </ | ||