  1. Mender
  2. MEN-1262

host header injection hardening


    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:

      Description

      We decided to fix the header injection issue at least in the production environment (MEN-1160).

      The way to go is to:

      • define a server_name in nginx.conf, which will contain the actual domain
        • this has to be parametrized like multiple other settings in prod.yml
        • currently the config is embedded in the gateway container - we should pull it out into the integration repo first and mount it accordingly
      • disallow requests with Host != actual domain
      • add guidance to mender-docs on substituting the server_name upon production install
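
One way to express the approach listed above in nginx, added here as an example and not Mender's own gateway configuration. The domain mender.example.com, the certificate paths and the upstream address are placeholders (assumptions), to be substituted on production install.

```nginx
# Added example: these server blocks belong inside the http { } context.
# All names, paths and addresses below are placeholders, not Mender values.

# Before hardening: a single server block with no server_name becomes the
# default server for its port, so it answers requests with any Host value.
#
# server {
#     listen 443 ssl;
#     ...
# }

# Catch-all server: nginx selects it whenever the Host header matches no
# other server_name on this port (wrong domain, bare IP, empty Host).
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/certs/cert.crt;      # placeholder path
    ssl_certificate_key /etc/nginx/certs/private.key;   # placeholder path

    # 444 is nginx-specific: close the connection without sending a response.
    return 444;
}

# The real site: only requests whose Host equals the configured domain
# reach this block.
server {
    listen 443 ssl;
    server_name mender.example.com;                     # the actual domain

    ssl_certificate     /etc/nginx/certs/cert.crt;      # placeholder path
    ssl_certificate_key /etc/nginx/certs/private.key;   # placeholder path

    location / {
        # $host can only be the matched server_name here, so backends never
        # see an attacker-chosen Host value.
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;               # placeholder upstream
    }
}
```

After reloading, a request sent with a Host other than the configured domain should have its connection closed, while the same request with the correct Host is proxied as before.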

                People

                • Assignee:
                  marcin.chalczynski Marcin Chalczynski
                  Reporter:
                  marcin.chalczynski Marcin Chalczynski