  1. Mender
  2. MEN-1262

host header injection hardening

    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:

      Description

      We decided to fix the header injection issue at least in the production environment (MEN-1160).

      The way to go is to:

      • define a server_name in nginx.conf, which will contain the actual domain
        • this has to be parametrized like multiple other settings in prod.yml
        • currently the config is embedded in the gateway container - we should pull it out into the integration repo first and mount it accordingly
      • disallow requests with Host != actual domain
      • add guidance to mender-docs on substituting the server_name upon production install
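
One way the two nginx steps above could look, as an added example that is not Mender's own gateway configuration. The domain mender.example.com, the certificate paths and the upstream address are placeholders.

```nginx
# Added example for the http {} context; not taken from the Mender gateway image.
# Placeholders (assumptions): mender.example.com, certificate paths, upstream address.

# Catch-all server: receives every request whose Host header matches no
# server_name below, including requests addressed by bare IP.
server {
    listen 443 ssl default_server;
    server_name _;

    # A certificate is needed so the TLS handshake can complete before
    # the Host header is inspected.
    ssl_certificate     /etc/nginx/certs/placeholder.crt;
    ssl_certificate_key /etc/nginx/certs/placeholder.key;

    # 444 is nginx-specific: close the connection without sending a response.
    return 444;
}

# The only virtual host that serves traffic.
server {
    listen 443 ssl;
    server_name mender.example.com;

    ssl_certificate     /etc/nginx/certs/placeholder.crt;
    ssl_certificate_key /etc/nginx/certs/placeholder.key;

    location / {
        # Forward the configured name, not the client-supplied header.
        proxy_set_header Host $server_name;
        proxy_pass http://upstream.example.internal:8080;
    }
}
```

To check the result, send a request with a mismatched header, for example `curl -k -H 'Host: other.example' https://mender.example.com/`; the connection should be closed without a response.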

              People

              • Assignee:
                marcin.chalczynski Marcin Chalczynski
                Reporter:
                marcin.chalczynski Marcin Chalczynski