[Rspamd-Users] Require Web UI password for localhost
Yves Goergen
nospam.list at unclassified.de
Sun Nov 22 15:19:42 UTC 2020
Hello,

I'm setting up Rspamd for my shared webhosting server. Everything looks
good so far. I've also set a password for the Web UI and it is required
when accessing through a reverse proxy through Apache.

There is a security issue, though, as the password is not required when
accessing directly through localhost, like through an SSH tunnel or from
a local client. Now any of my users can open such a local connection
with ease. That means that anybody who is allowed to run their website
scripts on the machine can reconfigure the spam filter for the entire
system. There is no protection whatsoever against local users, even from
unprivileged accounts.

This is clearly not acceptable for me, so I need a solution for it.
Could I just remove 127.0.0.1 and ::1 from the secure_ip configuration
setting? It would then be empty/absent. What consequences does that
have? Or is there an option to always require a password, like with any
normal authentication service?

-Yves
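The controller worker settings the question is about, as an added example (my own configuration sketch, not the poster's files and not Rspamd's shipped config): the weak form that trusts loopback through secure_ip, followed by a form that drops that trust so the password is checked on every connection. Assumptions: the settings go into /etc/rspamd/override.d/worker-controller.inc (override.d replaces keys from the shipped file, whereas local.d merges them, which matters for a list value such as secure_ip), the password values are placeholders to be generated with rspamadm pw, and the optional unix-socket variant relies on the mode=/owner= bind_socket options.

```ucl
# Added example, not from the original post or from Rspamd's default files.
#
# WEAK: loopback is listed in secure_ip, so any local account that can reach
# 127.0.0.1:11334 (SSH tunnel, website script, curl) controls the filter
# without a password. This is the situation described in the post.
#
#   bind_socket = "127.0.0.1:11334";
#   password = "<hash from rspamadm pw>";
#   enable_password = "<hash from rspamadm pw>";
#   secure_ip = "127.0.0.1";
#   secure_ip = "::1";

# HARDENED: no secure_ip at all, so every client, local or proxied, must
# present the password. Placeholder hashes; generate real ones with
# `rspamadm pw` and paste the output here.
bind_socket = "127.0.0.1:11334";
password = "$2$PLACEHOLDER_READONLY_HASH";       # read-only Web UI access
enable_password = "$2$PLACEHOLDER_ENABLE_HASH";  # state-changing actions (learning, etc.)

# OPTIONAL second layer (assumption: socket permission options as documented
# for bind_socket): listen on a unix socket that other local accounts cannot
# open at all, and point the Apache reverse proxy at the socket instead of TCP.
# The user name and path are placeholders; the proxy's user must be allowed
# by the socket mode.
#   bind_socket = "/run/rspamd/controller.sock mode=0660 owner=_rspamd";
```

After restarting rspamd, a request to the controller port without the Password header should be refused, and the same request with a valid Password header should succeed; if the unauthenticated request still works, check that the shipped worker-controller.inc is not re-adding secure_ip through a merged include.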