[Rspamd-Users] Require Web UI password for localhost

Yves Goergen nospam.list at unclassified.de
Sun Nov 22 15:19:42 UTC 2020


I'm setting up Rspamd for my shared webhosting server. Everything looks 
good so far. I've also set a password for the Web UI, and it is required 
when accessing through an Apache reverse proxy.

There is a security issue, though, as the password is not required when 
accessing directly through localhost, like through an SSH tunnel or from 
a local client. Now any of my users can open such a local connection 
with ease. That means that anybody who is allowed to run their website 
scripts on the machine can reconfigure the spam filter for the entire 
system. There is no protection whatsoever against local users, not even 
from unprivileged accounts.

This is clearly not acceptable for me, so I need a solution for it. 
Could I just remove and ::1 from the secure_ip configuration 
setting? It would then be empty/absent. What consequences does that 
have? Or is there an option to always require a password, like with any 
normal authentication service?



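An added example (not from the post above and not the Rspamd project's own shipped file) of what the controller worker configuration looks like with the loopback exemption in place next to a version without it. It assumes Rspamd's standard layout, where local.d/worker-controller.inc is merged into the shipped defaults while override.d/worker-controller.inc replaces them, so the file is placed in override.d; the "$2$..." values are placeholders for hashes generated with rspamadm pw.

```ucl
# /etc/rspamd/override.d/worker-controller.inc  (added example, not shipped config)
# Assumption: override.d replaces the shipped defaults, whereas local.d is
# merged into them, so simply omitting secure_ip in local.d would leave the
# default 127.0.0.1 / ::1 entries in effect.

# Keep the controller on loopback only; Apache proxies the Web UI to it.
bind_socket = "127.0.0.1:11334";

# Weak setting (what the shipped defaults amount to): any connection that
# arrives from loopback skips authentication, so every local shell account
# on a shared host can administer the filter.
# secure_ip = "127.0.0.1";
# secure_ip = "::1";

# Hardened setting: no secure_ip entry at all, so every client, including
# rspamc and SSH-tunnelled browsers, must present a password.
# Generate the hashes with:  rspamadm pw      (placeholder values below)
password = "$2$<read-only hash from rspamadm pw>";
enable_password = "$2$<privileged hash from rspamadm pw>";
```

Consequence of dropping secure_ip: local tools that talk to the controller port now need the password too, e.g. rspamc -P '<enable password>' learn_spam <file> for Bayes training and rspamc -P '<password>' stat for statistics, and the same applies to any cron jobs or scripts that previously relied on the loopback exemption. After restarting Rspamd, check from a local shell that curl -s http://127.0.0.1:11334/stat without a Password header no longer returns the statistics JSON but an error reply, and that the Apache-proxied Web UI still logs in with the password as before.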