[Rspamd-Users] Require Web UI password for localhost

Tim Harman tim at muppetz.com
Mon Nov 23 00:20:45 UTC 2020


On 23/11/2020 4:19 am, Yves Goergen wrote:
> Hello,
> 
> I'm setting up Rspamd for my shared webhosting server. Everything
> looks good so far. I've also set a password for the Web UI and it is
> required when accessing through a reverse proxy through Apache.
> 
> There is a security issue, though, as the password is not required
> when accessing directly through localhost. Like through an SSH tunnel
> or from a local client. Now any of my users can open such a local
> connection with ease. That means that anybody who is allowed to run
> their website scripts on the machine can reconfigure the spam filter
> for the entire system. There is no protection whatsoever against local
> users, even from unprivileged accounts.
> 
> This is clearly not acceptable for me, so I need a solution for it.
> Could I just remove 127.0.0.1 and ::1 from the secure_ip configuration
> setting? It would then be empty/absent. What consequences does that
> have? Or is there an option to always require a password, like with
> any normal authentication service?
> 
> -Yves

Why don't you unbind it from localhost and bind it to a specific 
interface that you have appropriate IPtables etc rules in place for?

-!- rspamd/local.d » cat worker-controller.inc
bind_socket = "192.168.x.y:11334";

But yea if you're letting your webhosting users use SSH to port forward, 
having rspamd open will soon be the least of your problems I'd suggest!

Tim
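An added check, not part of this thread and not rspamd's own code: it lints a worker-controller.inc for the loopback bypass Yves describes (a secure_ip entry for 127.0.0.1 or ::1 means local accounts reach the UI with no password) and inspects an `ss -ltn` style listener table to confirm the controller port is no longer bound on loopback or the wildcard address after Tim's rebind. bind_socket, secure_ip, password and enable_password are real controller options; the port 11334, the sample config contents, the listener output and the $PLACEHOLDER_HASH values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): lint a worker-controller.inc and a
# listener table for the loopback bypass discussed above.
# Assumptions: the controller listens on 11334 (the port in Tim's reply),
# the config is one UCL directive per line, and the listener table is
# `ss -ltn` output. Everything below is constructed sample data.

CONTROLLER_PORT=11334

# Constructed config: bind_socket moved off loopback, but secure_ip still
# whitelists loopback, so the password is not enforced for local users.
SAMPLE_CONF='bind_socket = "192.168.x.y:11334";
secure_ip = "127.0.0.1";
secure_ip = "::1";
password = "$PLACEHOLDER_HASH";
enable_password = "$PLACEHOLDER_HASH";'

# Constructed hardened config: no secure_ip at all, so every client must
# present the (rspamadm pw generated) password, loopback included.
HARDENED_CONF='bind_socket = "192.168.x.y:11334";
password = "$PLACEHOLDER_HASH";
enable_password = "$PLACEHOLDER_HASH";'

# Constructed `ss -ltn` output: controller still listening on loopback too.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:11334     0.0.0.0:*
LISTEN 0      128    192.168.x.y:11334   0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Constructed `ss -ltn` output after the rebind: only the filtered interface.
HARDENED_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    192.168.x.y:11334   0.0.0.0:*'

# Exit 0 when some secure_ip directive whitelists a loopback address.
conf_whitelists_loopback() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*secure_ip[[:space:]]*=' \
      | grep -Eq '"(127\.0\.0\.1|127\.0\.0\.0/8|::1|localhost)"'
}

# Exit 0 when a LISTEN socket on the given port is bound to loopback or to
# the wildcard address, i.e. reachable by any local account.
listener_on_loopback_or_wildcard() {
    printf '%s\n' "$1" \
      | awk -v port="$2" '$1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            host = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (host == "127.0.0.1" || host == "[::1]" || host == "::1" ||
                host == "0.0.0.0" || host == "[::]" || host == "::" || host == "*"))
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Combined report; exit 0 only when neither problem is present.
report() {
    conf="$1"; listeners="$2"; rc=0
    if conf_whitelists_loopback "$conf"; then
        echo "FAIL: secure_ip whitelists loopback; drop those lines so the password applies locally"
        rc=1
    fi
    if listener_on_loopback_or_wildcard "$listeners" "$CONTROLLER_PORT"; then
        echo "FAIL: port $CONTROLLER_PORT bound on loopback/wildcard; rebind to a filtered interface"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: controller requires a password and is not bound on loopback/wildcard"
    return "$rc"
}

# Usage: run the report against the live files, e.g.
#   report "$(cat /etc/rspamd/local.d/worker-controller.inc)" "$(ss -ltn)"
report "$SAMPLE_CONF" "$SAMPLE_SS"
report "$HARDENED_CONF" "$HARDENED_SS"
```

Both checks matter together: rebinding alone still leaves any secure_ip loopback entry in place for a future rebind, and emptying secure_ip alone keeps the port reachable from every local account, only now behind the password. Once secure_ip is gone, local clients such as rspamc must also authenticate with the controller password (its -P option), which is the consequence Yves asked about.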
