[Rspamd-Users] Require Web UI password for localhost
Tim Harman
tim at muppetz.com
Mon Nov 23 00:20:45 UTC 2020
On 23/11/2020 4:19 am, Yves Goergen wrote:
> Hello,
>
> I'm setting up Rspamd for my shared webhosting server. Everything
> looks good so far. I've also set a password for the Web UI and it is
> required when accessing through a reverse proxy through Apache.
>
> There is a security issue, though, as the password is not required
> when accessing directly through localhost. Like through an SSH tunnel
> or from a local client. Now any of my users can open such a local
> connection with ease. That means that anybody who is allowed to run
> their website scripts on the machine can reconfigure the spam filter
> for the entire system. There is no protection whatsoever against local
> users, even from unprivileged accounts.
>
> This is clearly not acceptable for me, so I need a solution for it.
> Could I just remove 127.0.0.1 and ::1 from the secure_ip configuration
> setting? It would then be empty/absent. What consequences does that
> have? Or is there an option to always require a password, like with
> any normal authentication service?
>
> -Yves
Why don't you unbind it from localhost and bind it to a specific
interface that you have appropriate iptables etc. rules in place for?
-!- rspamd/local.d » cat worker-controller.inc
bind_socket = "192.168.x.y:11334";
But yeah, if you're letting your webhosting users use SSH to port forward,
having rspamd open will soon be the least of your problems, I'd suggest!
Tim
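A concrete version of the two settings this thread is about, written here as an added example (it is not configuration posted by either participant, nor the rspamd project's stock file): first the loopback-trusting layout Yves describes, then a hardened `local.d/worker-controller.inc` that binds the controller to one interface as Tim suggests and stops treating loopback as trusted so that a password is always required, which is what Yves asked about. The address `192.0.2.10` (standing in for Tim's `192.168.x.y`), the proxy host `192.0.2.5` and the hash placeholders are assumptions; the real hashes come from `rspamadm pw`.

```ucl
# --- WEAK (the situation in the thread) -------------------------------------
# The controller listens on loopback and loopback is in secure_ip, so any
# process on the host (a PHP script, an SSH port forward) reaches
# 127.0.0.1:11334 and is never asked for a password:
#
#   bind_socket = "localhost:11334";
#   secure_ip   = "127.0.0.1";
#   secure_ip   = "::1";
#   password    = "...";

# --- HARDENED: /etc/rspamd/local.d/worker-controller.inc (added example) ----

# 1. Listen only on the interface the Apache reverse proxy talks to, not on
#    loopback. 192.0.2.10 is an assumed address standing in for 192.168.x.y.
#    Limit it further on the host firewall, e.g. (192.0.2.5 = proxy, assumed):
#      iptables -A INPUT -p tcp --dport 11334 ! -s 192.0.2.5 -j DROP
bind_socket = "192.0.2.10:11334";

# 2. Trust no source address: with secure_ip empty every client is
#    authenticated, including one arriving through an SSH tunnel.
#    Assumption: local.d merges with the base file, so if the stock
#    worker-controller.inc still lists 127.0.0.1 / ::1 and the check below
#    still succeeds without a password, move this line to
#    override.d/worker-controller.inc, which replaces keys instead of merging.
secure_ip = [];

# 3. Read-only password for the Web UI and stats, and a separate "enable"
#    password for writes (learning, saving maps/settings). Store hashes only;
#    `rspamadm pw` prints one for a password typed on stdin.
password        = "$2$<hash-from-rspamadm-pw>";   # placeholder, assumed value
enable_password = "$2$<another-hash>";            # placeholder, assumed value

# Verify after `systemctl reload rspamd`:
#   ss -lntp | grep 11334                                  # only 192.0.2.10, no 127.0.0.1
#   curl -s http://192.0.2.10:11334/stat                   # refused: no stats JSON
#   curl -s -H "Password: <cleartext>" http://192.0.2.10:11334/stat   # stats JSON
```

The second curl line is the test that matters for Yves's complaint: if it returns statistics without the `Password` header from any address, some entry in `secure_ip` is still matching and the password is not actually being enforced.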