-
Notifications
You must be signed in to change notification settings - Fork 394
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Web UI is available on IP address as domain name, even with Force SSL and correct SSL certificate #839
Comments
This is something you need to configure in your cloud or hosting provider. You simply should not be routing port 80 (plain http) traffic to the server if you don't want it. Block it at the firewall level, so port 80 requests never reach the server Cronicle is running on. If you are hosted in AWS, this is called a "Security Group", and each one can only route the ports you want (in this case 443). All cloud and hosting providers allow similar functionality. You can also do it at the Linux (OS) level using iptables. Instructions are here: https://www.cyberciti.biz/faq/iptables-block-port/ Also, assuming you aren't routing ALL incoming ports to the server (that would be extremely bad), just change the Cronicle Finally, this is more advanced, but you can bind Cronicle's web server to different network interfaces using pixl-server-web, by changing the However, I highly recommend you block port 80 at the cloud / hosting provider level instead. That's the right way to do it. |
Thank you very much for quick response and for the suggestions. However, the problem here's not allowing port 80, but the site still connecting over port 443 via IP address, and of course because the SSL certificate is in the name of the real domain name, the certificate shows error. If the end-user allows this certificate the site still loads. Please check the following screenshots to clarify what I mean. Step 1: Load the site in browser: https://xxx.xxx.xxx.xxx/ Step 2: Allow unsafe loading, and voila the site still loads: So, e.g. in NginX, an easy way out is SSL reject handshake for the default server_name.
But, there's no such option in Cronicle / pixl-server-web. P.S.: The port 80 is blocked from Cloud Firewall, as well as from iptables, but because this is connecting on 443, the port-blocking doesn't work. |
Oh, I see what you mean now. Let me implement something and I'll get right back to you... |
Okay, I released pixl-server-web v2.0.4 with a new http_allow_hosts feature, and I just released Cronicle v0.9.64 which now includes pixl-server-web v2.0.4 as a dependency. To use this feature, first upgrade your Cronicle to v0.9.64, then add a new configuration property in your Cronicle's "http_allow_hosts": ["mydomain.com", "www.mydomain.com"] This will reject all incoming requests that do not match one or more of the hosts in the See the docs for details on using non-standard port numbers, as you will need to include those in the array. Hope this helps! |
@jhuckaby, I understand you're in time-crunch and you wish to deep-dive more into it, and maybe in Cronicle v2 / Orchestra, but there's still a kind-of vulnerability on the same topic. Here are the details. So, someone can still use the site with MITM attack, if he spoofs the "Host" header. e.g., try running this via cURL you can still load the site:
So, the problem is here, that it's still possible to access underlying website by manipulating the host header, leading to an insecure connection, and loading the site. Our cloud security still flags this as a vulnerability that "SSL Certificate Cannot Be Trusted". There could be many solutions, but based on pixl-server-web code, the easiest one could be, if the RequestURL does not have any of the http_allow_hosts, then:
In your recent patch, I guess, the easiest would be to check if Once again, many thanks for taking this up so quickly. |
Ah ha, I think what you are talking about is SNI:
I'll work on implementing this as part of the allow hosts thing ASAP. |
Okay, I think this one should do it! I just released Cronicle v0.9.65 which pulls in pixl-server-web v2.0.5, which now properly implements SNI (TLS handshake) host matching for the It should no longer be possible to "trick" the server into receiving an insecure request by forging a fake Let me know if this does the trick! |
@jhuckaby , |
Thank you for helping me increase the security of the app! This was immensely helpful to me. 🙏🏻 |
Summary
Web UI of the server is still accessible on http. A proper SSL certificate is setup. Web UI works on HTTPS fine. Force redirection from http to https also works, if accessed via domain name.
However, the site is still accessible via IP address, e.g. http://xxx.xxx.xxx.xxx/ and redirects to https at https://xxx.xxx.xxx.xxx/
If allowed in Browser by user, the site then works. This should not happen. The web UI should not work on public IP address.
Possibly, a pixl-server-web module issue.
Why is this important?
Our cloud security audit has failed Cronicle because of this issue, as it's considered as non-secure.
Steps to reproduce the problem
Your Setup
HTTP setup in following fasion in config.json:
Operating system and version?
Ubuntu 22.04.5 LTS
Node.js version?
v18.17.1
Cronicle software version?
Version 0.9.63
Are you using a multi-server setup, or just a single server?
Single server
Are you using the filesystem as back-end storage, or S3/Couchbase?
Filesystem.
Can you reproduce the crash consistently?
It's not a crash, but yes, consistent issue.
Log Excerpts
The text was updated successfully, but these errors were encountered: