Output warning when using default SERVER_NAME

fix/reject-invalid-host-headers
Oliver Günther 3 years ago
parent c9c3c39c3b
commit e606b95b09
No known key found for this signature in database
GPG Key ID: A3A8BDAD7C0C552C
Files changed:
1. docker/prod/entrypoint.sh (7 changed lines)
2. docs/installation-and-operations/installation/docker/README.md (4 changed lines)

@ -4,11 +4,18 @@ set -e
set -o pipefail
APACHE_PIDFILE=/run/apache2/apache2.pid
SERVER_NAME=${SERVER_NAME:="_default_"}
if [ -n "$DATABASE_URL" ]; then
/usr/local/bin/migrate-mysql-to-postgres || exit 1
fi
# Warn when default hostname set
if [ "${SERVER_NAME}" = "_default_" ]; then
echo "WARNING: You are using the default SERVER_NAME setting. If your docker container is public-facing, this is a security concern."
echo "Please see https://www.openproject.org/docs/installation-and-operations/installation/docker/ for more information how to secure your installation."
fi
# handle legacy configs
if [ -d "$PGDATA_LEGACY" ]; then
echo "WARN: You are using a legacy volume path for your postgres data. You should mount your postgres volumes at $PGDATA instead of $PGDATA_LEGACY."
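Review bot: the new check `if [ "${SERVER_NAME}" = "_default_" ]` only tells the operator that SERVER_NAME is unset; someone who followed the previous README and set SERVER_HOSTNAME (the variable this commit renames in the docs) gets the same generic warning with no hint that their setting is silently ignored. Consider a dedicated branch such as `if [ -n "$SERVER_HOSTNAME" ] && [ "$SERVER_NAME" = "_default_" ]` whose message says SERVER_HOSTNAME is no longer read. Two smaller points in the same lines: send the warning to stderr (`echo "WARNING: ..." >&2`) so it is not mixed into normal output, and fix "more information how to secure" to "more information on how to secure". The context line `SERVER_NAME=${SERVER_NAME:="_default_"}` is also doubly assigning (`:=` already sets the variable); `SERVER_NAME=${SERVER_NAME:-_default_}` is the idiomatic form.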

@ -112,14 +112,14 @@ those directories mounted:
sudo mkdir -p /var/lib/openproject/{pgdata,assets}
docker run -d -p 8080:80 --name openproject \
-e SERVER_HOSTNAME=openproject.example.com \ # The public facing host name
-e SERVER_NAME=openproject.example.com \ # The public facing host name
-e SECRET_KEY_BASE=secret \ # The secret key base used for cookies
-v /var/lib/openproject/pgdata:/var/openproject/pgdata \
-v /var/lib/openproject/assets:/var/openproject/assets \
openproject/community:11
```
Please make sure you set the correct public facing hostname in `SERVER_HOSTNAME`. If you don't have a load-balancing or proxying web server in front of your docker container,
Please make sure you set the correct public facing hostname in `SERVER_NAME`. If you don't have a load-balancing or proxying web server in front of your docker container,
you will otherwise be vulnerable to [HOST header injections](https://portswigger.net/web-security/host-header), as the internal server has no way of identifying the correct host name.
**Note**: Make sure to replace `secret` with a random string. One way to generate one is to run `head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 ; echo ''` if you are on Linux.
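Review bot: the `docker run` example being edited here is not copy-pasteable: in `-e SERVER_NAME=openproject.example.com \ # The public facing host name` the backslash is followed by a space and a comment, so it escapes the space rather than the newline, the command ends on that line, and the following `-e SECRET_KEY_BASE=...` and `-v ...` lines run as separate commands. Since these lines are touched anyway, move the comments above the command so each continuation line ends with the backslash, e.g.
docker run -d -p 8080:80 --name openproject \
  -e SERVER_NAME=openproject.example.com \
  -e SECRET_KEY_BASE=secret \
The rename from SERVER_HOSTNAME to SERVER_NAME matches what the entrypoint reads (`SERVER_NAME=${SERVER_NAME:="_default_"}`), but the README should add one sentence stating that SERVER_HOSTNAME is no longer honoured, otherwise existing deployments keep the old variable and are exactly the Host header injection case the paragraph warns about.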
