
nixos/httpd: improve security in configuration file #55410

Merged
merged 3 commits into from Feb 18, 2019

Conversation

aanderse
Member

@aanderse aanderse commented Feb 7, 2019

Motivation for this change

Improve security in configuration file. I've been running these changes at work on a few boxes for a while after the servers were flagged by our Qualys scanner.

NOTE: The TraceEnable and expose_php options are standard in Debian 9.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@infinisil
Member

Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it.

From https://httpd.apache.org/docs/current/mod/core.html#traceenable

@aanderse
Member Author

aanderse commented Feb 7, 2019

@infinisil

https://security.stackexchange.com/questions/56955/is-the-http-trace-method-a-security-vulnerability

One of the wisest security principles says that what is unused should be disabled.

https://www.owasp.org/index.php/Cross_Site_Tracing

The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials.

The option can be turned back on in services.httpd.extraConfig if needed.
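The discussion above is about two hardening settings the PR turns off by default (`TraceEnable` and `expose_php`) and the escape hatch `services.httpd.extraConfig` for putting TRACE back. The following NixOS configuration fragment is an added example written for this page, not code from the PR or from the nixpkgs module; it states both settings explicitly so they are visible in the deployment's own configuration, and shows where a deployment that genuinely needs TRACE would re-enable it. The admin address is a placeholder, and `services.httpd.phpOptions` feeding php.ini is an assumption about the module of that release.

```nix
# Added example (not from the PR): hardened httpd settings made explicit in
# configuration.nix, plus the extraConfig override the PR discussion mentions.
{ config, pkgs, ... }:

{
  services.httpd = {
    enable = true;
    adminAddr = "webmaster@example.org";   # placeholder address

    # Verbatim httpd directives appended to the generated httpd.conf.
    # After this PR the module already emits "TraceEnable off"; repeating it
    # here documents the intent in the deployment's own config.  A server
    # that must answer TRACE (cross-site tracing risk, see the OWASP link
    # above) would replace "off" with "on" here instead.
    extraConfig = ''
      TraceEnable off
    '';

    # PHP settings: expose_php = Off stops PHP from announcing its version
    # in the X-Powered-By response header.
    # Assumption: services.httpd.phpOptions is the string option that is
    # written into the php.ini used by the module's mod_php.
    enablePHP = true;
    phpOptions = ''
      expose_php = Off
    '';
  };
}
```

After `nixos-rebuild switch`, a TRACE request against the rebuilt host should be answered with `405 Method Not Allowed`, which is how Apache reports `TraceEnable off`; seeing the request headers echoed back in the response body instead means the override is still on, and the generated `httpd.conf` in the Nix store is the place to look for a conflicting directive.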

@ghost

ghost commented Feb 7, 2019

I like these changes 👍

Member

@dasJ dasJ left a comment

LGTM, TRACE isn't really used nowadays and the rest seems sensible enough

@infinisil infinisil merged commit a3f85f0 into NixOS:master Feb 18, 2019
@aanderse
Member Author

Thanks @infinisil!

@aanderse aanderse deleted the apache-defaults branch February 18, 2019 02:56