Securing /setup location

Hi there,

After installation of BlueMind, the /setup location is quite open - password-secured only. I would suggest admins do something such as:

vi /etc/nginx/sites-available/bm-client-access

{{{
location /setup/ {
    allow 127.0.0.1;
    allow ; # subnets that are trusted…
    deny all;

    # the rest...
}
}}}

And possibly the same for /adminconsole if needed.

nginx -s reload / service bm-nginx restart

It would be better if BlueMind, during installation, would ask for the trusted IP networks from which /setup is permitted…

My $0.02

+1 🙂

You can open a suggestion in our suggestion box.

You can do this using an Nginx proxy in front of BlueMind, or by modifying BlueMind's Nginx configuration, but you must redo this after every update.

I fully agree with this request; it could even use the trusted networks from the postfix config by default, imho. An Nginx proxy in front of BlueMind isn’t the solution; it’s typically a security problem within the app.

Regarding the suggested workaround, isn’t it possible to use /etc/nginx/bm-local.d/ config files so it’s not overwritten on update?
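A post-update check for the point raised in this thread that the allowlist has to be re-applied after every update; this is an added example, not part of the thread or of BlueMind's tooling. The function name `check_location`, the sample configs, the 192.0.2.0/24 subnet and the upstream address are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not BlueMind code: after an update, confirm that an nginx
# location block still has its IP allowlist ("allow ...;" plus "deny all;").
# Returns 0 = allowlist present, 1 = block lacks it, 2 = block not found.
check_location() {   # usage: check_location FILE PREFIX
    awk -v loc="$2" '
        { sub(/[#].*/, "") }                    # drop comments
        !inblk && $1 == "location" && ($2 == loc || $3 == loc) {
            inblk = 1; found = 1; depth = 0; opened = 0
        }
        inblk {
            if (depth == 1) {                   # directives directly in the block
                if ($1 == "allow" && NF >= 2 && $2 != ";") allow = 1
                if ($1 == "deny" && $2 == "all;") deny = 1
            }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth > 0) opened = 1
            if (opened && depth <= 0) inblk = 0
        }
        END { if (!found) exit 2; exit ((allow && deny) ? 0 : 1) }
    ' "$1"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
# Constructed sample: allowlist in place (192.0.2.0/24 is a documentation range).
cat > "$tmp/restricted.conf" <<'EOF'
server {
    location /setup/ {
        allow 127.0.0.1;
        allow 192.0.2.0/24;   # assumed trusted subnet
        deny all;
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
EOF
# Constructed sample: the same block after an update dropped the allowlist.
cat > "$tmp/reverted.conf" <<'EOF'
server {
    location /setup/ {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
EOF
for f in restricted reverted; do
    rc=0; check_location "$tmp/$f.conf" /setup/ || rc=$?
    echo "$f.conf: /setup/ check returned $rc"
done
```

Run against /etc/nginx/sites-available/bm-client-access after an upgrade, a non-zero return means the /setup restriction needs to be re-applied. The check expects the block's directives on their own lines; a one-line block is reported as unrestricted.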