[security advisory] http://wiki.nginx.org/Redmine

Gena Makhomed gmm at csdoc.com
Mon Mar 9 14:44:05 UTC 2015


On 08.03.2015 22:50, Francis Daly wrote:

>> The webpage http://wiki.nginx.org/Redmine has some security problems:
>>
>> 1. All redmine config files are available to anybody on the internet,
>> for example: https://redmine.example.com/config/database.yml
>> contains the login and password for the database connection in plain text.
>
> I don't think that one is an nginx problem.
>

Yes, this is not an nginx problem. This is an nginx configuration problem,
which is provided at wiki.nginx.org as a "drop in configuration" for redmine.

> From reading the redmine docs, it looks like the contents of the "root"
> directive directory should be whatever is in the distributed redmine
> public/ directory; not the entire installation including configuration.

I am talking about the configuration recommended
at the webpage http://wiki.nginx.org/Redmine,
not about "reading the redmine docs".

> And if /var/www/redmine does just have the public/ contents and the
> upstream servers reveal secret information, that would be their problem
> and not nginx's, I think.

    root /var/www/redmine;
    try_files $uri @ruby;

The request https://redmine.example.com/config/database.yml will be
processed by nginx, because the file /var/www/redmine/config/database.yml
exists. For details, see the manual for the try_files directive in nginx.

>> 3. The unsafe variable $http_host was used instead of the safe one, $host
>
> I'm not sure how $http_host is less safe than $host. It is proxy_pass'ed
> to the "real" redmine server as the Host header. That server must be
> able to handle it safely anyway, no?

Such a configuration allows spoofing of nginx's built-in server selection rules,
because nginx will use the server name from the request line, but will provide
a completely different server name to the upstream, taken from the Host request header.

So, $host must always be used with proxy_pass instead of $http_host.

-- 
Best regards,
  Gena
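
The two fixes discussed in this thread, side by side, as an added example.
This is not the wiki's "drop in configuration" and not the poster's own
config; the redmine install path /var/www/redmine and the hostname
redmine.example.com come from the thread, while the upstream address
127.0.0.1:3000 and the certificate paths are assumed placeholders.

```nginx
# Added example, not the wiki page's config or the poster's own.
# Assumed: redmine is installed under /var/www/redmine and its Rails
# application listens on 127.0.0.1:3000; certificate paths are placeholders.

# --- Weak form, as described in the thread (kept commented out) ---
# root covers the whole installation, so try_files finds and serves any
# existing file, including config/database.yml, before falling back to
# @ruby. $http_host hands the upstream the raw Host header even when nginx
# selected this server block from a different host in the request line.
#
#   server {
#       listen 443 ssl;
#       server_name redmine.example.com;
#       root /var/www/redmine;
#       location / {
#           try_files $uri @ruby;
#       }
#       location @ruby {
#           proxy_pass http://127.0.0.1:3000;
#           proxy_set_header Host $http_host;
#       }
#   }

# --- Corrected form ---
server {
    listen 443 ssl;
    server_name redmine.example.com;

    ssl_certificate     /etc/nginx/ssl/redmine.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/redmine.example.com.key;  # placeholder

    # Only redmine's public/ directory is under the document root.
    # config/, app/, log/ and the rest are outside it, so a request for
    # /config/database.yml no longer matches an existing file in try_files
    # and is passed to the application, which does not route it.
    root /var/www/redmine/public;

    location / {
        try_files $uri @ruby;
    }

    location @ruby {
        proxy_pass http://127.0.0.1:3000;
        # $host is the host name nginx itself used for server selection;
        # $http_host is the client-controlled Host header, which can differ
        # from the host in an absolute request-line URI.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To check the first fix, request https://redmine.example.com/config/database.yml
after reloading nginx and confirm the response is no longer YAML with database
credentials (redmine should answer with a 404 page, since it has no such route).
To check the second, send a request whose request-line host differs from its
Host header and confirm in the application's logs that it received the name
nginx selected the server block for, not the header value. Note that the root
directive alone is the protection here: anything that is placed inside public/
will still be served as a static file.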