<div dir="ltr"><div dir="ltr">Hi <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 28, 2023 at 3:17 AM Sergey A. Osokin <<a href="mailto:osa@freebsd.org.ru">osa@freebsd.org.ru</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Kaushal,<br>
<br>
hope you're doing well.<br>
<br>
Would you mind providing your feelings and concerns, if any, on the<br>
ngx_http_dav module.<br>
<br>
It's definitely possible to use the build scripts, available in the<br>
pkg-oss repo, [1], update configure options and rebuild the package<br>
for your needs.<br>
<br>
References<br>
----------<br>
1. <a href="https://hg.nginx.org/pkg-oss/" rel="noreferrer" target="_blank">https://hg.nginx.org/pkg-oss/</a><br>
<br>
Thank you.<br>
<br>
-- <br>
Sergey A. Osokin<br>
<br>
On Tue, Nov 28, 2023 at 12:39:47AM +0530, Kaushal Shriyan wrote:<br>
> Hi,<br>
> <br>
> I am running nginx version: nginx/1.24.0 on Red Hat Enterprise Linux<br>
> release 8.8 (Ootpa). Is there a way to disable http_dav_module in Nginx Web<br>
> server?<br>
> <br>
> # nginx -v<br>
> nginx version: nginx/1.24.0<br>
> # cat /etc/redhat-release<br>
> Red Hat Enterprise Linux release 8.8 (Ootpa).<br>
> #<br>
> # nginx -V 2>&1 | grep http_dav_module<br>
> configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx<br>
> --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf<br>
> --error-log-path=/var/log/nginx/error.log<br>
> --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid<br>
> --lock-path=/var/run/nginx.lock<br>
> --http-client-body-temp-path=/var/cache/nginx/client_temp<br>
> --http-proxy-temp-path=/var/cache/nginx/proxy_temp<br>
> --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp<br>
> --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp<br>
> --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx<br>
> --with-compat --with-file-aio --with-threads --with-http_addition_module<br>
> --with-http_auth_request_module --with-http_dav_module<br>
> --with-http_flv_module --with-http_gunzip_module<br>
> --with-http_gzip_static_module --with-http_mp4_module<br>
> --with-http_random_index_module --with-http_realip_module<br>
> --with-http_secure_link_module --with-http_slice_module<br>
> --with-http_ssl_module --with-http_stub_status_module<br>
> --with-http_sub_module --with-http_v2_module --with-mail<br>
> --with-mail_ssl_module --with-stream --with-stream_realip_module<br>
> --with-stream_ssl_module --with-stream_ssl_preread_module<br>
> --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security<br>
> -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions<br>
> -fstack-protector-strong -grecord-gcc-switches<br>
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1<br>
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic<br>
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection<br>
> -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'<br>
> <br>
> Please guide me. Thanks in Advance.<br>
> <br>
> Best Regards,<br>
> <br>
> Kaushal<br>
<br>
> _______________________________________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
> <a href="https://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">https://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote><div><br></div><div>Hi Sergey,</div><div><br></div><div>I am working with an enterprise customer in the financial domain. Their security team has suggested the recommendation below.</div><div><br></div><div>############################################################################################################</div>2.1.2 Ensure HTTP WebDAV module is not installed (Automated)<br>Profile Applicability:<br>• Level 2 - Webserver<br>• Level 2 - Proxy<br>• Level 2 - Loadbalancer<br>Description:<br>The http_dav_module enables HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV) as defined by RFC 4918. This enables file-based operations on your web server, such as the ability to create, delete, change and move files on your server. Most modern architectures have replaced this functionality with cloud-based object storage, in which case the module should not be installed.<br>Rationale:<br>WebDAV functionality opens up an unnecessary path for exploiting your web server. Through misconfigurations of WebDAV operations, an attacker may be able to access and manipulate files on the server.<br>Audit:<br>Run the following command to ensure the http_dav_module is not installed:<br>nginx -V 2>&1 | grep http_dav_module<br><br>Ensure the output of the command is empty.<br>Remediation:<br>To remove the http_dav_module, recompile nginx from source without the --with-http_dav_module flag.<br>Default Value:<br><div>The HTTP WebDAV module is not installed by default when installing from source. It does come by default when installed using dnf.</div><div>############################################################################################################<br></div><div> </div><div>Please guide me further. Thanks in advance.<br><br>Best Regards,<br><br>Kaushal<br></div></div></div>
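An added audit helper (my own example, not code from this thread, from nginx or from pkg-oss) that checks what CIS 2.1.2 audits, the `--with-http_dav_module` flag in the `nginx -V` configure line, and also whether any uncommented `dav_methods` directive actually turns a WebDAV method on, since the module's built-in default is `dav_methods off`. The function names are mine, and the `nginx -V` output and config are constructed samples modelled on the configure line quoted above, so the script runs on a machine without nginx.

```shell
#!/bin/sh
# Added example: audit nginx for the http_dav_module (CIS 2.1.2) and for
# dav_methods directives that would make it active. Inputs are passed as
# strings so the checks also run on a host where nginx is not installed.

# Constructed sample modelled on the configure line quoted in the thread.
SAMPLE_NGINX_V='nginx version: nginx/1.24.0
configure arguments: --prefix=/etc/nginx --with-compat --with-http_dav_module --with-http_ssl_module --with-stream'

# Constructed sample config: one location enables WebDAV methods, one does not.
SAMPLE_CONF='server {
    location /upload/ { dav_methods PUT DELETE MKCOL; }
    # location /old/ { dav_methods PUT; }   (commented out, must not count)
    location /        { dav_methods off; }
}'

# module_compiled_in "<nginx -V output>" <module>: succeeds when --with-<module>
# appears as a whole word in the configure arguments (the CIS audit check).
module_compiled_in() {
    printf '%s\n' "$1" | grep -qE -- "(^|[[:space:]])--with-$2([[:space:]]|\$)"
}

# dav_methods_enabled "<nginx.conf text>": succeeds when an uncommented dav_methods
# directive names any WebDAV method. nginx's default is "dav_methods off".
dav_methods_enabled() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -qE 'dav_methods[[:space:]]+[^;]*(PUT|DELETE|MKCOL|COPY|MOVE)'
}

# dav_exposure "<nginx -V output>" "<nginx.conf text>": prints a verdict and returns
# 0 (module absent), 1 (present, methods off) or 2 (present and methods enabled).
dav_exposure() {
    if ! module_compiled_in "$1" http_dav_module; then
        echo "PASS: http_dav_module not compiled in"; return 0
    fi
    if dav_methods_enabled "$2"; then
        echo "FAIL: http_dav_module compiled in and dav_methods enabled"; return 2
    fi
    echo "WARN: http_dav_module compiled in (CIS 2.1.2 fails) but dav_methods is off"
    return 1
}

# Demo run on the constructed samples; the WebDAV location makes this level 2.
dav_exposure "$SAMPLE_NGINX_V" "$SAMPLE_CONF" || echo "exposure level: $?"
```

On a real host, feed it `"$(nginx -V 2>&1)"` and `"$(nginx -T 2>/dev/null)"` instead of the samples; a WARN result is still a CIS 2.1.2 failure, which only a rebuild without the flag (for example via the pkg-oss scripts) removes.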