Nginx audit with Gixy


Hello,

Out of curiosity, I installed and ran gixy, an Nginx configuration analysis tool, on my YunoHost server.

Result: gixy detects 12 “medium” and 14 “high” issues. The full output (I have changed my domain name): https://framabin.org/p/?a8901b440f086b3b#PSWG+nRg0OSfQ6+wneufiNIbofbSnKIJSo31Db/08tw=

Apps currently installed:

  • Kanboard
  • Nextcloud
  • phpMyAdmin
  • Rainloop
  • Tiny Tiny RSS
  • Wallabag
  • Wiki.js
  • Wordpress

I am not sure what to conclude from it, nor what to do with this report (forward it to the packagers of the apps concerned via the git repositories?)

Gavy

The alias_traversal issues detected here are about location ^~ /.well-known/acme-challenge, which is not directly related to the apps’ nginx config.

But opening an issue in YunoHost about it sounds like a good idea.

About the other one, host_spoofing, I don’t really get the difference between $http_host and $host.
Mostly it’s about location /yunohost/api/, but all apps using a proxy_pass are probably concerned as well.
Same, an issue in YunoHost would probably be welcome.

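As an added illustration of the two findings discussed above (not part of any post in this thread, and not gixy’s own code): a small Python checker that reconstructs, in simplified form, the alias_traversal and host_spoofing checks and runs them over a constructed Nginx snippet in which each flagged block is paired with its hardened form. The alias directory, the /app/ location and the severity labels are assumptions modelled on the categories in the report, not values taken from the poster’s configuration.

```python
import re

# Constructed nginx snippet (not the poster's real config): each flagged
# block is followed by its hardened counterpart.
SAMPLE_CONF = """
location ^~ /.well-known/acme-challenge {
    alias /var/www/acme-challenge/;
}
location ^~ /.well-known/acme-challenge/ {
    alias /var/www/acme-challenge/;
}
location /yunohost/api/ {
    proxy_set_header Host $http_host;
}
location /app/ {
    proxy_set_header Host $host;
}
"""

LOCATION_RE = re.compile(r"^\s*location\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{")
ALIAS_RE = re.compile(r"^\s*alias\s+(\S+?);")
HOST_HDR_RE = re.compile(r"^\s*proxy_set_header\s+Host\s+(\S+?);", re.I)


def audit(conf):
    # Returns (check, severity, location path) for every finding.
    findings = []
    modifier = path = None
    for line in conf.splitlines():
        loc = LOCATION_RE.match(line)
        if loc:
            modifier, path = loc.group(1), loc.group(2)
            continue
        if line.strip().startswith("}"):
            modifier = path = None
            continue
        if path is None:
            continue
        alias = ALIAS_RE.match(line)
        # alias_traversal: a prefix location with no trailing slash lets the rest
        # of the URI (including "../") be appended to the alias directory.
        if alias and modifier not in ("~", "~*") and not path.endswith("/"):
            severity = "HIGH" if alias.group(1).endswith("/") else "MEDIUM"
            findings.append(("alias_traversal", severity, path))
        host = HOST_HDR_RE.match(line)
        # host_spoofing: $http_host is the raw client Host header; $host is
        # normalised (lowercase, no port) and falls back to server_name.
        if host and host.group(1) == "$http_host":
            findings.append(("host_spoofing", "MEDIUM", path))
    return findings
```

Running `audit(SAMPLE_CONF)` flags only the first and third blocks; the two hardened blocks (trailing slash on the location, `$host` in proxy_set_header) produce no findings.
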
Here’s a PR for the acme-challenge traversal issue (which in fact will only happen on “old” instances for some reason).

@Maniack_Crudelis thanks for your answer, I will open an issue about host_spoofing tomorrow, as @aleks already solved the other one.

@Aleks thanks for the quick fix!

Note: about security issues, you can contact the yunohost team securely like this:
https://yunohost.org/#/security_team

@ljf I didn’t know, thanks for the link (and I am unable to tell whether this is a sensitive security issue or not, which is why I posted here. Feel free to delete this post if you think that’s better).
@ljf & @Aleks Do you want me to open an issue for host_spoofing, as suggested by @Maniack_Crudelis?