The instructions for securing elogd using an SSL proxy are incomplete.
http://midas.psi.ch/elog/adminguide.html#secure
http://midas.psi.ch/elogs/contributions/11
If you follow these instructions, elogd will still listen for and accept non-SSL connections on its own TCP port, bypassing the SSL proxy.
(True, the elogd TCP port number is somewhat secret, so there is some security-by-obscurity here).
To secure the elogd TCP port against connections that bypass the SSL proxy, elogd has to be started
with the "-n localhost" command line option.
To add this option, one has to edit /etc/init.d/elogd. I do not know if this change will be lost when the elog rpm package is updated.
It would be better if this option could have been specified through elogd.conf.
The "-n" command line option is not documented here
http://midas.psi.ch/elog/adminguide.html#config
but is visible if you run "elogd -h".
P.S. Even with "-n localhost", users of the local machine can bypass the SSL proxy.
K.O.
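As an added check (not part of the post above or of the ELOG project), a small POSIX shell function that parses "ss -ltn" output and confirms that the elogd port is bound to loopback only, which is what "-n localhost" is meant to achieve. The port number 8080 and the sample socket lines are constructed assumptions; the real port comes from elogd.conf.

```shell
#!/bin/sh
# Added example: verify that a daemon's listening socket is bound only to a
# loopback address, as expected after starting elogd with "-n localhost".
# Reads "ss -ltn"-style lines on stdin. The port (8080) is an assumption.

# Constructed sample of "ss -ltn" output: elogd (8080) exposed on all interfaces.
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    127.0.0.1:443      0.0.0.0:*'

# Constructed sample: elogd on loopback only, SSL proxy (443) public.
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*'

# check_loopback_only PORT   (ss -ltn output on stdin)
# Returns 0 if every LISTEN socket on PORT is bound to 127.0.0.0/8 or ::1,
# otherwise prints each offending bind address and returns 1.
check_loopback_only() {
    port="$1"
    status=0
    while read -r state rq sq local rest; do
        [ "$state" = "LISTEN" ] || continue        # skip the header line
        addr="${local%:*}"                         # "0.0.0.0" or "[::]"
        p="${local##*:}"                           # port after the last colon
        [ "$p" = "$port" ] || continue
        case "$addr" in
            127.*|'[::1]'|::1) ;;                  # loopback: fine
            *) echo "port $port also bound to $addr"; status=1 ;;
        esac
    done
    [ "$status" -eq 0 ] && echo "ok: port $port listens on loopback only"
    return "$status"
}

# Live use on the elogd host:  ss -ltn | check_loopback_only 8080
```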