> The instructions for securing elogd using an SSL proxy are incomplete.
> http://midas.psi.ch/elog/adminguide.html#secure
> http://midas.psi.ch/elogs/contributions/11
>
> If you follow these instructions, elogd will still listen for and accept non-SSL connections on it's own TCP port bypassing the SSL proxy.
>
> (True, the elogd TCP port number is somewhat secret, so there is some security-by-obscurity here).
>
> To secure the elogd TCP port against connections that bypass the SSL proxy, elogd has to be started
> with the "-n localhost" command line options.
>
> To add this option, one has to edit /etc/init.d/elogd. I do not know if this change will be lost when the elog rpm package is updated.
>
> It would be better if this option could have been specified through elogd.conf.
>
> The "-n" command line option is not documented here
> http://midas.psi.ch/elog/adminguide.html#config
> but is visible if you run "elogd -h".
>
> P.S. Even with "-n localhost", users of the local machine can bypass the SSL proxy.
>
> K.O.
I added the option "interface" to the config file. So you could do
[global]
...
interface = localhost
It was not there originally since most people who care about security use a firewall. The firewall (either locally or one another machine), opens only port 443 for the secure connection and
not the non-secure one (typically 80 or 8080). This way this has not been an issue in the past. As you guessed correctly the -n option would be overwritten by an rpm package update, so
that's why I added the "interface" option. |