How do I/should I disable the local webserver
-
We've got several xcp-ng servers stood up, across many sites. We recently had a security audit, in which we granted the audit machine access to various vlans which normally wouldn't be open, after they found no issues on the 3 vlans that we gave them access to initially. On all of our xcp-ng hosts, they found an issue with the "x-frame-options" returned by the built-in web server (see below). Since these servers are on segregated vlans, which aren't accessible by any hosts other than our own, I'm not super worried about it, but have been asked to investigate. Is there a way to disable the built-in web server on all of the hosts? Is this what's used for xo to talk to the hosts?
From the auditors:
The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
-
Hi,
Until XO Lite in XCP-ng 8.3, there's absolutely nothing to inject on the web page that could cause any harm (also because nobody is actually using this page after initial install/deploy). I'll be happy to learn otherwise if it's the case
But still, yes you can disable it, let me ask @stormi about it, I forgot myself
-
@olivierlambert There is a login form to spin up an instance of XO.. not sure if something can be injected there... but that was another bullet point on their list as well... the password field doesn't have autocompletion turned off. Both are low priority items, and I know the autocompletion css tag doesn't work across the board with all browsers.
-
XO is NOT hosted in the Dom0, it's isolated in a dedicated VM, so it's out of the scope of XCP-ng vuln scan.
-
@olivierlambert said in How do I/should I disable the local webserver:
But still, yes you can disable it, let me ask @stormi about it, I forgot myself

So, there's no parameter to disable the web page, but there's a way to break it on purpose:
- Create a new /etc/xapi.conf.d/disable-webserver.conf file, with the following contents:
  web-dir = /var/disableweb
- mkdir /var/disableweb
- xe-toolstack-restart

The web server will then answer with a HTTP 404 error because it can't find index.html.
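An added example, not part of @stormi's post or of XCP-ng itself: a small POSIX shell helper that applies the three steps above and verifies that the web-dir directory really exists and holds no index.html before the toolstack is restarted, which is exactly the failure mode (a typo in the directory name makes XAPI abort and XO gets ECONNREFUSED) reported further down the thread. The function names and the ability to pass alternative paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): apply the "break it on purpose" steps
# and check the web-dir target before running xe-toolstack-restart. A typo such
# as /var/disablweb makes XAPI abort on restart, so verify first.

CONF_DEFAULT=/etc/xapi.conf.d/disable-webserver.conf
WEBDIR_DEFAULT=/var/disableweb

# Print the web-dir value from a xapi.conf.d fragment (last occurrence wins).
webdir_from_conf() {
    sed -n 's/^[[:space:]]*web-dir[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if the fragment points at an existing directory without index.html,
# 1 otherwise (with a reason on stderr).
check_webdir_conf() {
    conf="$1"
    dir=$(webdir_from_conf "$conf")
    if [ -z "$dir" ]; then
        echo "no web-dir line in $conf" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "web-dir $dir does not exist; XAPI would abort on restart" >&2
        return 1
    fi
    if [ -e "$dir/index.html" ]; then
        echo "$dir/index.html exists; the page would still be served" >&2
        return 1
    fi
    return 0
}

# Write the fragment, create the directory, then verify. Paths are optional
# arguments (assumption for this example) so the logic can be exercised
# outside Dom0.
disable_webserver() {
    conf="${1:-$CONF_DEFAULT}"
    dir="${2:-$WEBDIR_DEFAULT}"
    mkdir -p "$dir" "$(dirname "$conf")"
    printf 'web-dir = %s\n' "$dir" > "$conf"
    check_webdir_conf "$conf"
}

# On a host (run as root): disable_webserver && xe-toolstack-restart
```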
-
@stormi Thank you for the instructions. It works great on most of our servers, but on one of them, we can no longer connect via xo. It gives a connection refused (ECONNREFUSED). I commented out the line in the conf file, and restarted the toolstack, and it connected fine... uncommented, and it went back to the connection refused. Other servers at other sites all work fine. Just this one is giving fits.
-
@yaroz Make sure the directory defined in this configuration file does exist on the system (no typo, or omission to create /var/disableweb?), else XAPI will abort, seeing that it does not exist.
-
@stormi Thank you very much. I didn't even look at the directory name while I was troubleshooting. It was /var/disablweb.. missed an e. All set now.
-
I was trying the process described by @stormi to disable the web page on XCP-NG 7.6.0 (could not upgrade yet) and it doesn't seem to be working.
I got no errors but the web page is still visible.
-
XCP-ng 7.6? Wow, you should really upgrade ASAP, it's not secure to use it!
-
@olivierlambert Thank you. We'll be looking into it when we upgrade the hardware.
-