How do I/should I disable the local webserver
-
Hi,
Until XO Lite in XCP-ng 8.3, there's absolutely nothing to inject on the web page that could cause any harm (also because nobody is actually using this page after initial install/deploy). I'll be happy to learn otherwise if it's the case.
But still, yes you can disable it, let me ask @stormi about it, I forgot myself
-
@olivierlambert There is a login form to spin up an instance of XO.. not sure if something can be injected there... but that was another bullet point on their list as well... the password field doesn't have autocompletion turned off. Both are low priority items, and I know the autocompletion css tag doesn't work across the board with all browsers.
-
XO is NOT hosted in the Dom0, it's isolated in a dedicated VM, so it's out of the scope of XCP-ng vuln scan.
-
@olivierlambert said in How do I/should I disable the local webserver:
But still, yes you can disable it, let me ask @stormi about it, I forgot myself
So, there's no parameter to disable the web page, but there's a way to break it on purpose:
- Create a new /etc/xapi.conf.d/disable-webserver.conf file, with the following contents:
  web-dir = /var/disableweb
- mkdir /var/disableweb
- xe-toolstack-restart
The web server will then answer with an HTTP 404 error because it can't find index.html
-
@stormi Thank you for the instructions. It works great on most of our servers, but on one of them, we can no longer connect via xo. It gives a connection refused (ECONNREFUSED). I commented out the line in the conf file, and restarted the toolstack, and it connected fine... uncommented, and it went back to the connection refused. Other servers at other sites all work fine. Just this one is giving fits.
-
@yaroz Make sure the directory defined in this configuration file does exist on the system (no typo, or omission to create /var/disableweb?), else XAPI will abort, seeing that it does not exist.
-
@stormi Thank you very much. I didn't even look at the directory name while I was troubleshooting. It was /var/disablweb.. missed an e. All set now.
-
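The pre-flight check below is an added example, not part of the thread or of XCP-ng: it reads each web-dir value from the files in /etc/xapi.conf.d and confirms the directory exists before the toolstack is restarted, which catches the misspelled-directory case reported above. The function names are hypothetical, and the "key = value" parsing with "#" comment lines is an assumption about the file format.

```shell
#!/bin/sh
# Added example (not from the thread): verify the web-dir override
# before running xe-toolstack-restart.
# Assumptions: settings are "key = value" lines; a line starting with
# "#" is a comment and is ignored.

# Print every web-dir value set in the *.conf files under directory $1.
xapi_web_dirs() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*web-dir[[:space:]]*=[[:space:]]*//p' "$f" |
            sed 's/[[:space:]]*$//'
    done
}

# Return 0 only if every configured web-dir exists as a directory,
# 1 if one is missing, 2 if no override is configured at all.
check_web_dirs() {
    conf_dir=${1:-/etc/xapi.conf.d}
    rc=0
    dirs=$(xapi_web_dirs "$conf_dir")
    [ -n "$dirs" ] || { echo "no web-dir override in $conf_dir" >&2; return 2; }
    while IFS= read -r d; do
        if [ -d "$d" ]; then
            echo "ok: $d"
        else
            # The thread reports that XAPI aborts in this case.
            echo "MISSING: $d (XAPI would abort on restart)" >&2
            rc=1
        fi
    done <<EOF
$dirs
EOF
    return $rc
}

# On the host: check_web_dirs && xe-toolstack-restart
```
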
-
I was trying the process described by @stormi to disable the web page on XCP-NG 7.6.0 (could not upgrade yet) and it doesn't seem to be working.
I got no errors but the web page is still visible.
-
XCP-ng 7.6? Wow, you should really upgrade ASAP, it's not secure to use it!
-
@olivierlambert Thank you. We'll be looking into it when we upgrade the hardware.
-