Posted to server-dev@james.apache.org by "Benoit Tellier (Jira)" <se...@james.apache.org> on 2022/01/10 04:58:00 UTC

[jira] [Created] (JAMES-3690) Allow to restrict the host webadmin is listening on

Benoit Tellier created JAMES-3690:
-------------------------------------

             Summary: Allow to restrict the host webadmin is listening on
                 Key: JAMES-3690
                 URL: https://issues.apache.org/jira/browse/JAMES-3690
             Project: James Server
          Issue Type: Improvement
          Components: webadmin
            Reporter: Benoit Tellier
             Fix For: 3.7.0


By default the WebAdmin server is activated and listens on all addresses, without JWT security activated by default. This of course represents an open door for unaware users, failing to set up decent firewalling.

There is a `host` option, set to localhost by default, that can provide a false sense of safety - however this is not applied.

The proposal here is:
 - To use the host option to limit interfaces the webadmin server listens on
 - Ship a sample configuration listening on localhost thus preventing external use
 - Ship 0.0.0.0 for docker as port exposure is required (we can expect the admin to know what he is doing)



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
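
An added example, not part of the original message or of the James code base: a check that compares the configured `host` value with the address the listener is actually bound to, which is the mismatch the issue describes. The properties text, the port number and the `ss -ltnH` lines are constructed sample inputs; only the `host` option name comes from the issue.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::1]:9999 [::]:*
"""

def configured_host(properties_text, default="localhost"):
    """Return the `host` value from Java-properties style text."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "host":
            return value.strip()
    return default  # the issue states localhost is the default value

def is_loopback(host):
    """True only for localhost or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # "*" wildcard, scoped address or hostname: treat as exposed

def bound_addresses(ss_output, port):
    """Local addresses of LISTEN sockets on `port` (4th column of ss -ltnH)."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, listen_port = fields[3].rpartition(":")
        if listen_port == str(port):
            found.append(addr)
    return found

def host_not_applied(properties_text, ss_output, port):
    """True when the config asks for loopback but a non-loopback listener exists."""
    wants_loopback = is_loopback(configured_host(properties_text))
    exposed = [a for a in bound_addresses(ss_output, port) if not is_loopback(a)]
    return wants_loopback and bool(exposed)
```
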
