From 5b9395aea1a910cb12ab04f9a266da1e7136256e Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Wed, 11 Apr 2018 16:45:15 +0000
Subject: [PATCH] Refuse external connections to the API

The Etherpad API is only useful for authenticated access via the secret API key, which resides on the server's filesystem. It can already be accessed from localhost over the nodejs listener socket, so doesn't need to be reachable through the external Apache proxy. Refuse connections to it through Apache in an effort to reduce exposure to future unauthenticated or authentication bypass bugs in the API implementation.

Change-Id: Ia5cf2f15c21eb397eeb878c81cd3c7a29f5aecbd
---
 templates/etherpadlite.vhost.erb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/templates/etherpadlite.vhost.erb b/templates/etherpadlite.vhost.erb
index 5cd0147..a2d3e01 100644
--- a/templates/etherpadlite.vhost.erb
+++ b/templates/etherpadlite.vhost.erb
@@ -78,6 +78,9 @@
 # etherpad-lite installation.
 RewriteRule ^/robots.txt$ <%= scope.lookupvar("etherpad_lite::apache::docroot") %>/robots.txt [L]
 
+ # Refuse external connections to the API through the proxy
+ RewriteRule ^/api/ - [F,L]
+
 RewriteCond %{REQUEST_URI} !^/p/
 RewriteCond %{REQUEST_URI} !^/locales/
 RewriteCond %{REQUEST_URI} !^/locales.json
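Review bot: The new deny rule `RewriteRule ^/api/ - [F,L]` is case-sensitive and only matches paths that carry the trailing slash, so it is narrower than the API surface it intends to cover if the Express routes behind the proxy are matched case-insensitively (the Express default, to be confirmed against the deployed Etherpad version) or if the bare `/api` path is served by the same handler. Since this is a deny rule, it should err on the side of matching more, e.g. `RewriteRule ^/api(/|$) - [F,L,NC]`, which keeps the [F,L] semantics and the commit's intent unchanged. The RewriteCond chain that follows (`!^/p/`, `!^/locales/`, …) appears to gate a proxy rule that lies outside this hunk, so it would be worth checking that the new rule is evaluated before that proxy rule and is not bypassed by a later unconditional ProxyPass for the same vhost. A one-line comment noting that the API remains reachable on the local nodejs listener, as the commit message says, would make the intent clear to the next maintainer of the template.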