IBM Domino with Nginx may reveal data.


NGinx as a reverse proxy in front of IBM Domino works great.


You can use Jesse Gallagher's guide on Nginx with IBM Domino to get you started

There are 3 things to be aware of:

1) All communication HTTPS only

The first thing you might want to do is make sure all communication is HTTPS only.

By adding this directive to the server block that listens on port 80:

return 301 https://$host$request_uri;

all HTTP traffic from the browser will get a redirection to HTTPS instead.

The HTTP 301 status code makes the redirection "permanent", so browsers will cache it.

2) Disable connectors

Set HTTPEnableConnectorHeaders=0 in notes.ini

You don't need the connector headers, and leaving them enabled just opens a can of worms. Just don't.

Read more here:
https://nevermind.dk/nevermind/blog.nsf/subject/security-hole-leaves-ibm-domino-server-wide-open---part-one
https://nevermind.dk/nevermind/blog.nsf/subject/security-hole-leaves-ibm-domino-server-wide-open---part-two

3) IBM Domino with Nginx may reveal data.

You will most likely use HTTP, not HTTPS, for the communication between Nginx and the Domino back-end, especially if you are serving more than one internet domain.

With the redirecting setup above everything may seem "nice and dandy", but it probably is not.

The redirect is just so fast that you don't notice something may be wrong.

The problem is that when you log in to Domino, Domino redirects you using HTTP and NOT HTTPS, because the request it saw from Nginx was plain HTTP.

This means one response from the Domino server and one request from the browser will go over HTTP.

That request from the browser will then be redirected to HTTPS by Nginx, and all will look fine in the browser.

It all happens so fast that you will not notice the error, but a network sniffer will, and Domino's access cookies can be harvested from that one plain-HTTP request.

The simple way to find out if you're hit by this issue is to look at the network traffic in the browser using the developer tools.

As you can see here, right after the login the browser tries to access a URL using HTTP but gets redirected with a 301.


Fortunately the fix is easy.

You want Nginx to always return a response with the same protocol as the request used.

By adding this directive next to proxy_pass in the location block that proxies to Domino:

proxy_redirect http:// $scheme://;

Nginx will rewrite the Location header of Domino's redirect from http:// to the scheme the browser used, so a browser that came in over HTTPS is sent on over HTTPS.
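An added example (my own script, not from this post or from IBM/Nginx) that automates the developer-tools check above: it walks a redirect chain without auto-following and reports every hop that sends an https:// client to http://. The host name and the two chains are constructed; the "broken" one reproduces the Domino-then-Nginx bounce described above, the "fixed" one the chain after proxy_redirect is in place. Pass a real URL with the default fetch to run it against your own server.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx response back instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url):
    """One request, redirects not followed: returns (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx surfaces here
        return err.code, err.headers.get("Location")

def find_downgrades(start_url, fetch=http_fetch, max_hops=10):
    """Walk the redirect chain hop by hop and return every hop
    (from_url, status, to_url) that sends an https:// client to http://."""
    downgrades, url = [], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        target = urljoin(url, location)  # Location may be relative
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((url, status, target))
        url = target
    return downgrades

def table_fetch(table):
    """Build a fetch() that answers from a constructed table instead of the network."""
    return lambda url: table.get(url, (404, None))

# Constructed sample chains for a hypothetical host, not captured from a real server.
# Before the fix: Domino's post-login redirect points at plain http://,
# and Nginx then bounces the browser back to https:// with a 301.
BROKEN_CHAIN = {
    "https://mail.example.test/names.nsf?Login": (302, "http://mail.example.test/mail/user.nsf"),
    "http://mail.example.test/mail/user.nsf": (301, "https://mail.example.test/mail/user.nsf"),
    "https://mail.example.test/mail/user.nsf": (200, None),
}
# After proxy_redirect http:// $scheme://; the Location header already says https://.
FIXED_CHAIN = {
    "https://mail.example.test/names.nsf?Login": (302, "https://mail.example.test/mail/user.nsf"),
    "https://mail.example.test/mail/user.nsf": (200, None),
}
```

Any non-empty result is the plain-HTTP hop a sniffer would see; an empty list for the login URL means the proxy_redirect fix is working.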


Posted on 06/19/2018 01:23:09 PM CEDT