IBM Domino with Nginx may reveal data.
Nginx as a reverse proxy in front of IBM Domino works well.
You can use Jesse Gallagher's guide on Nginx with IBM Domino to get started.
There are 3 things to be aware of:
1) All communication HTTPS only
The first thing you will want to do is make sure all communication is HTTPS only.
Add this directive to the server block that listens on port 80:
return 301 https://$host$request_uri;
All HTTP requests from the browser then get redirected to the same URL over HTTPS.
The 301 status code marks the redirection as "permanent", so browsers cache it and go straight to HTTPS on later visits.
2) Disable connectors
Set HTTPEnableConnectorHeaders=0 in notes.ini.
You don't need the connector headers in this setup, and leaving them enabled just opens a can of worms. Just don't.
Read more here:
https://nevermind.dk/nevermind/blog.nsf/subject/security-hole-leaves-ibm-domino-server-wide-open---part-one
https://nevermind.dk/nevermind/blog.nsf/subject/security-hole-leaves-ibm-domino-server-wide-open---part-two
3) IBM Domino with Nginx may reveal data.
You will most likely use HTTP, not HTTPS, to communicate with the Domino back end from Nginx, especially if you are serving more than one internet domain.
With the redirect setup above everything may seem "nice and dandy", but it probably is not.
The redirect is just so fast that you don't notice something is wrong.
The problem is that Domino only sees plain HTTP coming from Nginx, so when you log in it redirects you to an http:// URL, NOT https://.
This means one response from the Domino server and one request from the browser travel over HTTP.
Nginx then redirects that request to HTTPS and everything looks fine in the browser.
It all happens so fast that you will not notice, but a network sniffer will, and the Domino session cookie the browser sends along with that HTTP request can be harvested (it goes out in the clear unless the cookie carries the Secure attribute).
The simple way to find out whether you are hit by this issue is to look at the network traffic in the browser's developer tools while logging in.
You will see the browser request an http:// URL and get redirected with a 301.
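The developer-tools check above is manual; the script below does the same check from the command line and also flags whether the session cookie would be sent on the plain-HTTP hop. It is an added example, not code from the original post. It assumes Domino's default login form at /names.nsf?Login with the fields Username and Password, and a session cookie named DomAuthSessId; the sample response embedded in it is constructed, not captured from a real server.

```python
"""Check whether a Domino login behind Nginx redirects to plain HTTP.

Added example, not code from the original post.  Assumptions: Domino's
default login form at /names.nsf?Login with the fields Username and
Password, and a session cookie named DomAuthSessId; the sample response
below is constructed, not captured from a real server.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


def audit_response(request_scheme, status, headers):
    """Inspect one response to a request that was made over request_scheme.

    headers is a list of (name, value) pairs as http.client returns them.
    Returns a list of human-readable findings; an empty list means clean.
    """
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and status in REDIRECT_CODES:
            target_scheme = urllib.parse.urlsplit(value).scheme.lower()
            # A relative Location keeps the browser on the current scheme.
            if target_scheme and target_scheme != request_scheme.lower():
                findings.append(
                    f"redirect downgrades {request_scheme} to {target_scheme}: {value}")
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(
                    f"cookie {cookie_name} lacks the Secure attribute, so the "
                    "browser will send it on the plain-HTTP hop")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_login(login_url, username, password, timeout=10):
    """POST the Domino login form and audit the response without following it."""
    body = urllib.parse.urlencode({"Username": username, "Password": password}).encode()
    req = urllib.request.Request(login_url, data=body, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(req, timeout=timeout)
        status, headers = resp.status, list(resp.headers.items())
    except urllib.error.HTTPError as err:
        # With _NoRedirect a 3xx surfaces as HTTPError; keep its headers.
        status, headers = err.code, list(err.headers.items())
    scheme = urllib.parse.urlsplit(login_url).scheme
    return audit_response(scheme, status, headers)


# Constructed sample of what Domino answers after a successful login when it
# only sees plain HTTP from Nginx: an absolute http:// Location and a cookie
# without the Secure attribute.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = [
    ("Location", "http://mail.example.com/mail/user.nsf"),
    ("Set-Cookie", "DomAuthSessId=0123456789ABCDEF; path=/"),
]

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python check_domino_redirect.py https://host/names.nsf?Login user password
        results = check_login(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        # No server given: audit the constructed sample as seen over HTTPS.
        results = audit_response("https", SAMPLE_STATUS, SAMPLE_HEADERS)
    for line in results or ["no downgrade or insecure cookie found"]:
        print(line)
```

Run it against your own login URL with a test account; a "redirect downgrades https to http" line means the browser will make exactly the plaintext request described above. The cookie finding is independent of the Nginx fix: even once the redirect stays on HTTPS, a cookie without the Secure attribute would still be sent on any plain-HTTP request the browser happens to make to that host.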
Fortunately the fix is easy.
You want Nginx to always return redirects using the same protocol as the request used.
By adding:
proxy_redirect http:// $scheme://;
to the location that proxies to Domino, Nginx rewrites the http:// in Domino's Location header to the scheme of the original request, so a browser that came in over HTTPS is sent straight to an HTTPS URL.
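The three settings put together in one Nginx configuration, as an added example rather than the original post's or Jesse Gallagher's configuration; the host name, certificate paths and the upstream address are placeholders, and the notes.ini setting is noted in a comment because it lives on the Domino side:

```nginx
# Added example, not the original post's configuration.
# Domino side (notes.ini): HTTPEnableConnectorHeaders=0

server {
    listen 80;
    server_name mail.example.com;
    # 1) HTTPS only: send every plain-HTTP request to the same URL over HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mail.example.com;
    ssl_certificate     /etc/nginx/certs/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/mail.example.com.key;

    location / {
        # Domino is reached over plain HTTP on the internal network.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;

        # 3) Domino only sees HTTP, so its redirects (for example after login)
        # carry http:// Location headers. Rewrite them to the scheme the
        # browser actually used, so the browser never makes a plaintext hop.
        proxy_redirect http:// $scheme://;
    }
}
```

Note that proxy_redirect only rewrites the Location and Refresh response headers. Absolute http:// links that Domino writes into the HTML body itself are not touched, so check the page source as well if you see mixed-content warnings after applying this.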
Posted on 06/19/2018 01:23:09 PM CEDT