[Security:low] nginx portal example file does not filter REST URLs
Concerned version
Version: %2.0 Platform: Nginx
Summary
The provided NGINX portal config contains a number of blocks that look like this:

    # REST/SOAP functions for sessions management (disabled by default)
    location /index.psgi/adminSessions {
        deny all;
    }

However, these configuration directives do not actually block anything.
Logs
    curl -sk -IXGET https://auth.example.com/sessions/ | head -1
    HTTP/2 200

Nginx should instead return a 403.
Possible fixes
I could not find an easy fix. We need to move those blocks before the main location
block and duplicate the fastcgi directives inside them, which leads to a rather ugly file. I will look harder into it later.
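To illustrate the arrangement described above, here is an added example (not the project's shipped portal config) contrasting the ineffective block with one that actually applies to the URL the client requests. It assumes the REST endpoint is requested as /sessions/ (as in the log above), that no server-level rewrite renames the URI before location matching, and that the main location hands requests to a FastCGI upstream; the upstream name llng_portal_upstream and the fastcgi_* parameters are placeholders, not values taken from the real file.

```nginx
# Added example, not the project's own configuration. Assumes the client
# requests /sessions/ directly and that the main "location /" forwards to
# a FastCGI upstream (name below is a placeholder).

# Does NOT protect /sessions/: nginx chooses a location from the URI the
# client sent, and /sessions/ does not begin with /index.psgi/adminSessions,
# so this block is never selected and its "deny all" is never evaluated.
location /index.psgi/adminSessions {
    deny all;
}

# Protects /sessions/: "^~" makes this prefix win over any regex location
# (for instance one matching *.psgi), and it is longer than "/", so nginx
# uses it for the request. Access rules (allow/deny) are checked before
# the content handler runs, so a denied client receives 403 regardless of
# what would have served the request.
location ^~ /sessions/ {
    # allow 10.0.0.0/8;   # example: restrict to an administration network
    deny all;

    # Handler directives are not inherited from the sibling "location /",
    # so they must be repeated here (or placed in a shared file pulled in
    # with "include"); otherwise a client that IS allowed would get a
    # static-file lookup instead of the portal. This is the duplication
    # the report mentions.
    include /etc/nginx/fastcgi_params;                          # assumed
    fastcgi_pass llng_portal_upstream;                          # assumed
    fastcgi_param SCRIPT_FILENAME $document_root/index.psgi;    # assumed
}
```

After reloading, the curl check from the Logs section should report `HTTP/2 403` for /sessions/ while the rest of the portal keeps working.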
Impact
Is this a security issue? REST services are not enabled by default, and sysadmins who choose to enable them are responsible for securing them correctly. Still, the configuration file is pretty misleading.