author | Simon McVittie <smcv@debian.org> | 2019-02-10 16:56:41 +0000 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2019-02-26 22:21:31 +0000 |
commit | 9a275b2f1846d7268c71a740975447e269383849 (patch) | |
tree | 0c832065045c67438ede85f237b93f77b74ecd2b /doc/tips | |
parent | d283e4ca1aeb6ca8cc0951c8495f778071076013 (diff) | |
download | ikiwiki-9a275b2f1846d7268c71a740975447e269383849.tar ikiwiki-9a275b2f1846d7268c71a740975447e269383849.tar.gz |
doc: Document security issues involving LWP::UserAgent
Recommend the LWPx::ParanoidAgent module where appropriate.
It is particularly important for openid, since unauthenticated users
can control which URLs that plugin will contact. Conversely, it is
non-critical for blogspam, since the URL to be contacted is under
the wiki administrator's control.
Signed-off-by: Simon McVittie <smcv@debian.org>
Diffstat (limited to 'doc/tips')
-rw-r--r-- | doc/tips/using_a_proxy.mdwn | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/doc/tips/using_a_proxy.mdwn b/doc/tips/using_a_proxy.mdwn new file mode 100644 index 000000000..39df3c42a --- /dev/null +++ b/doc/tips/using_a_proxy.mdwn @@ -0,0 +1,22 @@ +Some ikiwiki plugins make outgoing HTTP requests from the web server: + +* [[plugins/aggregate]] (to download Atom and RSS feeds) +* [[plugins/blogspam]] (to check whether a comment or edit is spam) +* [[plugins/openid]] (to authenticate users) +* [[plugins/pinger]] (to ping other ikiwiki installations) + +If your ikiwiki installation cannot contact the Internet without going +through a proxy, you can configure this in the [[setup file|setup]] by +setting environment variables: + + ENV: + http_proxy: "http://proxy.example.com:8080" + https_proxy: "http://proxy.example.com:8080" + # optional + no_proxy: ".example.com,www.example.org" + +Note that some plugins will use the configured proxy for all destinations, +even if they are listed in `no_proxy`. + +To avoid server-side request forgery attacks, ensure that your proxy does +not allow requests to addresses that are considered to be internal. |
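Review bot: the final paragraph's SSRF mitigation ("ensure that your proxy does not allow requests to addresses that are considered to be internal") only holds for requests that actually traverse the proxy, yet the `no_proxy` example a few lines above (`no_proxy: ".example.com,www.example.org"`) lets matching destinations bypass it entirely; the paragraph should state that internal hostnames and address ranges must not be listed in `no_proxy` when the proxy is relied upon as the SSRF filter, and the preceding note ("some plugins will use the configured proxy for all destinations, even if they are listed in `no_proxy`") should name which plugins do so, since an administrator otherwise cannot tell which of the four listed plugins honour the bypass. The commit message also recommends LWPx::ParanoidAgent, particularly for openid where unauthenticated users choose the URL, but this tip mentions neither the module nor that the proxy-side filter is a fallback rather than a substitute for it; a one-line cross-reference from the SSRF paragraph would keep the two pieces of advice consistent.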