From 9a275b2f1846d7268c71a740975447e269383849 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Sun, 10 Feb 2019 16:56:41 +0000 Subject: doc: Document security issues involving LWP::UserAgent Recommend the LWPx::ParanoidAgent module where appropriate. It is particularly important for openid, since unauthenticated users can control which URLs that plugin will contact. Conversely, it is non-critical for blogspam, since the URL to be contacted is under the wiki administrator's control. Signed-off-by: Simon McVittie --- doc/tips/using_a_proxy.mdwn | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 doc/tips/using_a_proxy.mdwn (limited to 'doc/tips') diff --git a/doc/tips/using_a_proxy.mdwn b/doc/tips/using_a_proxy.mdwn new file mode 100644 index 000000000..39df3c42a --- /dev/null +++ b/doc/tips/using_a_proxy.mdwn @@ -0,0 +1,22 @@ +Some ikiwiki plugins make outgoing HTTP requests from the web server: + +* [[plugins/aggregate]] (to download Atom and RSS feeds) +* [[plugins/blogspam]] (to check whether a comment or edit is spam) +* [[plugins/openid]] (to authenticate users) +* [[plugins/pinger]] (to ping other ikiwiki installations) + +If your ikiwiki installation cannot contact the Internet without going +through a proxy, you can configure this in the [[setup file|setup]] by +setting environment variables: + + ENV: + http_proxy: "http://proxy.example.com:8080" + https_proxy: "http://proxy.example.com:8080" + # optional + no_proxy: ".example.com,www.example.org" + +Note that some plugins will use the configured proxy for all destinations, +even if they are listed in `no_proxy`. + +To avoid server-side request forgery attacks, ensure that your proxy does +not allow requests to addresses that are considered to be internal. -- cgit v1.2.3
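Review bot: the closing SSRF paragraph of the new doc/tips/using_a_proxy.mdwn only addresses installations that route outgoing requests through a proxy, and the hunk never mentions LWPx::ParanoidAgent even though the commit message says the module is recommended where appropriate and singles out openid because unauthenticated users control which URLs that plugin contacts. Consider adding a sentence after "not allow requests to addresses that are considered to be internal." stating that installations without a proxy should rely on LWPx::ParanoidAgent (or an equivalent restriction on internal addresses) instead, that this matters most for openid, and that it is non-critical for blogspam since its URL is under the wiki administrator's control, as the commit message already explains. The caveat "Note that some plugins will use the configured proxy for all destinations, even if they are listed in `no_proxy`." would also be more useful if it named which of the four listed plugins honour `no_proxy`, since an administrator relying on `no_proxy` to reach internal hosts needs to know which plugins it actually affects.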