aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2022-01-15 15:13:41 +0100
committerKim Alvefur <zash@zash.se>2022-01-15 15:13:41 +0100
commitb1874898028aa584bb02c3ec082ab8c9f54ae951 (patch)
tree0ebba5aad0f674f33d43843c7cb3b777a1c27b9e
parente0e180aa9d9cac1e427ac23be49aca0c4059f755 (diff)
downloadprosody-b1874898028aa584bb02c3ec082ab8c9f54ae951.tar.gz
prosody-b1874898028aa584bb02c3ec082ab8c9f54ae951.zip
mod_http: Limit unencrypted http port (5280) to loopback by default
Since accessing this port directly over the wider Internet is unlikely to intentional anymore. Most uses will likely be by reverse proxies, by mistake or because of trouble configuring HTTPS. Blocking mistaken uses is just a good thing, letting users send potentially private things unencrypted tends to be Strongly Discouraged these days. Many reverse proxy setups operate over loopback, so listening there instead of all interfaces is a net improvement. Improved automatic certificate location and SNI support has mostly eliminated the need for manual certificate configuration so HTTPS should Just Work once certificates have been provided. For local testing during development, connecting over loopback is likely fine as well. When really needed, `http_interfaces` can still be set. Suggested by Link Mauve
-rw-r--r--CHANGES1
-rw-r--r--plugins/mod_http.lua1
2 files changed, 2 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 13aab690..3e7907f0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -32,6 +32,7 @@ TRUNK
- Direct TLS (including https) certificates updated on reload
- Pluggable authorization providers (mod_authz_)
- Easy use of Mozilla TLS recommendations presets
+- Unencrypted HTTP port (5280) restricted to loopback by default
### HTTP
diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua
index 100581b5..c7795089 100644
--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -304,6 +304,7 @@ end);
module:provides("net", {
name = "http";
listener = server.listener;
+ private = true;
default_port = 5280;
multiplex = {
pattern = "^[A-Z]";