Restricting the REST 1.0 mail-gateway with Nginx

I am upgrading RT to 5.0.5. We use RT on FreeBSD with Nginx as a web server and spawn_fcgi. Communication between spawn_fcgi and Nginx occurs via unix socket (not IP).

I see that in the release announcement Best Practical recommends protecting the REST 1.0 mail-gateway on the web server. Recommended configuration is provided for Apache but not Nginx.

I am attempting to duplicate the configuration for Nginx to apply to our system.

  1. Does the following look like the appropriate configuration, and what is the best way to test that it is working properly?
location /REST/1.0/NoAuth/mail-gateway {
    allow 127.0.0.1;
    allow ::1;
    deny  all;
    # ... plus the fastcgi_* and other directives from the primary location / block
}
  2. Does /bin/mail-gateway support communication over unix socket? It seems to me like that would be even more secure and more performant.

Answering #1:

The configuration above is good, as long as you remember to add all the other fastcgi parameters and other configuration you have on your primary location / block (in case that wasn’t clear, I should have put a ‘...’ up there).

$ curl https://my-rt-host/REST/1.0/NoAuth/mail-gateway
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
$ curl --connect-to my-rt-host:443:127.0.0.1:443 https://my-rt-host/REST/1.0/NoAuth/mail-gateway
not ok - operation unsuccessful
$ tail -n 2 /var/log/nginx/access.log
10.10.99.199 - - [12/Jan/2024:12:46:34 -0500] "GET /REST/1.0/NoAuth/mail-gateway HTTP/2.0" 403 153 "-" "curl/8.5.0"
127.0.0.1 - - [12/Jan/2024:12:46:41 -0500] "GET /REST/1.0/NoAuth/mail-gateway HTTP/2.0" 200 32 "-" "curl/8.5.0"

The not ok - operation unsuccessful response is the standard response the REST API will return for a malformed request on an unprotected route.

When I curl without redirecting the request to 127.0.0.1, I get 403 Forbidden.

For #2:

I would still very much appreciate a response if anybody knows.
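An added example, not from the thread, that turns the two checks described above into a script: the outside-vs-loopback curl comparison, and an audit of the nginx access log for gateway hits from non-loopback clients that were not refused with 403. It assumes curl is installed, nginx's default combined log format, and that the host name (RT_HOST) and the log are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: curl is installed, nginx
# writes its default "combined" log format, and the caller supplies the
# host name (RT_HOST) or pipes the access log in.
GATEWAY_PATH='/REST/1.0/NoAuth/mail-gateway'

# Live check mirroring the two curl calls above: the request from the
# outside must get 403, the one forced onto loopback must get anything
# else (RT answers the bare GET with "not ok"). Returns 0 only if both hold.
verify_gateway_live() {
    host=$1
    outside=$(curl -s -o /dev/null -w '%{http_code}' "https://$host$GATEWAY_PATH")
    loopback=$(curl -s -o /dev/null -w '%{http_code}' \
        --connect-to "$host:443:127.0.0.1:443" "https://$host$GATEWAY_PATH")
    echo "outside=$outside loopback=$loopback"
    [ "$outside" = 403 ] && [ "$loopback" != 403 ]
}

# Log audit: read access-log lines on stdin and print every gateway
# request from a non-loopback client that was NOT refused with 403.
# Combined format puts the client in $1, the path in $7, status in $9.
# Returns 1 if any such line exists, so it can drive a cron alert.
audit_gateway_log() {
    awk -v path="$GATEWAY_PATH" '
        BEGIN { bad = 0 }
        index($7, path) == 1 && $9 != 403 &&
            $1 != "127.0.0.1" && $1 != "::1" { print; bad = 1 }
        END { exit bad }
    '
}

# Run the live check only when a host is given, e.g.
#   RT_HOST=my-rt-host sh check-gateway.sh
# and the audit as: audit_gateway_log < /var/log/nginx/access.log
if [ -n "${RT_HOST:-}" ]; then
    verify_gateway_live "$RT_HOST"
fi
```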

Hey,

For #2, looking in rt-mailgate, which is what talks to the mail-gateway API, it looks like the answer is “no, can’t use a socket”. It is using LWP and has a URL for the endpoint.

Cheers,
Andrew