I am upgrading RT to 5.0.5. We use RT on FreeBSD with Nginx as a web server and spawn_fcgi. Communication between spawn_fcgi and Nginx occurs via unix socket (not IP).
I see that in the release announcement Best Practical recommends protecting the REST 1.0 mail-gateway on the web server. Recommended configuration is provided for Apache but not Nginx.
I am attempting to duplicate the configuration for Nginx to apply to our system.
- Does the following look like the appropriate configuration, and what is the best way to test that it is working properly?
location /REST/1.0/NoAuth/mail-gateway {
    allow 127.0.0.1;
    allow ::1;
    deny all;
    # ... plus the fastcgi_pass and other directives from the primary "location /" block
}
- Does /bin/mail-gateway support communication over unix socket? It seems to me like that would be even more secure and more performant.
Answering #1:
The configuration above is good, as long as you remember to add all the other fastcgi parameters and other configuration you have on your primary "location /" block (in case that wasn't clear, I should have put a "..." up there).
$ curl https://my-rt-host/REST/1.0/NoAuth/mail-gateway
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
$ curl --connect-to my-rt-host:443:127.0.0.1:443 https://my-rt-host/REST/1.0/NoAuth/mail-gateway
not ok - operation unsuccessful
$ tail -n 2 /var/log/nginx/access.log
10.10.99.199 - - [12/Jan/2024:12:46:34 -0500] "GET /REST/1.0/NoAuth/mail-gateway HTTP/2.0" 403 153 "-" "curl/8.5.0"
127.0.0.1 - - [12/Jan/2024:12:46:41 -0500] "GET /REST/1.0/NoAuth/mail-gateway HTTP/2.0" 200 32 "-" "curl/8.5.0"
The "not ok - operation unsuccessful" response is the standard response the REST API returns for a malformed request on an unprotected route. When I curl without redirecting the request to 127.0.0.1, I get "403 Forbidden".
For #2: I would still very much appreciate a response if anybody knows.
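The curl checks above verify the deny rule at one moment; a log-side audit catches any later regression (a reordered location block, a lost "deny all", a proxy placed in front of Nginx). The script below is an added example, not part of this thread or of RT: it reads Nginx access-log lines in the default combined format (the format of the two lines shown above), and reports every request to the mail-gateway route that came from a non-loopback address and was not answered with 403. The log lines other than the two from the thread are constructed sample data; the path prefix is the one from the location block.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple

# Nginx "combined" log format, as in the access.log lines shown in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Same prefix as the Nginx location block; Nginx matches it as a prefix too.
PROTECTED_PREFIX = "/REST/1.0/NoAuth/mail-gateway"


class Finding(NamedTuple):
    ip: str
    timestamp: str
    method: str
    target: str
    status: int


def is_allowed_source(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1, the sources the allow rules permit."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        # Not an IP literal (e.g. a garbled field): treat as not allowed.
        return False


def audit(lines: Iterable[str], prefix: str = PROTECTED_PREFIX) -> List[Finding]:
    """Return requests to the protected prefix from non-loopback sources
    that were not denied (any status other than 403)."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["target"].split("?", 1)[0]  # drop the query string
        if not path.startswith(prefix):
            continue
        if is_allowed_source(m["ip"]):
            continue  # loopback is supposed to get through
        status = int(m["status"])
        if status == 403:
            continue  # the deny rule did its job
        findings.append(Finding(m["ip"], m["ts"], m["method"], m["target"], status))
    return findings


# Constructed sample log: the first two lines are the ones from the thread,
# the rest are made up for this example.
SAMPLE_LOG = [
    '10.10.99.199 - - [12/Jan/2024:12:46:34 -0500] "GET /REST/1.0/NoAuth/mail-gateway HTTP/2.0" 403 153 "-" "curl/8.5.0"',
    '127.0.0.1 - - [12/Jan/2024:12:46:41 -0500] "GET /REST/1.0/NoAuth/mail-gateway HTTP/2.0" 200 32 "-" "curl/8.5.0"',
    # Constructed: a remote client reached the gateway route and was not denied.
    '192.0.2.10 - - [12/Jan/2024:12:50:02 -0500] "POST /REST/1.0/NoAuth/mail-gateway?action=correspond HTTP/1.1" 200 32 "-" "curl/8.5.0"',
    # Constructed: a different REST route, outside the protected prefix.
    '192.0.2.10 - - [12/Jan/2024:12:51:10 -0500] "GET /REST/1.0/ticket/1 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    # Constructed: IPv6 loopback, permitted by "allow ::1".
    '::1 - - [12/Jan/2024:12:52:00 -0500] "GET /REST/1.0/NoAuth/mail-gateway HTTP/1.1" 200 32 "-" "curl/8.5.0"',
]


if __name__ == "__main__":
    # Usage on a real host: audit(open("/var/log/nginx/access.log"))
    for f in audit(SAMPLE_LOG):
        print(f"NOT DENIED: {f.ip} {f.method} {f.target} -> {f.status} at {f.timestamp}")
```

Two caveats when reading the result. The address in the log is $remote_addr, the TCP peer, which is also what "allow" and "deny" evaluate; if a load balancer or reverse proxy sits in front of Nginx, every request arrives from that proxy's address, and both the rules and this audit need ngx_http_realip_module (set_real_ip_from / real_ip_header) configured before they mean anything. And a clean audit only shows that no undenied remote request was logged, so keep the curl test from 127.0.0.1 as well to confirm the route still works for rt-mailgate.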
Hey,
For #2, looking in rt-mailgate, which is what talks to the mail-gateway API, it looks like the answer is "no, can't use a socket". It is using LWP and has a URL for the endpoint.
Cheers,
Andrew