From: Remi Gacogne Date: Fri, 11 Aug 2017 09:11:10 +0000 (+0200) Subject: Switch the default webserver's ACL to "127.0.0.1, ::1" X-Git-Tag: dnsdist-1.2.0~21^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=be3e14771236c0476713d7d55aa2d60622a799e2;p=pdns Switch the default webserver's ACL to "127.0.0.1, ::1" --- diff --git a/docs/http-api/index.rst b/docs/http-api/index.rst index bb946ca0b..ee279acbf 100644 --- a/docs/http-api/index.rst +++ b/docs/http-api/index.rst @@ -9,9 +9,9 @@ Webserver To launch the internal webserver, add a :ref:`setting-webserver` to the configuration file. This will instruct PowerDNS to start a webserver on localhost at port 8081, without password protection. -Only local users (on the same host) will be able to access the webserver by default, but we still strongly advise the use of a password protection. -The webserver lists a lot of information about the PowerDNS process, including frequent queries, frequently failing queries, lists of remote hosts sending queries, hosts sending corrupt queries etc. -The webserver does not allow remote management. +By default the webserver listens on localhost, meaning only local users (on the same host) will be able to access the webserver. Since the default ACL before 4.1.0 allows access from everywhere if :ref:`webserver-address` is set to a different value, we strongly advise the use of a password protection. +The webserver lists a lot of potentially sensitive information about the PowerDNS process, including frequent queries, frequently failing queries, lists of remote hosts sending queries, hosts sending corrupt queries etc. +The webserver does not allow remote management of the daemon, but allows control over the size of the queries and response rings that may be used to monitor activities. The following webserver related configuration items are available: * :ref:`setting-webserver`: If set to anything but 'no', a webserver is launched. diff --git a/docs/settings.rst b/docs/settings.rst index c33ee23c4..ea3922be2 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -1432,7 +1432,11 @@ IP Address for webserver/API to listen on. ------------------------ - IP ranges, separated by commas or whitespace -- Default: 0.0.0.0/0,::/0 +- Default: 127.0.0.1,::1 + +.. versionchanged:: 4.1.0 + + Default is now 127.0.0.1,::1, was 0.0.0.0,::/0 before. Webserver/API access is only allowed from these subnets. diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index 64f04de14..2bf1d18f4 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc @@ -133,7 +133,7 @@ void declareArguments() ::arg().set("webserver-address","IP Address of webserver/API to listen on")="127.0.0.1"; ::arg().set("webserver-port","Port of webserver/API to listen on")="8081"; ::arg().set("webserver-password","Password required for accessing the webserver")=""; - ::arg().set("webserver-allow-from","Webserver/API access is only allowed from these subnets")="0.0.0.0/0,::/0"; + ::arg().set("webserver-allow-from","Webserver/API access is only allowed from these subnets")="127.0.0.1,::1"; ::arg().setSwitch("out-of-zone-additional-processing","Do out of zone additional processing")="yes"; ::arg().setSwitch("do-ipv6-additional-processing", "Do AAAA additional processing")="yes"; diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 997739a09..5dcb4cc9d 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -3218,7 +3218,7 @@ int main(int argc, char **argv) ::arg().set("webserver-address", "IP Address of webserver to listen on") = "127.0.0.1"; ::arg().set("webserver-port", "Port of webserver to listen on") = "8082"; ::arg().set("webserver-password", "Password required for accessing the webserver") = ""; - ::arg().set("webserver-allow-from","Webserver access is only allowed from these subnets")="0.0.0.0/0,::/0"; + ::arg().set("webserver-allow-from","Webserver access is only allowed from these subnets")="127.0.0.1,::1"; ::arg().set("carbon-ourname", "If set, overrides our reported hostname for carbon stats")=""; ::arg().set("carbon-server", "If set, send metrics in carbon (graphite) format to this server IP address")=""; ::arg().set("carbon-interval", "Number of seconds between carbon (graphite) updates")="30"; diff --git a/pdns/recursordist/docs/http-api/index.rst b/pdns/recursordist/docs/http-api/index.rst index ca9b4ecaa..3ce8d09fb 100644 --- a/pdns/recursordist/docs/http-api/index.rst +++ b/pdns/recursordist/docs/http-api/index.rst @@ -21,8 +21,8 @@ Webserver To launch the internal webserver, add a :ref:`setting-webserver` to the configuration file. This will instruct PowerDNS to start a webserver on localhost at port 8081, without password protection. -Only local users (on the same host) will be able to access the webserver by default, but we still strongly advise the use of a password protection. -The webserver lists a lot of information about the PowerDNS process, including frequent queries, frequently failing queries, lists of remote hosts sending queries, hosts sending corrupt queries etc. +By default the webserver listens on localhost, meaning only local users (on the same host) will be able to access the webserver. Since the default ACL before 4.1.0 allows access from everywhere if :ref:`webserver-address` is set to a different value, we strongly advise the use of a password protection. +The webserver lists a lot of potentially sensitive information about the PowerDNS process, including frequent queries, frequently failing queries, lists of remote hosts sending queries, hosts sending corrupt queries etc. The webserver does not allow remote management. The following webserver related configuration items are available: diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index b3d9dc13f..08263e544 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst @@ -1069,7 +1069,11 @@ IP address for the webserver to listen on. ``webserver-allow-from`` ------------------------ - IP addresses, comma separated -- Default: 0.0.0.0, ::/0 +- Default: 127.0.0.1,::1 + +.. versionchanged:: 4.1.0 + + Default is now 127.0.0.1,::1, was 0.0.0.0,::/0 before. These subnets are allowed to access the webserver.