Add option to disable fileserver in XAPI conf #5608
We get this feature request from a lot of users that want to completely disable the webserver for security reasons.
ocaml/xapi/fileserver.ml
| else ( | ||
| Buf_io.assert_buffer_empty bio ; | ||
| let is_external_http = is_external_http req s in | ||
| if is_external_http && !Xapi_globs.website_https_only then |
Could this expression not be extended to get the desired outcome? I don't like the deeper and deeper nesting if it could be avoided.
As a configuration option, this is fine with me.
I've tried using options, along with bind, to indicate whether a single reply has been sent back to the client, but it ends up more verbose, and not quite as clean as I would like:
```ocaml
let reply_maybe condition reply =
  if condition () then
    Some (reply ())
  else
    None
...
let ( let* ) = Option.bind in
let reply () =
  let* () =
    reply_maybe
      (fun () -> !Xapi_globs.disable_webserver)
      (fun () -> Http_svr.response_forbidden ~req s)
  in
  let* () =
    reply_maybe
      (fun () -> is_external_http && !Xapi_globs.website_https_only)
      (fun () -> Http_svr.response_forbidden ~req s)
  in
  ...
in
match reply () with
| Some () ->
    ()
| None ->
    Http_svr.response_missing s (missing uri)
```
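A flat alternative to both the nested `if` and the `Option.bind` chain discussed above, as an added example that is not part of the PR or of xapi: guards are tried in order and the first match sends the only reply. The `response` type, `first_reply`, `handle`, `lookup` and the two local flags are stand-ins assumed for illustration, not xapi's `Http_svr` or `Xapi_globs` API.

```ocaml
(* Added example, not xapi code. [response] models the reply the handler
   would send; the two refs stand in for Xapi_globs.disable_webserver and
   Xapi_globs.website_https_only. *)
type response = Forbidden | Missing of string | Serve of string

let disable_webserver = ref false

let website_https_only = ref true

(* Try each (condition, reply) pair in order. The first condition that holds
   produces the single reply; later conditions are never evaluated. If no
   guard matches, [default] produces the reply. *)
let first_reply guards ~default =
  match List.find_opt (fun (cond, _) -> cond ()) guards with
  | Some (_, reply) ->
      reply ()
  | None ->
      default ()

(* [lookup] is a hypothetical resolver from a request URI to a file path. *)
let handle ~is_external_http ~lookup uri =
  first_reply
    [
      ((fun () -> !disable_webserver), fun () -> Forbidden)
    ; ((fun () -> is_external_http && !website_https_only), fun () -> Forbidden)
    ]
    ~default:(fun () ->
      match lookup uri with Some path -> Serve path | None -> Missing uri)

let () =
  (* Constructed sample data: a single known file. *)
  let lookup = function
    | "/index.html" -> Some "/srv/www/index.html"
    | _ -> None
  in
  let local = handle ~is_external_http:false ~lookup in
  assert (local "/index.html" = Serve "/srv/www/index.html") ;
  assert (local "/nope" = Missing "/nope") ;
  (* Plain HTTP from outside is refused while website_https_only is set. *)
  assert (handle ~is_external_http:true ~lookup "/index.html" = Forbidden) ;
  (* With the webserver disabled every request is refused, including
     requests for files that do not exist. *)
  disable_webserver := true ;
  assert (local "/index.html" = Forbidden) ;
  assert (local "/nope" = Forbidden)
```

Because the disable guard comes first, a disabled server answers 403 for existing and missing paths alike, so the response does not reveal which files are present.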
What is it exactly that users complain about? We already allow a setting to disable port 80, to appease the port scanners

In XCP-ng 8.3, we provide a full client (XO Lite) directly available in HTTPS. Some users are afraid of it, despite it being just a client that ultimately runs in their browser. So we want to offer them the choice to disable it completely. In addition to this, scanners may detect CVEs in JS dependencies of XO Lite from time to time, which we will fix, but users may need to disable the web server temporarily to comply with security rules about detected CVEs in software until we publish the fix and they can schedule applying it.

My preference would be to filter the common http handler's list by name to not load the
e1befc6 to
8f059a8
Done! :)

Re-tested and validated.
New XAPI conf option: `disable-webserver` (default: false)
If true, all requests for the fileserver will get a 403 response.

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
73a4c06 to
26712bb
Hiding the whitespace in the diff it's very easy to see that the change is correct
See: xapi-project/xen-api#5608

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>