oss-sec mailing list archives
And Harbor? (was: Portus, missing certificate validation on proxified https traffic)
From: Raphael Geissert <atomo64 () gmail com>
Date: Wed, 7 Mar 2018 14:53:07 +0100
On 7 March 2018 at 14:34, Raphael Geissert <atomo64 () gmail com> wrote: [...]
Oh and it appears that this one comes from the Portus-On-OracleLinux7[4] repo from which "[they] borrowed a lot of the NGinx configuration"[2] : https://github.com/Djelibeybi/Portus-On-OracleLinux7/blob/f2e7a167f6325a0247eb1ca49a962478daf49a8b/nginx/proxy.conf#L57
From a quick look at harbor, it would appear to also be missing the certificate validation on the proxified connections: https://github.com/vmware/harbor/tree/master/make/common/templates/nginx (as of 19a13e8)
CC'ing vmware security, fwiw.
[1] https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/nginx/nginx.conf
[2] https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/README.md
[3] https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/docker-compose.yml#L21
[4] https://github.com/Djelibeybi/Portus-On-OracleLinux7
Cheers,
--
Raphael Geissert
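An added example, not part of the original post and not code from Portus or Harbor: a small Python check that lists the nginx blocks whose `proxy_pass` points at an `https://` upstream while `proxy_ssl_verify on` is not in effect (nginx leaves upstream certificate verification off unless it is enabled). The sample configuration, host names and the function name are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from Portus or Harbor).
SAMPLE = """
http {
  server {
    location /v2/     { proxy_pass https://registry:5000; }
    location /static/ { proxy_pass http://assets:8080; }
  }
  server {
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
    location /api/    { proxy_pass https://backend:8443; }
    location /legacy/ { proxy_ssl_verify off; proxy_pass https://old:8443; }
  }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def unverified_https_proxies(conf):
    """Return [(block header, upstream URL)] for https proxy_pass without verification."""
    text = re.sub(r'#[^\n]*', '', conf)      # drop comments (simplification: no '#' in values)
    scopes, headers, words, findings = [{}], ['main'], [], []

    def effective(name):
        # proxy_ssl_* directives are inherited from enclosing http/server blocks.
        for scope in reversed(scopes):
            if name in scope:
                return scope[name]
        return None

    for tok in TOKEN.findall(text):
        if tok == ';':
            if words:
                scopes[-1][words[0]] = words[1:]
            words = []
        elif tok == '{':
            scopes.append({})
            headers.append(' '.join(words))
            words = []
        elif tok == '}' and len(scopes) > 1:
            # Evaluate when the block closes so directive order inside it does not matter.
            target = (scopes[-1].get('proxy_pass') or [''])[0]
            if target.startswith('https://') and effective('proxy_ssl_verify') != ['on']:
                findings.append((headers[-1], target))
            scopes.pop()
            headers.pop()
        elif tok != '}':
            words.append(tok)
    return findings
```

Included files and variable-based `proxy_pass` targets are not resolved, so run it over the fully rendered configuration.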