Yubico / yubihsm-connector

https://developers.yubico.com/yubihsm-connector/
Apache License 2.0

host-header-whitelist usage #10

Closed gaia closed 5 years ago

gaia commented 5 years ago

The client that will use the yubihsm sits in the same LAN as the VM that is connected to the yubihsm. In addition to firewalling at the KMS VM, I'd like to enable host-header-whitelist.

I tried

a) yubihsm-connector -d --host-header-whitelist localhost,localhost.,127.0.0.1,10.10.10.xxx -l 0.0.0.0:12345

b) yubihsm-connector -d --enable-host-header-whitelist --host-header-whitelist localhost,localhost.,127.0.0.1,10.10.10.xxx -l 0.0.0.0:12345

(where xxx is the LAN IP where the yubihsm is)

B didn't work. Is --enable-host-header-whitelist necessary when --host-header-whitelist is set? Does the former simply enable the default host headers list and should not be used in conjunction with the latter?

syntaxcase commented 5 years ago

Yes, --enable-host-header-whitelist must be provided to make the connector enforce the Host header (this is not exactly intuitive, maybe it's worth enabling it automatically if --host-header-whitelist is passed). And if you need to specify a non-default IP, as in your case, you need both parameters.

I tested option B in a similar setup, with two computers in the same LAN (no firewalls), and it worked. What does curl give you when you point it to http://10.10.10.xxx:12345/connector/status?
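The two-switch behaviour described above, as an added example in Go (the connector's language) that is not the connector's own code: the comma-separated list is parsed from the flag value but only consulted when enforcement is switched on. Port stripping, IPv6 bracket removal and case-insensitive matching are this example's assumptions, not documented connector behaviour, and 10.10.10.5 stands in for the LAN address.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// parseAllowlist splits a comma-separated --host-header-whitelist value
// (e.g. "localhost,localhost.,127.0.0.1,10.10.10.5") into entries.
func parseAllowlist(flagValue string) []string {
	var out []string
	for _, e := range strings.Split(flagValue, ",") {
		if e = strings.TrimSpace(e); e != "" {
			out = append(out, e)
		}
	}
	return out
}

// hostAllowed reports whether a Host header value matches an allowlist entry.
// Assumptions of this example (not taken from the connector): a port suffix
// such as ":12345" is stripped first, IPv6 brackets are removed, and the
// comparison is case-insensitive; "localhost." is matched literally.
func hostAllowed(hostHeader string, allowlist []string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	host = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
	for _, entry := range allowlist {
		if strings.EqualFold(host, entry) {
			return true
		}
	}
	return false
}

// hostHeaderFilter mirrors the behaviour the maintainer describes: the list is
// enforced only when the enable switch is on; with it off, every Host passes
// regardless of what --host-header-whitelist was set to.
func hostHeaderFilter(enabled bool, allowlist []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if enabled && !hostAllowed(r.Host, allowlist) {
			http.Error(w, "forbidden Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

A quick way to confirm enforcement on a running connector is to send a request whose Host header is not on the list and check that it is refused, while a request with an allowed Host still reaches /connector/status.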

gaia commented 5 years ago

@syntaxcase thank you for the clarification, it works now. And yes, using both seems counter-intuitive.