Closed gaia closed 5 years ago
Yes, --enable-host-header-whitelist must be provided to make the connector enforce the Host header (this is not exactly intuitive, maybe it's worth enabling it automatically if --host-header-whitelist is passed). And if you need to specify a non-default IP, as in your case, you need both parameters.
I tested option B in a similar setup, with two computers in the same LAN (no firewalls), and it worked. What does curl give you when you point it to http://10.10.10.xxx:12345/connector/status?
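A small model of the flag behaviour described in the reply above, added here as an example; it is not part of the thread and not yubihsm-connector's own code. It shows why a list passed without the enable switch lets any Host value through. Assumptions: the names hostAllowlist and probe, the 403 response, stripping the port before comparison, and 10.10.10.5 standing in for the elided LAN IP.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostAllowlist models the two options from the thread (assumed semantics,
// not connector source): the list is only consulted when enforce is true.
func hostAllowlist(enforce bool, allowed string, next http.Handler) http.Handler {
	set := map[string]bool{}
	for _, h := range strings.Split(allowed, ",") {
		set[strings.ToLower(strings.TrimSpace(h))] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h // compare without the port (assumption)
		}
		if enforce && !set[strings.ToLower(host)] {
			http.Error(w, "host not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request with the given Host header and returns the status code.
func probe(h http.Handler, host string) int {
	req := httptest.NewRequest(http.MethodGet, "/connector/status", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const list = "localhost,localhost.,127.0.0.1,10.10.10.5" // constructed LAN IP
	status := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "status=OK") })
	for _, enforce := range []bool{false, true} {
		h := hostAllowlist(enforce, list, status)
		for _, host := range []string{"10.10.10.5:12345", "rebind.example:12345"} {
			fmt.Printf("enforce=%v Host=%s -> %d\n", enforce, host, probe(h, host))
		}
	}
}
```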
@syntaxcase thank you for the clarification, it works now. And yes, using both seems counter-intuitive.
The client that will use the yubihsm sits in the same LAN as the VM that is connected to the yubihsm. In addition to firewalling at the KMS VM, I'd like to enable host-header-whitelist.
I tried
a)
yubihsm-connector -d --host-header-whitelist localhost,localhost.,127.0.0.1,10.10.10.xxx -l 0.0.0.0:12345
and b)
yubihsm-connector -d --enable-host-header-whitelist --host-header-whitelist localhost,localhost.,127.0.0.1,10.10.10.xxx -l 0.0.0.0:12345
(where xxx is the LAN IP where the yubihsm is)
B didn't work. Is --enable-host-header-whitelist necessary when --host-header-whitelist is set? Does the former simply enable the default host headers list and should not be used in conjunction with the latter?