mikesplain / openvas-docker

A Docker container for Openvas
MIT License

No way to set --allow-header-host #168

Closed rassie closed 6 years ago

rassie commented 6 years ago

There is a new option in town: https://github.com/greenbone/gsa/pull/318. Apparently, it needs to be set to the actual hostname the container is getting accessed with. There is currently no way to do that: even when trying to hack environment variables (e.g. setting LISTEN_ADDRESS to 0.0.0.0 --allowed-header-host=my.example.com), those settings are overridden by the service command.

(That also means that overriding those variables in /etc/default/openvas-gsa is not possible.)

boomshadow commented 6 years ago

As a work-around, I added --allowed-header-host=MY.IP.ADDRESS to the daemon args and started OpenVAS again. This lets one get up and running to at least start scanning.

docker exec -it openvas bash
apt update && apt install -y vim
vim /etc/init.d/openvas-gsa

Add your custom host or public-facing IP by changing this line:

DAEMON_ARGS="--mlisten 127.0.0.1 -m 9390 --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

To something like this:

DAEMON_ARGS="--mlisten 127.0.0.1 -m 9390 --allow-header-host=MY.PUBLIC.IP --gnutls-priorities=SECURE128:-AES-128-CBC:-CAMELLIA-128-CBC:-VERS-SSL3.0:-VERS-TLS1.0"

Then run that start command again:

./start &

rassie commented 6 years ago

An easier workaround is defining a variable like I did above and restarting gsad with /etc/init.d/openvas-gsa restart. But it's manual work :(

ntnyc commented 6 years ago

I installed today and modified /etc/default/openvas-gsa:

ALLOW_HEADER_HOST=my public IP

I rebooted and it works now.
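
A non-interactive version of the DAEMON_ARGS edit described in boomshadow's comment, as an added example that is not part of the thread or of the openvas-docker project. The function name `add_allow_header_host` and the restriction to DNS names and IPv4 literals are assumptions; it expects one `DAEMON_ARGS="..."` line, as in the init script quoted above.

```shell
# Added example (not from the thread). Usage: add_allow_header_host FILE HOST
# Puts --allow-header-host=HOST into the DAEMON_ARGS="..." line of FILE,
# updating the value if the flag is already there. Safe to run repeatedly.
add_allow_header_host() {
    file=$1
    host=$2

    # Assumption: HOST is a DNS name or IPv4 literal. Anything else (spaces,
    # quotes, a leading dash) is refused so the value cannot break out of the
    # quoted DAEMON_ARGS string or smuggle in another gsad option.
    case $host in
        ''|-*|*[!A-Za-z0-9.-]*)
            echo "refusing host value: $host" >&2
            return 2 ;;
    esac

    if grep -q '^DAEMON_ARGS=".*--allow-header-host=' "$file"; then
        # Flag present: replace only its value.
        script='s/^\(DAEMON_ARGS=".*--allow-header-host=\)[^ "]*/\1'"$host"'/'
    elif grep -q '^DAEMON_ARGS="' "$file"; then
        # Flag absent: append it before the closing quote.
        script='s/^\(DAEMON_ARGS=".*\)"[[:space:]]*$/\1 --allow-header-host='"$host"'"/'
    else
        echo "no DAEMON_ARGS line in $file" >&2
        return 1
    fi

    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if sed "$script" "$file" > "$tmp"; then
        # Copy the contents back instead of using mv so the init script
        # keeps its owner and executable bit.
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Inside the container this would be pointed at /etc/init.d/openvas-gsa and followed by the `/etc/init.d/openvas-gsa restart` mentioned in the thread.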