https://www.ilinux.fr One of our client can put his SSL cert (not let's encrypt) then he can kill for all the other client (using Let's Encrypt cert SSL) that are hosted on this web server ! So kill all websites ... all using Let's Encrypt. I'm investigating why ... he had put key and cert. in SSL tab then save ... then kill all other SSL cert (LE), all other website retrieve his SSL cert. Edit : security tag , removed
You should not post before you investigated what happened on your system and even more not claim that you found a security issue as it's more likely that you expose a misconfiguration on your side than an issue in ISPConfig. Just a guess, did you mix * and IP address in websites IPv4 field?
hello Till, yes the client put internal web server IP address in "IPv4-Address" field and not * like other website. But this is allowed ! And the problem is , if one client is playing with is cert conf. (or anything else in his environment) he can kill other one ... that not a good thing.
It is allowed because you, the administrator that is responsible for that server, configured your server to allow it. An IP has always precedence over a wildcard. To fix your server configuration, go to System > Server IP and uncheck the namevirtualhost option in the settings of the IP address and click save. You meant to make this sentence in bold, after I reminded you to not post such things before you even investigated the issue, really? Here my reply: it's not a security issue, it's just an admin that did not know how to configure and maintain a web server. It is common knowledge under webmasters how an apache and nginx server works and that an IP has always precedence over a wildcard and when you decide that you allow both options to your customers, then what you describe must happen when someone selects the Ip while others use the wildcard.
it's was the default option, i haven't touched nothing. you mean this option : " HTTP NameVirtualHost" ? if yes, by default it's checked. So i unckeck (namevirtualhost - HTTP NameVirtualHost) , as mentioned below, but ... when i go to Sites\Websites tab (with client interface) , then choose, or addnew, site ... it' always possible to choose * or web server ip address. What 's i am doing wrong ? "IP has always precedence over a wildcard and when you decide that you allow both options to your customers," , so how to disable this possibility for our customer ? thank you for you're answer till.
It was, it is not anymore when installing new systems. Uncheck HTTP NameVirtualHost for every IP. Then open the web, select *, and click save. Do this for every site.
I've just tested it here in ISPConfig 3.2.2 and the IP does not show up in the IPv4 selector of the website, neither for admin nor client, when you have unticked the namevirtualhost checkbox in the IP settings.
i'm on "This Version: 3.1.15p3" ... we are speaking of : System \ Server IP Addresses \ then "HTTP NameVirtualHost" uncheck is it right ?
It should work fine for that aswell, but you should update as several security issues have been fixed in the last releases.
Beside of that what @Th0m mentioned, if you do not use automatic network configuration (which is disabled by default), then you can even delete the IP address under System > Server IP.
ouhhh, delete delete ... no no ! ;-) it's work in fact, end-user can see the local ip BUT cannot save ! So it's working. but that 's was very strange to seer all this server site's having our client cert !!!. This solved for me. Thank to all you.
