[SOLVED] Nessus Security Scan Fail - Internal IP in HTTP Header

[bertie_uk]

As part of our company security policy we regularly run Nessus security scanner against our servers.

Our Zimbra OSS has failed on "HTTP Header Internal IP Disclosure" which basically means the internal 192.168.x.x IP of the server is being sent in the HTTP header. Tenable Network Security

On Tomcat we add a proxyName value to rewrite the header with the domain name.

But I don't know if this is possible with Jetty, or how it is done in the Zimbra Jetty.

Anyone any ideas?

Thanks

[phoenix]

Why don't you just disable the x-originating-ip in the Admin UI or is there some other IP showing?

[bertie_uk]

It's not in the email header, but the HTTP header returned from Jetty.

I have the option you describe disabled already.

Thanks

bertie

[bertie_uk]

Found a solution. Similar to the Tomcat method.

In /opt/zimbra/jetty/etc/jetty.xml.in add the following lines to the <!-- user services connector, no SSL --> section:

<Set name="forwarded">true</Set>
<Set name="hostHeader">mail.domain.com</Set>


and to the <!-- user services connector, SSL --> section:

<Set name="forwarded">true</Set>
<Set name="hostHeader">mail.domain.com:443</Set>

Then restart Zimbra.

Don't use the jetty.xml as this is overwritten by the .in version when Zimbra restarts.

Bertie

[bertie_uk]

P.s. Seems a Zimbra upgrade removes this.

[arifsaha]

Quote:

Originally Posted by bertie_uk

P.s. Seems a Zimbra upgrade removes this.

That's normal Zimbra behaviour, BTW.

[arifsaha]

Quote:

Originally Posted by bertie_uk

In /opt/zimbra/jetty/etc/jetty.xml.in add the following lines to the <!-- user services connector, no SSL --> section:
<Set name="forwarded">true</Set>
<Set name="hostHeader">mail.domain.com</Set>
and to the <!-- user services connector, SSL --> section:
<Set name="forwarded">true</Set>
<Set name="hostHeader">mail.domain.com:443</Set>
Then restart Zimbra.

Sorry to raise old thread, but I am wondering whether this change will allow the IP address of the client show in mailbox.log and audit.log of Zimbra behind http proxies?

For example, an failed login from IP address 99,98.97.96 which connect to proxy 111.112.113.114 will show up as a log entry like this:

Code:

2011-04-13 20:37:39,694 INFO  [btpool0-36341] [name=anaccount@mydomain.tld;oip=111.112.113.114;ua=zclient/5.0.11_GA_2695.RHEL5_64;] SoapEngine - handler exception: authentication failed for anaccount, invalid password

As the actual address 99,98.97.96 does not show at all. With the change bertie_uk suggested will cause the log entry those the actual client IP address in that log entry?

Thanks!

[j2b]

Please see the other your request: logging client IPs when running behind non-Zimbra nginx HTTP proxy