If you are wondering why you would want to disable HTTPEnableConnectorHeaders, go read Jasper Kiaer's excellent post on why this may be the worst security hole in Domino ever. Yes, ever.

So now you've set HTTPEnableConnectorHeaders=0 in the server notes.ini (make sure the setting has taken effect with a "show config http*" in the server console). You restart HTTP on Domino and you get this when you try to access the server:

Request contains an HTTP header that does not contain a colon

Then you also need to disable the headers in Apache or Nginx. For Apache, comment out or delete lines that look like this (in fact, anything that contains the evil $WSxx headers):

RequestHeader set $WSRA "%{CLIENTIP}e"
RequestHeader set $WSRH "%{CLIENTIP}e"

For Nginx, remove or comment out the following (again, also any other $WSxx you may have):

proxy_set_header        $WSRA              $remote_addr;
proxy_set_header        $WSRH              $remote_addr;
proxy_set_header        $WSSN              $host;
proxy_set_header        $WSIS              True;

Once you do that, restart your reverse proxy of choice.
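
To confirm nothing was missed, the Python below scans proxy configuration text for active (uncommented) Apache or Nginx directives that still set a $WSxx header, and lists any HTTPEnableConnectorHeaders values found in notes.ini. It is an added example, not code from the original post; the function names are hypothetical and the sample config text is constructed.

```python
import re

# Active (uncommented) Apache or Nginx directive that sets a $WSxx header.
WS_DIRECTIVE = re.compile(
    r'^\s*(?:RequestHeader\s+(?:set|setifempty|add|append|merge)|proxy_set_header)'
    r'\s+["\']?(\$WS\w+)',
    re.IGNORECASE,
)
INI_SETTING = re.compile(r'^\s*HTTPEnableConnectorHeaders\s*=\s*(\S*)', re.IGNORECASE)


def find_ws_directives(config_text):
    """Return (line_number, header_name, line) for each active $WSxx directive."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = WS_DIRECTIVE.match(line)  # lines starting with '#' never match
        if match:
            hits.append((number, match.group(1).upper(), line.strip()))
    return hits


def connector_header_values(notes_ini_text):
    """Return every value assigned to HTTPEnableConnectorHeaders in notes.ini text."""
    matches = (INI_SETTING.match(line) for line in notes_ini_text.splitlines())
    return [m.group(1) for m in matches if m]


# Constructed sample inputs (not taken from a real server).
SAMPLE_NGINX = """\
location / {
    proxy_pass              http://127.0.0.1:8088;
    proxy_set_header        Host               $host;
    #proxy_set_header       $WSRA              $remote_addr;
    proxy_set_header        $WSRH              $remote_addr;
    proxy_set_header        $WSIS              True;
}
"""
SAMPLE_APACHE = """\
ProxyPass / http://127.0.0.1:8088/
# RequestHeader set $WSRA "%{CLIENTIP}e"
RequestHeader set $WSRH "%{CLIENTIP}e"
"""
SAMPLE_NOTES_INI = "ServerTasks=Replica,Router,HTTP\nHTTPEnableConnectorHeaders=0\n"

if __name__ == "__main__":
    for name, text in (("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE)):
        for number, header, line in find_ws_directives(text):
            print(f"{name}:{number}: still sets {header}: {line}")
    print("notes.ini values:", connector_header_values(SAMPLE_NOTES_INI))
```

An empty result from `find_ws_directives` for every proxy config file, together with a notes.ini value of 0, matches the end state described above.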

Darren Duke   |   November 2 2015 03:53:28 AM   |    domino  security    |  


Comments (4)

1 - Jesse Gallagher    http://frostillic.us    11/02/2015 10:37:16 AM

Eh, you say "worst security hole in Domino ever", I say "Domino server-side security has always been a shared delusion". Po-tay-to, po-tah-to.

2 - Darren Duke       11/02/2015 11:46:02 AM

@1, Jesse, I don't disagree about the shared illusion, but it's one thing to have code running as a user, it's a completely different (and much more scary) thing to have all authentication bypassed by adding a simple HTTP header. You generally have a level of trust in the developer or signer of code. You generally have complete and utter distrust of any drive-by hacker trying to gain access to the server.

3 - Jesse Gallagher    http://frostillic.us    11/02/2015 1:00:53 PM

It's definitely an additional potential attack vector - there's no getting around that. My stance is that it's not, when clamped down to a local adapter or LAN, more worrisome than the bevy of other ways to gain heightened access when the attacker has access to run code on the server.

That said, I totally get why an admin would decide that getting accurate remote hosts and connection information in the requests/logs isn't worth the lost sleep.

4 - Paul Johnson       11/09/2015 5:26:14 PM

HTTPEnableConnectorHeaders=1 should only be set on systems that are using the WebSphere plugin to enable another web server to act as a front-end to the Domino web server. This is the only time this setting should be enabled. This setting is not needed with reverse proxy implementations. When this setting is enabled, only the front-end web server should be given access to the Domino web server. This restricted access can be configured using the example for "Allow access only from two trusted proxy servers" in the Domino Administrator Help document "Restricting access by IP address on the Web server" { http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_restrictingaccessbyipaddressonthewebserver_t.dita?lang=en }