From 3e49bd84dcaa78c4370ffcf1fb1965fb67da4e68 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 7 Nov 2024 19:56:29 -0300
Subject: [PATCH] Deactivated public api of listmonk by default, which was a security hole

---
 group_vars/all | 1 +
 roles/docker-listmonk/files/deactivate-public-api.conf | 3 +++
 roles/docker-listmonk/tasks/main.yml | 9 +++++++++
 3 files changed, 13 insertions(+)
 create mode 100644 roles/docker-listmonk/files/deactivate-public-api.conf

diff --git a/group_vars/all b/group_vars/all
index 1aa2255f..bd583374 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -190,6 +190,7 @@ bigbluebutton_enable_greenlight: "true"
 
 #### Listmonk
 listmonk_admin_username: "admin"
+listmonk_public_api_activated: False # Security hole. Can be used for spaming
 
 #### Mastodon
 mastodon_version: "latest"
diff --git a/roles/docker-listmonk/files/deactivate-public-api.conf b/roles/docker-listmonk/files/deactivate-public-api.conf
new file mode 100644
index 00000000..8d1e8e36
--- /dev/null
+++ b/roles/docker-listmonk/files/deactivate-public-api.conf
@@ -0,0 +1,3 @@
+location /api/public/subscription {
+    return 403;
+}
\ No newline at end of file
diff --git a/roles/docker-listmonk/tasks/main.yml b/roles/docker-listmonk/tasks/main.yml
index 32b798f2..3aeb1903 100644
--- a/roles/docker-listmonk/tasks/main.yml
+++ b/roles/docker-listmonk/tasks/main.yml
@@ -2,6 +2,15 @@
 - name: "include docker/compose/database.yml"
   include_tasks: docker/compose/database.yml
 
+- name: Set nginx_docker_reverse_proxy_extra_configuration based on listmonk_public_api_activated
+  set_fact:
+    nginx_docker_reverse_proxy_extra_configuration: >-
+      {% if not listmonk_public_api_activated %}
+      {{ lookup('file', '{{ role_path }}/files/deactivate-public-api.conf') }}
+      {% else %}
+      ""
+      {% endif %}
+
 - name: "include tasks nginx-docker-proxy-domain.yml"
   include_tasks: nginx-docker-proxy-domain.yml
 
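Review bot: `listmonk_public_api_activated: False` depends on YAML 1.1 truthy parsing of the capitalised form; Ansible and yamllint convention is the lowercase boolean, so write `listmonk_public_api_activated: false`. The inline comment has a typo ("spaming") and does not tell an operator what the flag actually controls or what they give up by enabling it. A comment along the lines of `# Blocks listmonk's unauthenticated /api/public/subscription endpoint at the reverse proxy (roles/docker-listmonk). Keep false unless a public subscription API is needed, as it can be abused for spamming.` documents both the risk and the mechanism next to the switch.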
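Review bot: The new location block carries no comment on why it exists or how it is toggled, and it is a prefix match, so it also rejects everything under `/api/public/subscription/` — both are worth stating for whoever edits the proxy config later. A header such as `# Rejects listmonk's unauthenticated public subscription API at the proxy; enabled unless listmonk_public_api_activated is true. Prefix match, so sub-paths are covered too.` would do. Be aware that a regex `location ~` elsewhere in the enclosing server block (not visible here) would take precedence over this prefix location, and that a proxy-side 403 only protects the endpoint if listmonk is not reachable by another route such as a directly published container port. The file also ends without a trailing newline; harmless for `lookup('file')`, which strips it, but add one for tidiness.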
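Review bot: The `{% else %}` branch does not yield an empty string: inside the `>-` block scalar the `""` is two literal quote characters, so with `listmonk_public_api_activated: true` the fact becomes ` "" ` and, assuming the included nginx task injects it verbatim into the server block, nginx rejects the config with an unknown-directive error — enabling the public API would take the proxy down. Collapse the value into a single expression, `nginx_docker_reverse_proxy_extra_configuration: "{{ lookup('file', 'deactivate-public-api.conf') if not listmonk_public_api_activated else '' }}"`; the file lookup already resolves names against the role's `files/` directory, which also removes the nested `{{ role_path }}` inside the lookup argument. Separately, `set_fact` is host-scoped and outlives this role, so any later role that includes nginx-docker-proxy-domain.yml without setting this variable would inherit listmonk's 403 block in its own server config. Passing the value via `vars:` on the `include_tasks` below, or resetting the fact afterwards, keeps the effect local to listmonk.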