Apache2 reverse proxy setup exposing directory listings and serving unintended files

Hi,

FusionAuth was installed via Debian packages for reference. Running version 1.38.1.

We have FusionAuth set up behind Apache2 acting as a reverse proxy. I used the sample configuration available here as a starting point. I disabled all directory listings in the main Apache configuration.

This configuration works with little issues.

Our FusionAuth instance is running out of /usr/local/fusionauth/fusionauth-app/ which contains 4 other sub directories, bin/, lib/, template/, web/, 3rd-party-licenses/.

When testing behavior for this setup, it came to my attention that you could access, for example, the start script that is in the bin directory when navigating to https://ourfusionauthserver.com/bin from the browser.

The same can be said for the other directories at that level.

I added explicit ProxyPass exclusions for each of these paths at the virtual host level and it does have the intended effect of limiting access to these files from browser.

However, I haven't yet found this particular issue raised in other documentation, and it's making me think I have something configured incorrectly either in FusionAuth or Apache2.

If anyone has insight on this configuration or have resolved this issue themselves, I would appreciate the help.

@dan The configuration files and logs are inaccessible, assuming you're talking about the ones residing up a directory from /fusionauth-app/.

Thank you for stating the risks of the leakage. The only thing that raised flags here was the default fusionauth.properties file in the template directory had the default database user and password, but those should be, and were, changed when installing.

I will fork and submit a PR later tonight or this week.

Thanks again.

@dan The configuration files and logs are inaccessible, assuming you're talking about the ones residing up a directory from /fusionauth-app/.

Thank you for stating the risks of the leakage. The only thing that raised flags here was the default fusionauth.properties file in the template directory had the default database user and password, but those should be, and were, changed when installing.

I will fork and submit a PR later tonight or this week.

Thanks again.

Hi,

FusionAuth was installed via Debian packages for reference. Running version 1.38.1.

We have FusionAuth set up behind Apache2 acting as a reverse proxy. I used the sample configuration available here as a starting point. I disabled all directory listings in the main Apache configuration.

This configuration works with little issues.

Our FusionAuth instance is running out of /usr/local/fusionauth/fusionauth-app/ which contains 4 other sub directories, bin/, lib/, template/, web/, 3rd-party-licenses/.

When testing behavior for this setup, it came to my attention that you could access, for example, the start script that is in the bin directory when navigating to https://ourfusionauthserver.com/bin from the browser.

The same can be said for the other directories at that level.

I added explicit ProxyPass exclusions for each of these paths at the virtual host level and it does have the intended effect of limiting access to these files from browser.

However, I haven't yet found this particular issue raised in other documentation, and it's making me think I have something configured incorrectly either in FusionAuth or Apache2.

If anyone has insight on this configuration or have resolved this issue themselves, I would appreciate the help.