• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved SECURITY - attack surface : ports 7080 and 7081

@Peter Debik There is no way that this should be enabled by default on new installs. This breaks all Apache modsecurity attack triggers and any Apache log statistics programs as the client address only reports 127.0.0.1 as the client address after enabling it.
Must be a misconfiguration of mod_remoteip.
At the end of /etc/apache2/plesk.conf.d/server.conf, there needs to be 127.0.0.1 added to the line RemoteIPInternalProxy.
@Peter Debik is that enough to forward to dev or should I open a bug?
 
@Peter Debik Unfortunately in my testing it looks like there is another big issue with this change. After enabling "plesk bin apache --listen-on-localhost true" the PHP $_SERVER["SERVER_ADDR"] reports as "127.0.0.1" instead of the real server IP address. This means that any PHP applications that previously used the $_SERVER["SERVER_ADDR"] will be broken (like WHMCS license checks for example).
 
@danami I cannot derive an internal bug report from the post as it requires a more detailed description with steps to reproduce and an example. If you want it processed fast, please use a support ticket for it, else please report it here: Issue Report | Plesk Forum
 
@Peter Debik There is no way that this should be enabled by default on new installs. This breaks all Apache modsecurity attack triggers and any Apache log statistics programs as the client address only reports 127.0.0.1 as the client address after enabling it.
Forcing apache to only listen to localhost seems like a sensible default to me.
 
Ok I realise now that the recommended fix also has undesirable consequences such as breaking awstats.

It also makes me wonder about the accuracy of the awstats and other metrics when using a reverse proxy.
 
Back
Top