
suggestion: anonymous access should be set explicitly #246

@fyears


Hi,

I started using webdis today, and I want to expose it to the public internet. I want it password protected, with anonymous access disabled.

I find the ACL part confusing.

Firstly I tried:

  "acl": [
    {
      "http_basic_auth": "user:password",
      "enabled": [ "*" ]
    }
  ],

But I can still access the API without a username and password! It's very surprising to me.

Later I figured out the correct way:

  "acl": [
    {"disabled": ["*"]},
    {
      "http_basic_auth": "user:password",
      "enabled": [ "*" ]
    }
  ],

It seems to me that anonymous access is somewhat special: it is always enabled unless explicitly disabled by hand. The ACL is allow-list style except for anonymous access.

Maybe it's not a good idea from a security point of view? I suggest changing the code to a fully allow-list style, with no special treatment for anonymous access. You can of course enable it by default by providing it in the example webdis.json, but after users delete that part, anonymous access should be disabled as well.
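As an added example (not webdis's own code and not part of the issue), a small Python model of the allow-by-default ACL evaluation the issue describes, run over both configs quoted above. It assumes rules are applied in order and that a rule carrying http_basic_auth matches only a client presenting exactly those credentials; CIDR matching and the real credential comparison in webdis are left out.

```python
import json

# Constructed from the two "acl" snippets quoted in the issue (not webdis code).
UNSAFE_ACL = json.loads("""[
  {"http_basic_auth": "user:password", "enabled": ["*"]}
]""")
SAFE_ACL = json.loads("""[
  {"disabled": ["*"]},
  {"http_basic_auth": "user:password", "enabled": ["*"]}
]""")


def rule_matches_client(rule, auth):
    """Assumed matching model: a rule carrying http_basic_auth matches only a
    client presenting exactly those credentials; a rule without it matches
    every client, anonymous ones included. CIDR matching is not modelled."""
    required = rule.get("http_basic_auth")
    return required is None or auth == required


def command_listed(cmd, names):
    """"*" is a wildcard; otherwise command names match case-insensitively."""
    return "*" in names or cmd.upper() in {n.upper() for n in names}


def is_allowed(acl, cmd, auth=None):
    """Walk the ACL in order. The verdict starts as allowed (the default the
    issue complains about) and each rule matching the client may flip it."""
    allowed = True
    for rule in acl:
        if not rule_matches_client(rule, auth):
            continue
        if command_listed(cmd, rule.get("enabled", [])):
            allowed = True
        if command_listed(cmd, rule.get("disabled", [])):
            allowed = False
    return allowed


def anonymous_reachable(acl, cmds=("GET", "SET", "KEYS", "FLUSHALL")):
    """Defensive check for a config: commands an unauthenticated client may run.
    A non-empty result means the config needs a leading {"disabled": ["*"]}."""
    return [c for c in cmds if is_allowed(acl, c, auth=None)]


if __name__ == "__main__":
    for name, acl in (("unsafe", UNSAFE_ACL), ("safe", SAFE_ACL)):
        print(f"{name}: anonymous client can run {anonymous_reachable(acl)}")
```

Under this model the first config leaves every command open to anonymous clients, while the leading disable-all rule in the second config closes them and only the authenticated rule re-enables them.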
