
I currently have a cloud VM set up with Docker, which is running my personal website. One container running is a public-facing Caddy server which acts as a reverse proxy to the other container. The other container is a BusyBox image running httpd (for its small RAM usage) acting as a simple static file server.

I understand that busybox is intended for embedded use and that busybox httpd wasn't necessarily designed to be public facing. However, httpd is running behind a reverse proxy.

Are there any security concerns I should consider when using busybox httpd as a public file server? (as opposed to more popular http servers like nginx/apache)

thesilican

1 Answer


It should be fine. Its code is well reviewed, but it's complicated. See https://git.busybox.net/busybox/tree/networking/httpd.c

By default CGI scripts are enabled, so if you allow uploading files then someone may upload some exploit.cgi file. But anyway, to execute it the file would need execute permissions. Another similar attack is to upload an HTML page with JavaScript that may steal cookies. Also you may upload a conf file into a directory, but it's very limited. Basic auth doesn't have brute-force protection, so you may need Fail2Ban configured, but I never did this and am not sure that failed attempts are logged. You may also accidentally enable a proxy.

The BB httpd has four limitations that affect security:

  1. No virtual hosting support
  2. No TLS/HTTPS
  3. Configuration is simple, but it's easy to mess up because of the lack of samples.
  4. No custom headers e.g. Content Security Policy (CSP)

You may find some self checks on OWASP website https://cheatsheetseries.owasp.org/IndexTopTen.html
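As an added example (not part of the question or the answer above, and not BusyBox's or Caddy's own sample config), here is a BusyBox httpd.conf that addresses the points in the answer (locking httpd down to the proxy, the accidental proxy rule, unprotected CGI) next to a Caddyfile that supplies what httpd cannot (TLS, custom headers such as CSP). The domain example.com, the Docker service name web, the bridge subnet 172.18.0.0/16 and the paths are assumptions for this example; adjust them to your setup.

```text
# --- httpd.conf for the BusyBox container (assumed mounted at /etc/httpd.conf) ---
# Home directory, index file and 404 page.
H:/srv/www
I:index.html
E404:/404.html

# Only the reverse proxy may talk to httpd. Rules are checked in order and the
# first match wins, so the allow line must come before the deny-all line.
# 172.18.0.0/16 is the assumed Docker bridge network that holds the Caddy
# container. Without these two lines httpd answers anyone who can reach its port.
A:172.18.0.0/16
D:*

# Weak: a proxy rule like the commented one below makes httpd forward requests
# for /internal/ to whatever host you name. Leave it out unless you need it.
# P:/internal/:http://10.0.0.5:8080/

# Weak: a /cgi-bin directory with nothing in front of it. If /srv/www/cgi-bin
# exists, requests below /cgi-bin/ execute the files found there, so any upload
# path that can write into it is a remote code execution path.
# /cgi-bin:admin:changeme
# Better: do not create /srv/www/cgi-bin at all, so there is nothing to execute.

# --- Caddyfile for the Caddy container ---
example.com {
    # Headers BusyBox httpd cannot set itself, added on the way out.
    header {
        Content-Security-Policy "default-src 'self'"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "no-referrer"
        -Server
    }
    # Caddy obtains and renews the TLS certificate; httpd only ever sees plain HTTP.
    reverse_proxy web:80
}
```

Run httpd in the foreground with request logging to stderr so Docker captures it, for example `httpd -f -v -h /srv/www -c /etc/httpd.conf`, and do not publish httpd's port to the host; only Caddy should be reachable from outside. Note that the A:/D: lines are matched against the address httpd sees, which behind the proxy is always Caddy's, so any per-client restriction or brute-force limiting for Basic auth has to be done in Caddy rather than in httpd.conf.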