Xibo behind WAF

This is a general topic on web login protection, in addition to the 2FA available.

A WAF allows admins with their own hosted public Xibo CMS to enhance security for the Xibo CMS in many aspects.

Assuming that the CMS uses an SSL certificate over 443, there still needs to be a distinct understanding of how the players (any type/platform of player) connect to the server,
as they use the same ports 443 and 9505; however, if they access different paths than the user login and cross-site browse endpoints,
this allows the CMS admin to set up a WAF and limit access to the login page to selected public IPs, client certificates, etc.
while maintaining “free” access for the players to connect without the need to have a static public IP, for instance.

Is there any good practice for WAF rules (such as Cloudflare) for a Xibo public hosted CMS?

I have started to look into the access.log of the Apache which performs the reverse proxy,

and noticed that the communication of the players always targets “/xmds.php”,
also when changing layouts, grabbing screenshots, etc.

So having a WAF rule to allow access to /xmds.php, and blocking the rest of the paths, i.e. (/login, /tfa, /schedule, /displays, etc.), will allow blocking management login users with GEO location, client certificates and additional security methods that are not only 2FA methods.
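One way to sanity-check that rule against the reverse proxy's access.log before putting it into Cloudflare or Apache (an added example, not from the original post and not Xibo's own code): replay the log lines through the "open /xmds.php, restrict everything else to admin networks" policy and see which requests would have been blocked. The log lines and the 192.0.2.0/24 admin network are constructed values for the demo; note that the path is normalised (query stripped, dot-segments resolved) before matching, so a rule that only prefix-matches the raw request target would behave differently.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:12:00:01 +0000] "POST /xmds.php?v=5 HTTP/1.1" 200 512 "-" "Xibo Player"
198.51.100.7 - - [10/Jan/2024:12:01:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jan/2024:12:01:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jan/2024:12:01:15 +0000] "GET /tfa HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:12:02:00 +0000] "GET /displays HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:12:02:30 +0000] "GET /xmds.php/../login HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) ')

# Assumption: management users connect from these networks (constructed value).
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

def normalise_path(target):
    """Strip the query string and resolve dot-segments so the rule sees the served path."""
    out = []
    for seg in urlsplit(target).path.split("/"):
        if seg == "..":
            if out: out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def decide(ip, path):
    """Rule from the post: /xmds.php is open to players from any address;
    every other path is management UI and is only allowed from ADMIN_NETWORKS."""
    if path == "/xmds.php":
        return "allow"
    addr = ipaddress.ip_address(ip)
    return "allow" if any(addr in net for net in ADMIN_NETWORKS) else "block"

def replay(log_text):
    """Run each access-log line through the rule; returns (ip, path, verdict) tuples."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            path = normalise_path(m["target"])
            results.append((m["ip"], path, decide(m["ip"], path)))
    return results

if __name__ == "__main__":
    for ip, path, verdict in replay(SAMPLE_LOG):
        print(f"{verdict:5} {ip:15} {path}")
```

Point it at a copy of the real access.log (after adjusting ADMIN_NETWORKS) and any player address that shows up as "block" is a sign the players are hitting a path other than /xmds.php and the rule needs widening before it goes live.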

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.