From: Otto Moerbeek Date: Thu, 12 Mar 2026 12:31:53 +0000 (+0100) Subject: Some advice: only expose web server on an as-needed basis X-Git-Tag: auth-5.1.0-alpha1~7^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2bb3c60d71a8badeaf2a233e8ca2ab0757afb9a3;p=thirdparty%2Fpdns.git Some advice: only expose web server on an as-needed basis Signed-off-by: Otto Moerbeek --- diff --git a/pdns/recursordist/docs/http-api/index.rst b/pdns/recursordist/docs/http-api/index.rst index ff18543f2e..a4ef51b512 100644 --- a/pdns/recursordist/docs/http-api/index.rst +++ b/pdns/recursordist/docs/http-api/index.rst @@ -21,9 +21,11 @@ Webserver To launch the internal webserver, set :ref:`setting-yaml-webservice.webserver` to ``true`` the configuration file. This will instruct PowerDNS to start a webserver on localhost at port 8081, without password protection. -By default the webserver listens on localhost, meaning only local users (on the same host) will be able to access the webserver. Since the default ACL before 4.1.0 allows access from everywhere if :ref:`setting-yaml-webservice.address` is set to a different value, we strongly advise the use of a password protection. +By default the webserver listens on localhost, meaning only local users (on the same host) will be able to access the webserver. + The webserver lists a lot of potentially sensitive information about the PowerDNS process, including frequent queries, frequently failing queries, lists of remote hosts sending queries, hosts sending corrupt queries etc. -The webserver does not allow remote management. +The webserver does allow very limited remote management. + The following webserver related configuration items are available: * :ref:`setting-yaml-webservice.webserver`: If set to ``yes`` a webserver is launched. 
@@ -32,6 +34,11 @@ The following webserver related configuration items are available: * :ref:`setting-yaml-webservice.port`: Port to bind the webserver to. * :ref:`setting-yaml-webservice.allow_from`: Netmasks that are allowed to connect to the webserver +.. warning:: + + To achieve defense-in-depth, expose the webserver only to clients addresses that need to access it. + Network access is configured by setting :ref:`setting-yaml-webservice.address` and :ref:`setting-yaml-webservice.allow_from`. Starting with version 5.3.0 :ref:`setting-yaml-webservice.listen` has been introduced, superseding :ref:`setting-yaml-webservice.address` if set. + .. warning:: Not setting a password will allow passwordless access to the frontpage showing statistics, the :doc:`endpoint-jsonstat`, the :doc:`../common/api/endpoint-statistics` and the ``localhost`` specific endpoint of the :doc:`../common/api/endpoint-servers`.
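Review bot: the first hunk (the `@@ -21,9 +21,11 @@` region) drops the password recommendation together with the obsolete pre-4.1.0 ACL remark, so the paragraph that says the webserver starts "without password protection" no longer tells the reader to set one; keep a short sentence such as "we strongly advise the use of password protection" after the new `+By default the webserver listens on localhost, ...` line, without the ACL history. The replacement `+The webserver does allow very limited remote management.` is too vague to let an operator judge the exposure; name the operations (or link the endpoints) that count as management. While this paragraph is being edited, the unchanged context line "set :ref:`setting-yaml-webservice.webserver` to ``true`` the configuration file" is missing "in" before "the configuration file".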
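Review bot: in the second hunk's new warning, "expose the webserver only to clients addresses" should read "client addresses". The same warning introduces :ref:`setting-yaml-webservice.listen` as superseding :ref:`setting-yaml-webservice.address` from 5.3.0 on, but does not say whether :ref:`setting-yaml-webservice.allow_from` still applies when ``listen`` is set, and the settings list the warning follows has, in the visible context, no bullet for ``listen``; add that bullet and state how ``allow_from`` interacts with ``listen``. The hunk also leaves two consecutive ``.. warning::`` blocks about the same exposure (network reachability and passwordless access); consider folding them into one warning so the advice reads as a single hardening step.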