
Proposal: Reduce proxy surface

MdreW opened this issue 8 months ago · 0 comments

In production, every public server is continuously scanned and attacked. Most of these operations are performed by bots looking for common vulnerabilities in common systems (WordPress, JBoss, etc.). These operations do not pose a risk to iam-proxy-italia, but they consume resources and are really tedious. In production, logs are kept for 1 year, and they are almost all spam: scans of common paths that generate resource errors.

At the moment NGINX tries to find the request in its root; if there is no match, it sends everything to satosa. We could reduce these noise requests by limiting the proxy to only the required paths. Each path required by a plugin starts with the plugin name (e.g. Saml2, Saml2IDP, OIDC, CieSaml2, etc.), so we could proxy only these base paths.

What do you think?

MdreW, Jul 28 '25 10:07
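As an added illustration of the proposal (this is example configuration, not the project's own NGINX config), the catch-all `location /` that falls through to the application is shown commented out next to an allowlist that proxies only the four plugin base paths named in the issue. The upstream name `satosa_backend`, its port, the `server_name` and the `proxy_set_header` lines are assumptions; the plugin base paths are taken from the issue text.

```nginx
# Added example, not taken from iam-proxy-italia. The upstream name and port
# are assumptions; adjust them to the real SATOSA listener.
upstream satosa_backend {
    server 127.0.0.1:10000;
}

server {
    listen 443 ssl;
    server_name proxy.example.org;   # placeholder hostname

    # Behaviour described in the issue: anything not found on disk falls
    # through to SATOSA, so every scanner probe reaches the application.
    #
    # location / {
    #     try_files $uri @satosa;
    # }
    # location @satosa {
    #     proxy_pass http://satosa_backend;
    # }

    # Proposed allowlist. The regex anchors each plugin base path at the
    # start of the URI and requires either a "/" or end-of-string after it,
    # so "/Saml2garbage" is NOT matched (a plain prefix location would
    # match it). A regex location beats the "/" prefix location below when
    # it matches, which is exactly the precedence we want here.
    location ~ ^/(Saml2IDP|Saml2|OIDC|CieSaml2)(/|$) {
        proxy_pass         http://satosa_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Deny by default: everything else is answered by NGINX itself and never
    # reaches SATOSA. Turning the access log off for this block keeps the
    # 1-year log retention from filling with scanner noise; keep it on (or
    # route it to a separate file) if you still want the probes for forensics.
    location / {
        access_log off;
        return 404;
    }
}
```

If the deployment really serves files from the NGINX root (static assets, published metadata), give those their own `location` entries rather than widening the regex, so the deny-by-default rule stays in place. Check the result with `nginx -t` and then request one allowed path and one junk path (for example `/wp-login.php`) and confirm only the first shows up in the SATOSA log.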