2019-07-31, 05:09 PM
I'm re-reading all of the current MyBB Security Docs, and have a question about this one:
MyBB.com > Docs > Security > Protecting your MyBB Forum > Configure access to private hosts and IP addresses
https://docs.mybb.com/1.8/administration/security/protection/
The instructions seem to say, go into your MyBB installation's inc/config.php file and add your server's IP address to 2 sections. My question is, am I understanding that correctly? I'm confused because it combines the word "disallowed" with the server's IP address, and I don't want to lock out the server! Thanks if anyone can clarify.
/**
 * Disallowed Remote Hosts
 *  List of hosts the fetch_remote_file() function will not
 *  perform requests to.
 *  It is recommended that you enter hosts resolving to the
 *  forum server here to prevent Server Side Request
 *  Forgery attacks.
 */
$config['disallowed_remote_hosts'] = array(
    'localhost',
);

/**
 * Disallowed Remote Addresses
 *  List of IPv4 addresses the fetch_remote_file() function
 *  will not perform requests to.
 *  It is recommended that you enter addresses resolving to
 *  the forum server here to prevent Server Side Request
 *  Forgery attacks.
 *  Removing all values disables resolving hosts in that
 *  function.
 */
$config['disallowed_remote_addresses'] = array(
    '127.0.0.1',
    '10.0.0.0/8',
    '172.16.0.0/12',
    '192.168.0.0/16',
);
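
As an added example (not part of the original post and not MyBB's implementation), this PHP code shows how a fetch helper could apply the two lists to the destination of an outbound request, which is the only thing the config comments say they control. `ip_matches()`, `outbound_allowed()`, the `.example` hostnames and their addresses are hypothetical and constructed for the illustration.

```php
<?php
// Added illustration, not MyBB's code; lists copy the config.php values quoted in the post.
$hosts = ['localhost'];
$addresses = ['127.0.0.1', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];

// True if IPv4 $ip equals $entry or lies inside the CIDR range $entry.
function ip_matches(string $ip, string $entry): bool
{
    if (strpos($entry, '/') === false) {
        return $ip === $entry;
    }
    [$net, $bits] = explode('/', $entry, 2);
    $ip_long = ip2long($ip);
    $net_long = ip2long($net);
    if ($ip_long === false || $net_long === false) {
        return false;
    }
    $mask = (int)$bits === 0 ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ip_long & $mask) === ($net_long & $mask);
}
// Hypothetical helper: may the forum make an outbound request to $url?
// $resolve is injectable so the constructed samples below run offline.
function outbound_allowed(string $url, array $hosts, array $addresses, callable $resolve): bool
{
    $host = strtolower((string)parse_url($url, PHP_URL_HOST));
    if ($host === '' || in_array($host, $hosts, true)) {
        return false;
    }
    if (!$addresses) {
        return true; // empty address list: the resolved-IP check is skipped
    }
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : $resolve($host);
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return false; // unresolvable or non-IPv4: fail closed
    }
    foreach ($addresses as $entry) {
        if (ip_matches($ip, $entry)) {
            return false;
        }
    }
    return true;
}

// Constructed DNS answers; a live check would pass 'gethostbyname' instead.
$dns = ['forum.example' => '192.168.1.20', 'avatars.example' => '203.0.113.10'];
$resolve = fn(string $h) => $dns[$h] ?? $h;
foreach (['http://localhost/', 'http://127.0.0.1:8080/', 'http://forum.example/x', 'https://avatars.example/a.png'] as $url) {
    echo $url, ' => ', outbound_allowed($url, $hosts, $addresses, $resolve) ? 'fetch' : 'refuse', PHP_EOL;
}
```

With the constructed data, the first three URLs are refused because they name or resolve to a listed host or range, and only the `avatars.example` URL is fetched.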