Apache should disable (or provide the option to disable) http port 80
Bug #1845665 reported by Nick Niehoff
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Charm Helpers | Invalid | Medium | Tiago Pasqualini da Silva | |
| OpenStack Cinder Charm | Fix Released | Medium | Tiago Pasqualini da Silva | |
| OpenStack Glance Charm | Fix Released | Medium | Tiago Pasqualini da Silva | |
| OpenStack Heat Charm | Fix Released | Medium | Tiago Pasqualini da Silva | |
| OpenStack Keystone Charm | Fix Released | Medium | Tiago Pasqualini da Silva | |
| OpenStack Neutron API Charm | Fix Released | Medium | Tiago Pasqualini da Silva | |
| OpenStack Nova Cloud Controller Charm | Fix Released | Medium | Tiago Pasqualini da Silva | |
| OpenStack Placement Charm | Triaged | Medium | Unassigned | |
| OpenStack Swift Proxy Charm | Fix Released | Medium | Tiago Pasqualini da Silva | |
Bug Description
In many environments security requirements dictate SSL be enabled and specifically require http be disabled. The apache hardening should either disable http by default if ssl is enabled or should provide a configuration parameter allowing http to be disabled. Adding an HSTS header is also a good idea as Trent suggested here https:/
Changed in charm-helpers: status: New → Confirmed; importance: Undecided → Medium
Changed in charm-cinder: milestone: none → 20.01
Changed in charm-glance: milestone: none → 20.01
Changed in charm-keystone: milestone: none → 20.01
Changed in charm-neutron-api: milestone: none → 20.01
Changed in charm-nova-cloud-controller: milestone: none → 20.01
Changed in charm-swift-proxy: milestone: none → 20.01
Changed in charm-cinder: status: New → Confirmed
Changed in charm-glance: status: New → Confirmed
Changed in charm-keystone: status: New → Confirmed
Changed in charm-neutron-api: status: New → Confirmed
Changed in charm-nova-cloud-controller: status: New → Confirmed
Changed in charm-swift-proxy: status: New → Confirmed
Changed in charm-placement: status: New → Triaged
Changed in charm-swift-proxy: status: Confirmed → Triaged
Changed in charm-nova-cloud-controller: status: Confirmed → Triaged
Changed in charm-neutron-api: status: Confirmed → Triaged
Changed in charm-keystone: status: Confirmed → Triaged
Changed in charm-glance: status: Confirmed → Triaged
Changed in charm-cinder: status: Confirmed → Triaged
Changed in charm-helpers: status: Confirmed → Triaged
Changed in charm-cinder: importance: Undecided → Medium
Changed in charm-glance: importance: Undecided → Medium
Changed in charm-keystone: importance: Undecided → Medium
Changed in charm-neutron-api: importance: Undecided → Medium
Changed in charm-nova-cloud-controller: importance: Undecided → Medium
Changed in charm-placement: importance: Undecided → Medium
Changed in charm-swift-proxy: importance: Undecided → Medium
tags: added: sts
Changed in charm-helpers: status: Triaged → Opinion; status: Opinion → Invalid
summary: "Apache hardening should disable (or provide the option to disable) http - port 80" → "Apache should disable (or provide the option to disable) http port 80"
Changed in charm-helpers: assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-glance: assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-placement: assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-swift-proxy: assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-cinder: assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-heat: assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-keystone: assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-neutron-api: assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-nova-cloud-controller: assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-heat: importance: Undecided → Medium; status: New → Triaged
Changed in charm-keystone: status: Fix Committed → Fix Released
Changed in charm-neutron-api: status: Fix Committed → Fix Released
Changed in charm-cinder: status: Fix Committed → Fix Released
Changed in charm-nova-cloud-controller: status: Fix Committed → Fix Released
Changed in charm-glance: status: Fix Committed → Fix Released
Changed in charm-swift-proxy: status: Fix Committed → Fix Released
Changed in charm-heat: status: Fix Committed → Fix Released
I believe regardless of hardening, if SSL is used, we could perhaps disable access to port 80 entirely.
I checked in my lab that the only way to effectively prevent port 80 from being open is to comment out or remove "Listen 80" from ports.conf.
Currently we do not handle that file. Perhaps we could manage it through the charm and add:

```apache
<IfModule !ssl_module>
Listen 80
</IfModule>
```
Therefore, whenever ssl_module is not present, it will use port 80. I tested this in my lab, in one HTTP and one HTTPS deployment. With the above condition added in favor of the default "Listen 80", port 80 was open only in the HTTP env.
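As an added example (not code from this bug, charm-helpers or any of the charms), a small Python evaluator for the `<IfModule>` conditionals in `ports.conf`. Given the file text and the set of module identifiers Apache has loaded, it returns the ports the `Listen` directives would open, so the effect of wrapping `Listen 80` as proposed in the comment above can be checked before deploying. It goes slightly beyond the comment: nested blocks and `Listen addr:port` forms are handled too. The two `ports.conf` texts are constructed samples, one modelled on the stock Ubuntu file and one with the proposed change applied; `listening_ports` and `http_open_alongside_tls` are names chosen here, not charm APIs.

```python
import re

# Constructed sample in the shape of Ubuntu's stock /etc/apache2/ports.conf
DEFAULT_PORTS_CONF = """\
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in sites-enabled/000-default.conf
Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
"""

# Constructed sample: the same file with "Listen 80" wrapped in
# <IfModule !ssl_module>, as proposed in the comment above
HARDENED_PORTS_CONF = """\
<IfModule !ssl_module>
    Listen 80
</IfModule>

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
"""

_OPEN = re.compile(r"^<IfModule\s+(!?)(\S+?)\s*>$", re.IGNORECASE)
_CLOSE = re.compile(r"^</IfModule>$", re.IGNORECASE)
# "Listen 80", "Listen 0.0.0.0:80", "Listen [::]:443 https"
_LISTEN = re.compile(r"^Listen\s+(?:\S+:)?(\d+)\b", re.IGNORECASE)


def listening_ports(conf_text, loaded_modules):
    """Return the set of TCP ports the Listen directives in conf_text open,
    given the module identifiers Apache has loaded (e.g. {"ssl_module"}).

    Only <IfModule> nesting is evaluated; every other directive is ignored.
    Identifiers are matched literally, so a file that tests both
    "ssl_module" and "mod_ssl.c" needs both spellings in loaded_modules.
    """
    ports = set()
    active = [True]  # one flag per open <IfModule>, plus the file root
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            negated, name = (m.group(1) == "!"), m.group(2)
            present = name in loaded_modules
            # A nested block is live only if every enclosing block is live
            active.append(active[-1] and (present != negated))
            continue
        if _CLOSE.match(line):
            if len(active) == 1:
                raise ValueError("stray </IfModule> at line %d" % lineno)
            active.pop()
            continue
        m = _LISTEN.match(line)
        if m and active[-1]:
            ports.add(int(m.group(1)))
    if len(active) != 1:
        raise ValueError("unclosed <IfModule> block in ports.conf")
    return ports


def http_open_alongside_tls(conf_text):
    """The condition this bug is about: is port 80 still opened when
    mod_ssl is loaded, i.e. in an SSL-enabled deployment?"""
    return 80 in listening_ports(conf_text, {"ssl_module"})


if __name__ == "__main__":
    for label, conf in (("stock", DEFAULT_PORTS_CONF),
                        ("hardened", HARDENED_PORTS_CONF)):
        print(label, "with mod_ssl:", sorted(listening_ports(conf, {"ssl_module"})),
              "without:", sorted(listening_ports(conf, set())),
              "http exposed alongside TLS:", http_open_alongside_tls(conf))
```

This reads the rendered file from a unit; it does not replace confirming on the host with `ss -ltn` after a reload. The HSTS header mentioned in the description is a separate change: it belongs in the TLS virtual host as a `Header always set Strict-Transport-Security "..."` directive and needs mod_headers, not anything in `ports.conf`.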