apache server-status is open on almost all http openstack services
Bug #1996913 reported by Cyril Lopez
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kolla-ansible | Status tracked in Bobcat | | | |
| Antelope | Fix Committed | High | Maksim Malchuk | |
| Bobcat | Fix Released | High | Maksim Malchuk | |
| Wallaby | Won't Fix | High | Maksim Malchuk | |
| Xena | Fix Released | High | Maksim Malchuk | |
| Yoga | Fix Committed | High | Maksim Malchuk | |
| Zed | Fix Committed | High | Maksim Malchuk | |
Bug Description
By default, in docker server-status is restricted to the local network, but as HAPROXY is in the local network, it makes it available for everyone.
If you google kolla server-status, you will find some kolla deployments indexed...
server-status should be restricted to localhost.
Apache2 config applied:

```apache
<Location /server-status>
    SetHandler server-status
    Require local
    #Require ip 192.0.2.0/24
</Location>
```
Affected only Ubuntu/Debian installations.
summary: changed from "apache server-status is open on horizon" to "apache server-status is open on almost all http openstack services"
description: updated
I did a quick fix by adding a rule in haproxy public horizon:

```
frontend horizon_external_front
    mode http
    http-request del-header X-Forwarded-Proto
    use_backend acme_client_back if { path_reg ^/.well-known/acme-challenge/.+ }
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    bind XXXXXXXX:443 ssl crt /etc/haproxy/haproxy.pem
    default_backend horizon_external_back
+   http-request deny if { path -i -m beg /server-status }
```
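A way to verify that the HAProxy side of this fix has been applied to every public HTTP frontend, added here as an example and not code from the bug report or from kolla-ansible: it parses a constructed haproxy.cfg fragment and lists the frontend/listen sections that never deny requests for /server-status. It assumes that a section without an explicit `mode` inherits `mode http` from `defaults`, and the section names and addresses in the sample are made up.

```python
import re

# Constructed haproxy.cfg fragment (sample input, not from a real deployment).
HAPROXY_CFG = """\
defaults
    mode http

frontend horizon_external_front
    bind 203.0.113.10:443 ssl crt /etc/haproxy/haproxy.pem
    default_backend horizon_external_back

frontend keystone_external_front
    http-request deny if { path -i -m beg /server-status }
    bind 203.0.113.10:5000 ssl crt /etc/haproxy/haproxy.pem
    default_backend keystone_external_back

listen mariadb
    mode tcp
    bind 10.0.0.10:3306
"""

SECTION_RE = re.compile(r"^\s*(global|defaults|frontend|backend|listen)\b\s*(\S*)")
DENY_RE = re.compile(r"^\s*http-request\s+deny\b.*\bpath\b.*/server-status\b", re.I)

def parse_sections(cfg):
    """Return {name: [lines]} for each frontend/listen section (the ones that
    accept client traffic); global, defaults and backend sections are skipped."""
    sections, current = {}, None
    for line in cfg.splitlines():
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = name if kind in ("frontend", "listen") else None
            if current is not None:
                sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def unprotected_sections(cfg):
    """Names of HTTP sections that never deny /server-status. Assumption: a
    section without an explicit mode inherits 'mode http' from defaults;
    'mode tcp' sections carry no HTTP paths and are skipped."""
    found = []
    for name, lines in parse_sections(cfg).items():
        if any(re.match(r"^\s*mode\s+tcp\b", l) for l in lines):
            continue
        if not any(DENY_RE.search(l) for l in lines):
            found.append(name)
    return found
```

Run it against the real `/etc/kolla/haproxy/haproxy.cfg` (or wherever your deployment keeps it) after the fix; an empty list means every HTTP entry point rejects the path before it reaches Apache.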