Web UI redirection policy can invalidate HAProxy and/or TLS setup
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
MAAS |
Fix Released
|
Medium
|
Alberto Donato | ||
3.2 |
Fix Released
|
Medium
|
Anton Troyanov | ||
3.3 |
Fix Released
|
Medium
|
Anton Troyanov |
Bug Description
When MAAS is behind haproxy, accessing the web UI is problematic because when it redirects, the protocol and port are lost, replaced with http and port 5240.
It's going to be obvious in the following scenario.
[user] -> [firewall with TCP/80 allowed] -> [haproxy: TCP/80] -> [MAAS TCP/5240]
The initial request with http://<VIP/FQDN>:80/ of HAProxy succeeds and reaches to MAAS, then MAAS returns with a redirection directive to http://<VIP/FQDN>:5240/. It means that MAAS is requesting users to by-pass a reverse proxy such as HAProxy in the middle, and the access is going to be blocked especially when there is a firewall in font of a reverse proxy.
An example to reproduce:
1. deploy maas
2. configure haproxy in front with a VIP, listening on port 80, proxying to regiond on port 5240
3. `curl -i http://<VIP>:80/` and note that the 301 redirect is to `http://<VIP>:5240/MAAS/r/` (which is invalid)
4. note that accessing `http://<VIP>:80/MAAS/r/` works fine
The complete reproduction steps with a realistic scenario is in the comment #2.
This issue is also visible when following the instructions from https:/
Related branches
- MAAS Lander: Approve
- Jerzy Husakowski: Approve
-
Diff: 13 lines (+2/-0)1 file modifiedsrc/maasserver/templates/http/regiond.nginx.conf.template (+2/-0)
- MAAS Lander: Approve
- Jerzy Husakowski: Approve
-
Diff: 13 lines (+2/-0)1 file modifiedsrc/maasserver/templates/http/regiond.nginx.conf.template (+2/-0)
- Adam Collard (community): Approve
- MAAS Lander: Approve
-
Diff: 13 lines (+2/-0)1 file modifiedsrc/maasserver/templates/http/regiond.nginx.conf.template (+2/-0)
description: | updated |
Changed in maas: | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in maas: | |
milestone: | none → 3.4.0 |
Changed in maas: | |
assignee: | nobody → Alberto Donato (ack) |
Changed in maas: | |
status: | Triaged → In Progress |
Changed in maas: | |
status: | In Progress → Fix Committed |
Changed in maas: | |
milestone: | 3.4.0 → 3.4.0-beta1 |
Changed in maas: | |
status: | Fix Committed → Fix Released |
It appears that the problem comes from these redirects in regiond.nginx.conf:
```
location = / {
return 301 /MAAS/r/;
}
location ~ ^/MAAS/?$ {
return 301 /MAAS/r/;
}
```
A potential fix could be to turn off absolute redirects, so that redirects will be automatically interpreted in the context of the requesting url:
``` r/templates/ http/regiond. nginx.conf. template b/src/maasserve r/templates/ http/regiond. nginx.conf. template .d9593ccc9 100644 r/templates/ http/regiond. nginx.conf. template r/templates/ http/regiond. nginx.conf. template
diff --git a/src/maasserve
index b45a7fff9.
--- a/src/maasserve
+++ b/src/maasserve
@@ -30,6 +30,9 @@ server {
listen {{http_port}};
{{endif}}
+ absolute_redirect off;
+ port_in_redirect off;
+
location = / {
return 301 /MAAS/r/;
}
```