Bug #12646 (open): Isolated Reverse proxy exposes all of Katello/Foreman
Description
After doing some investigation, the client hits the reverse proxy on the capsule at 8443 and it gets proxied to the backend Katello instance. If from a browser I actually hit the URL, for instance ( https://capsule:8443/ ), it actually takes me directly to the Foreman box, and that looks to be how the reverse proxy is set up on an isolated capsule. That seems to be somewhat of a security hole since you're exposing the full Katello instance to the outside. I modified the reverse proxy to only proxy /rhsm URLs and that seems to be a little better, and subscription management still works. There are APIs that are displayed in JSON format when I hit the URL now, but at least it's not the Foreman application itself. I am not sure if there is a better solution to this? Would it be possible maybe to host a small RHSM client on the capsule that forwards the request back to Katello? Just thoughts.
I have attached the proxy config I used.
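An added illustration of the two configurations the report contrasts (it is not the attachment from this report and not the project's own installer templates); an Apache mod_proxy vhost on the capsule is assumed, and the hostnames are placeholders:

```apache
# Added example, not the config attached to this report.
# Hostnames are placeholders; the capsule's real vhost also carries
# client-certificate settings that are left out here.

# Alternative 1 (the behaviour the report describes): everything under /
# on 8443 is forwarded, so the full Foreman/Katello UI and API are
# reachable through the capsule.
<VirtualHost *:8443>
    ServerName capsule.example.com
    SSLEngine on
    SSLProxyEngine on
    ProxyPass        / https://katello.example.com/
    ProxyPassReverse / https://katello.example.com/
</VirtualHost>

# Alternative 2 (the reporter's change): only the subscription-manager
# paths are forwarded; any other path is answered by the capsule itself
# with 403 rather than being passed to Katello.
<VirtualHost *:8443>
    ServerName capsule.example.com
    SSLEngine on
    SSLProxyEngine on
    # ProxyPass rules are matched in order: /rhsm first, then the
    # explicit "!" rule stops everything else from being proxied.
    ProxyPass        /rhsm https://katello.example.com/rhsm
    ProxyPassReverse /rhsm https://katello.example.com/rhsm
    ProxyPass        /     !
    <Location />
        Require all denied
    </Location>
    <Location /rhsm>
        Require all granted
    </Location>
</VirtualHost>
```

Only one of the two vhosts would be loaded at a time; as the maintainers note later in this thread, an allow-list like the second one has to cover every path the clients need or it breaks them.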
Updated by Eric Helms almost 9 years ago
- Release set to 86
- Triaged changed from No to Yes
Updated by Eric Helms over 8 years ago
- Release changed from 86 to 143
Updated by Justin Sherrill over 8 years ago
- Category set to Installer
- Release changed from 143 to 114
- Difficulty set to easy
This is expected behavior, but I could see allowing the user to specify a slimmed-down set of actions to allow, possibly defaulting to that.
Updated by Justin Sherrill almost 7 years ago
- Release changed from 114 to 338
Updated by Stephen Benjamin over 6 years ago
- Related to Feature #17367: Capsule should listen for RHSM requests on port 443, like Satellite does added
Updated by Stephen Benjamin over 6 years ago
Updated by Justin Sherrill over 6 years ago
- Target version changed from Katello 3.7.0 to Katello 3.8.0
- Triaged set to No
Updated by Eric Helms over 6 years ago
- Target version deleted (Katello 3.8.0)
- Triaged changed from Yes to No
Updated by Andrew Kofink over 6 years ago
- Target version set to Katello Backlog
- Triaged changed from No to Yes
Updated by Anthony Chevalet almost 5 years ago
Hi there, any news about this "security hole"?
Updated by Eric Helms over 3 years ago
We have assessed this bug and there are a few considerations. The reverse proxy on the content proxy grants both UI and API access which in our view has the same security implications. In order to lock down just to the API we would have to build an access list of all API paths needed in order to not break functionality. Given there is no single rooted endpoint this is difficult and has the potential to miss an endpoint and break functionality. Additionally, some users see this as a feature that they use in order to access the application from clients or the content proxy itself. Given all of this, it is our recommendation that we close this bug as rejected.
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
- Project changed from Katello to Installer
- Category deleted (Installer)
- Target version deleted (Katello Backlog)
We've merged katello-installer into foreman-installer and for better visibility I'm moving it over to the installer project.