
Bug #12646

Isolated Reverse proxy exposes all of Katello/Foreman

Added by Travis Camechis almost 6 years ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Installer
Target version:
Difficulty: easy
Triaged: Yes
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

After doing some investigation, the client hits the reverse proxy on the capsule at 8443 and it gets proxied to the backend Katello instance. If from a browser I actually hit the URL, for instance https://capsule:8443/, it actually takes me directly to the Foreman box, and that looks to be how the reverse proxy is set up on an isolated capsule. That seems to be somewhat of a security hole since you're exposing the full Katello instance to the outside. I modified the reverse proxy to only proxy /rhsm URLs and that seems to be a little better, and subscription management still works. There are APIs that are displayed in JSON format when I hit the URL now, but at least it's not the Foreman application itself. I am not sure if there is a better solution to this? Would it be possible maybe to host a small RHSM client on the capsule that forwards the request back to Katello? Just thoughts.

I have attached the proxy config I used.

Attachment: 28-katello-reverse-proxy.conf (1.96 KB), Travis Camechis, 12/01/2015 09:31 AM
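The attached file is not reproduced on this page. As an added illustration (not the reporter's attachment and not the Katello installer's own template), the fragment below shows an Apache vhost for the capsule's port 8443 in the two shapes the description contrasts: the catch-all `ProxyPass /` that forwards every path to Foreman, and the narrowed form that forwards only the `/rhsm/` prefix and refuses everything else. Hostnames, certificate paths and the listening port are assumed placeholders, and the client-certificate forwarding a real capsule needs for subscription-manager is deliberately left out so that only the path restriction is shown.

```apache
# Added example, not the attachment from the bug report. All hostnames and
# file paths below are placeholders; adjust to the real capsule and Katello
# hosts before use.

Listen 8443
<VirtualHost *:8443>
    ServerName capsule.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/capsule/capsule.crt   # placeholder
    SSLCertificateKeyFile /etc/pki/capsule/capsule.key   # placeholder
    SSLProxyEngine on
    ProxyRequests Off
    ProxyPreserveHost On

    # Weak setting the bug describes: every path is forwarded to the backend,
    # so a browser opening https://capsule:8443/ lands on the full Foreman UI.
    #ProxyPass        / https://katello.example.com/
    #ProxyPassReverse / https://katello.example.com/

    # Narrowed setting matching the reporter's workaround: only the
    # subscription-manager (RHSM) prefix is forwarded. The trailing slash
    # keeps ProxyPass from also matching unrelated paths such as /rhsmfoo.
    ProxyPass        /rhsm/ https://katello.example.com/rhsm/
    ProxyPassReverse /rhsm/ https://katello.example.com/rhsm/

    # Everything outside /rhsm is refused locally with 403 instead of falling
    # through to the DocumentRoot. The later <Location> block overrides the
    # earlier one for its own subtree, so /rhsm/... stays reachable.
    <Location />
        Require all denied
    </Location>
    <Location /rhsm>
        Require all granted
    </Location>
</VirtualHost>
```

With the narrowed form, a request for `https://capsule:8443/` gets a 403 from the capsule and never reaches Foreman, while `https://capsule:8443/rhsm/status` is still proxied. This matches what the reporter observed: the RHSM API responses remain visible as JSON, but the Foreman application itself is no longer exposed through the capsule. After a change like this, a practical check is to fetch `/`, `/api/` and `/rhsm/status` against port 8443 and confirm that only the last one returns content from the backend.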

Related issues

Related to Katello - Feature #17367: Capsule should listen for RHSM requests on port 443, like Satellite does (New, 2016-11-16)

History

#1 Updated by Eric Helms almost 6 years ago

  • Legacy Backlogs Release (now unused) set to 86
  • Triaged changed from No to Yes

#2 Updated by Eric Helms over 5 years ago

  • Legacy Backlogs Release (now unused) changed from 86 to 143

#3 Updated by Justin Sherrill about 5 years ago

  • Category set to Installer
  • Legacy Backlogs Release (now unused) changed from 143 to 114
  • Difficulty set to easy

This is expected behavior, but I could see allowing the user to specify a slimmed down set of actions to allow, possibly defaulting to that.

#4 Updated by Justin Sherrill over 3 years ago

  • Legacy Backlogs Release (now unused) changed from 114 to 338

#5 Updated by Stephen Benjamin over 3 years ago

  • Related to Feature #17367: Capsule should listen for RHSM requests on port 443, like Satellite does added

#6 Updated by Stephen Benjamin over 3 years ago

If #17367 were fixed in the proposed way (only proxy /rhsm on 443), it would also solve this and I think #17367 has had more complaints.

#7 Updated by Justin Sherrill about 3 years ago

  • Triaged set to No
  • Target version changed from Katello 3.7.0 to Katello 3.8.0

#8 Updated by Eric Helms about 3 years ago

  • Triaged changed from Yes to No
  • Target version deleted (Katello 3.8.0)

#9 Updated by Andrew Kofink about 3 years ago

  • Triaged changed from No to Yes
  • Target version set to Katello Backlog

#10 Updated by Anthony Chevalet over 1 year ago

Hi there, any news about this "security hole"?

#11 Updated by Eric Helms 4 months ago

We have assessed this bug and there are a few considerations. The reverse proxy on the content proxy grants both UI and API access which in our view has the same security implications. In order to lock down just to the API we would have to build an access list of all API paths needed in order to not break functionality. Given there is no single rooted endpoint this is difficult and has the potential to miss an endpoint and break functionality. Additionally, some users see this as a feature that they use in order to access the application from clients or the content proxy itself. Given all of this, it is our recommendation that we close this bug as rejected.
