Project

General

Profile

Actions

Bug #12646

open

Isolated Reverse proxy exposes all of Katello/Foreman

Added by Travis Camechis about 9 years ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
easy
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

After doing some investigation, The Client hits hits the reverse proxy on the capsule at 8443 and it gets proxied to the backend Katello instance. If from a browser I actually hit the url for instance ( https://capsule:8443/ ); It actually takes me directly to the foreman box and that looks to be how the reverse proxy is setup on an isolated capsule. That seems to be somewhat of a security hole since your exposing the full Katello instance to the outside. I modified to the reverse proxy to only proxy /rhsm urls and that seems to be a little better and subscription management still works. There are apis that are displayed in JSON format when I hit the URL now but at least its not the foreman application itself. I am not sure if there is a better solution to this? Would it be possible maybe to host a small RHSM client on the capsule that forwards the request back to Katello? Just thoughts

I have attached the proxy config I used.


Files

28-katello-reverse-proxy.conf 28-katello-reverse-proxy.conf 1.96 KB Travis Camechis, 12/01/2015 09:31 AM

Related issues 1 (0 open1 closed)

Related to Katello - Feature #17367: Capsule should listen for RHSM requests on port 443, like Satellite doesClosedActions
Actions #1

Updated by Eric Helms almost 9 years ago

  • Translation missing: en.field_release set to 86
  • Triaged changed from No to Yes
Actions #2

Updated by Eric Helms over 8 years ago

  • Translation missing: en.field_release changed from 86 to 143
Actions #3

Updated by Justin Sherrill over 8 years ago

  • Category set to Installer
  • Translation missing: en.field_release changed from 143 to 114
  • Difficulty set to easy

This is expected behavior, but i could see allowing the user to specify a slimmed down set of actions to allow, possibly defaulting to that.

Actions #4

Updated by Justin Sherrill almost 7 years ago

  • Translation missing: en.field_release changed from 114 to 338
Actions #5

Updated by Stephen Benjamin over 6 years ago

  • Related to Feature #17367: Capsule should listen for RHSM requests on port 443, like Satellite does added
Actions #6

Updated by Stephen Benjamin over 6 years ago

If #17367 were fixed in the proposed way (only proxy /rhsm on 443), it would also solve this and I think #17367 has had more complaints.

Actions #7

Updated by Justin Sherrill over 6 years ago

  • Target version changed from Katello 3.7.0 to Katello 3.8.0
  • Triaged set to No
Actions #8

Updated by Eric Helms over 6 years ago

  • Target version deleted (Katello 3.8.0)
  • Triaged changed from Yes to No
Actions #9

Updated by Andrew Kofink over 6 years ago

  • Target version set to Katello Backlog
  • Triaged changed from No to Yes
Actions #10

Updated by Anthony Chevalet almost 5 years ago

Hi there, any news about this "security hole"?

Actions #11

Updated by Eric Helms over 3 years ago

We have assessed this bug and there are a few considerations. The reverse proxy on the content proxy grants both UI and API access which in our view has the same security implications. In order to lock down just to the API we would have to build an access list of all API paths needed in order to not break functionality. Given there is no single rooted endpoint this is difficult and has the potential to miss an endpoint and break functionality. Additionally, some users see this as a feature that they use in order to access the application from clients or the content proxy itself. Given all of this, it is our recommendation that we close this bug as rejected.

Actions #12

Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Project changed from Katello to Installer
  • Category deleted (Installer)
  • Target version deleted (Katello Backlog)

We've merged katello-installer into foreman-installer and for better visibility I'm moving it over to the installer project.

Actions

Also available in: Atom PDF