
Bug #12646

Isolated Reverse proxy exposes all of Katello/Foreman

Added by Travis Camechis almost 4 years ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: Installer
Target version:
Difficulty: easy
Triaged: Yes
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

After doing some investigation, the client hits the reverse proxy on the capsule at 8443 and it gets proxied to the backend Katello instance. If from a browser I actually hit the URL, for instance ( https://capsule:8443/ ), it actually takes me directly to the Foreman box, and that looks to be how the reverse proxy is set up on an isolated capsule. That seems to be somewhat of a security hole since you're exposing the full Katello instance to the outside. I modified the reverse proxy to only proxy /rhsm URLs and that seems to be a little better, and subscription management still works. There are APIs that are displayed in JSON format when I hit the URL now, but at least it's not the Foreman application itself. I am not sure if there is a better solution to this? Would it be possible maybe to host a small RHSM client on the capsule that forwards the request back to Katello? Just thoughts.

I have attached the proxy config I used.

Attachment: 28-katello-reverse-proxy.conf (1.96 KB), Travis Camechis, 12/01/2015 09:31 AM
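The two proxy shapes the description contrasts, written out as Apache httpd mod_proxy virtual hosts. This is an added illustration, not the attached 28-katello-reverse-proxy.conf (whose contents are not reproduced on this page) and not the installer's own template; the hostnames, certificate paths, the 403 fallback and the exact path set are assumptions. Load one variant or the other, not both, since two name-based vhosts on the same port would make the first one win.

```apache
# Added example, not the attachment from this issue and not Katello's installer
# template. Hostnames, certificate paths and the proxied path set are assumptions.

# Variant A: broad proxy. Every request arriving on 8443 is forwarded to Foreman,
# so the full web UI and API are reachable through the capsule.
<VirtualHost *:8443>
    ServerName capsule.example.com                                          # assumed
    SSLEngine on
    SSLCertificateFile    /etc/pki/katello/certs/capsule.example.com.crt   # assumed path
    SSLCertificateKeyFile /etc/pki/katello/private/capsule.example.com.key # assumed path
    SSLProxyEngine on

    ProxyPass        / https://foreman.example.com/
    ProxyPassReverse / https://foreman.example.com/
</VirtualHost>

# Variant B: restricted proxy. Only the subscription-manager endpoints under /rhsm
# are forwarded; anything else is refused locally instead of reaching Foreman.
<VirtualHost *:8443>
    ServerName capsule.example.com                                          # assumed
    SSLEngine on
    SSLCertificateFile    /etc/pki/katello/certs/capsule.example.com.crt   # assumed path
    SSLCertificateKeyFile /etc/pki/katello/private/capsule.example.com.key # assumed path
    SSLProxyEngine on

    # Prefix match: /rhsm and /rhsm/... go to the backend, nothing else is mapped.
    ProxyPass        /rhsm https://foreman.example.com/rhsm
    ProxyPassReverse /rhsm https://foreman.example.com/rhsm

    # Deny every path outside /rhsm explicitly (Apache 2.4 authorization syntax),
    # so a stray request is answered with 403 rather than by local content or
    # by a path that merely begins with "rhsm".
    <LocationMatch "^/(?!rhsm(/|$))">
        Require all denied
    </LocationMatch>
</VirtualHost>
```

Variant B matches the change the description reports: subscription-manager traffic still works, while `https://capsule:8443/` no longer lands on the Foreman UI. It does not shrink what Foreman serves under /rhsm itself, which is why the reporter still sees JSON API responses there; narrowing that further would have to happen on the Foreman side or with additional per-path rules.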

Related issues

Related to Katello - Feature #17367: Capsule should listen for RHSM requests on port 443, like Satellite does (New, 2016-11-16)

History

#1 Updated by Eric Helms almost 4 years ago

  • Legacy Backlogs Release (now unused) set to 86
  • Triaged changed from No to Yes

#2 Updated by Eric Helms over 3 years ago

  • Legacy Backlogs Release (now unused) changed from 86 to 143

#3 Updated by Justin Sherrill about 3 years ago

  • Category set to Installer
  • Legacy Backlogs Release (now unused) changed from 143 to 114
  • Difficulty set to easy

This is expected behavior, but I could see allowing the user to specify a slimmed down set of actions to allow, possibly defaulting to that.

#4 Updated by Justin Sherrill over 1 year ago

  • Legacy Backlogs Release (now unused) changed from 114 to 338

#5 Updated by Stephen Benjamin over 1 year ago

  • Related to Feature #17367: Capsule should listen for RHSM requests on port 443, like Satellite does added

#6 Updated by Stephen Benjamin over 1 year ago

If #17367 were fixed in the proposed way (only proxy /rhsm on 443), it would also solve this and I think #17367 has had more complaints.

#7 Updated by Justin Sherrill about 1 year ago

  • Triaged set to No
  • Target version changed from Katello 3.7.0 to Katello 3.8.0

#8 Updated by Eric Helms about 1 year ago

  • Triaged changed from Yes to No
  • Target version deleted (Katello 3.8.0)

#9 Updated by Andrew Kofink about 1 year ago

  • Triaged changed from No to Yes
  • Target version set to Katello Backlog
