Isolated Reverse proxy exposes all of Katello/Foreman
After doing some investigation, The Client hits hits the reverse proxy on the capsule at 8443 and it gets proxied to the backend Katello instance. If from a browser I actually hit the url for instance ( https://capsule:8443/ ); It actually takes me directly to the foreman box and that looks to be how the reverse proxy is setup on an isolated capsule. That seems to be somewhat of a security hole since your exposing the full Katello instance to the outside. I modified to the reverse proxy to only proxy /rhsm urls and that seems to be a little better and subscription management still works. There are apis that are displayed in JSON format when I hit the URL now but at least its not the foreman application itself. I am not sure if there is a better solution to this? Would it be possible maybe to host a small RHSM client on the capsule that forwards the request back to Katello? Just thoughts
I have attached the proxy config I used.