Project

General

Profile

Refactor #34236

Drop require_ssl_smart_proxies setting

Added by Ewoud Kohl van Wijngaarden 4 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Category:
Smart Proxy
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

From https://community.theforeman.org/t/drop-require-ssl-and-require-ssl-smart-proxies-settings/26772

If this setting is true (the default) The Smart Proxies authenticate using SSL client certificates.

If it’s false, other means can be used. Today reverse DNS can be used (foreman/smart_proxy_auth.rb at bde7047acb8a68a899f60585f751093c9713bb92 · theforeman/foreman · GitHub). I’d argue this is unsafe and we should not have this code at all.

It should also be noted that prior to Feature #30779: Use ActionDispatch::RemoteIp when working as a reverse proxy - Foreman users could spoof the remote IP if they came from the local network. That in combination with reverse DNS checks means it’s easy to bypass these security checks. After this, it may actually be that the Katello HTTP reverse proxy setup that it ships opens this security risk. Removing the option for users to shoot themselves in the foot makes the project more secure.


Related issues

Related to Salt - Refactor #34273: Drop usage of require_ssl_smart_proxies setting from testsClosed

Associated revisions

Revision 9690f3ae (diff)
Added by Ewoud Kohl van Wijngaarden 4 months ago

Fixes #34236 - Drop require_ssl_smart_proxies setting

This defaults to true and setting it to false can create security
problems. Mandating client SSL certificates creates a more secure
environment.

Previously when require_ssl_smart_proxies was false, reverse DNS was
used. This code is dropped as it is insecure. Requests are now denied.

History

#1 Updated by The Foreman Bot 4 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/9021 added

#2 Updated by The Foreman Bot 4 months ago

  • Fixed in Releases 3.2.0 added

#3 Updated by Ewoud Kohl van Wijngaarden 4 months ago

  • Status changed from Ready For Testing to Closed

#4 Updated by Ondřej Ezr 4 months ago

  • Related to Refactor #34273: Drop usage of require_ssl_smart_proxies setting from tests added

Also available in: Atom PDF