The 'trusted_hosts' config key has an unintuitive (and potentially dangerous) behavior
According to the Foreman documentation:
[trusted_hosts] is the list of hosts from which the smart proxy will accept connections. If this list is empty then every verified SSL connection is allowed to access the API.
There are two issues:
- This behavior is unintuitive. An empty list of trusted hosts should imply that no hosts are trusted, not that all hosts are trusted. An implication of the current behavior is that I would need to enter in a bogus trusted host in order to disable all remote access.
- The proxy (at least in Foreman 1.4.2) accepts ALL connections when trusted_hosts is empty, not just verified connections. In a test deployment, we were able to access the API via curl without providing any credentials or certificates/keys when trusted_hosts was empty.
#1 Updated by Jon McKenzie about 9 years ago
So this seems to be a larger problem than I originally thought. It seems that, regardless of whether SSL information is specified, only DNS checking is done to validate clients.
Inserting a logger statement into lib/smart_proxy.rb (https://github.com/theforeman/smart-proxy/blob/04148e799c23d7b2024dfb812d04f803f80449da/lib/smart_proxy.rb#L62), I can see that it's picking up my SSL certificates. Yet if I add a host into the trusted_hosts, I can use plain curl (with -k) from that host to query the API (no certs specified at all).
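The two access checks discussed in this report, as an added Ruby example that is not part of the original thread and is not smart-proxy's code: the behaviour as reported, beside a fail-closed check that treats an empty list as "trust nobody" and takes identity from a verified client certificate. The `Request` struct, its fields, the function names and the sample hostnames are all constructed for illustration.

```ruby
# Constructed model of an incoming API request (hypothetical fields, not smart-proxy's).
Request = Struct.new(:rdns_name, :tls_verified, :cert_cn, keyword_init: true)

# Behaviour described in this report: an empty list admits everyone, and a
# non-empty list is matched against the reverse-DNS name only.
def allowed_as_reported?(req, trusted_hosts)
  return true if trusted_hosts.empty?
  trusted_hosts.include?(req.rdns_name)
end

# Fail-closed alternative: an empty list trusts nobody, and the identity comes
# from a client certificate the TLS layer has verified, never from DNS.
def allowed_fail_closed?(req, trusted_hosts)
  return false if trusted_hosts.empty?
  return false unless req.tls_verified && req.cert_cn
  trusted_hosts.map(&:downcase).include?(req.cert_cn.downcase)
end

# Constructed sample requests, all arriving from the same resolvable host.
SAMPLES = {
  # curl -k with no client certificate at all
  plain_curl:   Request.new(rdns_name: "foreman.example.com", tls_verified: false, cert_cn: nil),
  # verified client certificate whose CN is on the list
  valid_client: Request.new(rdns_name: "foreman.example.com", tls_verified: true, cert_cn: "foreman.example.com"),
  # verified client certificate issued to a different host
  other_cert:   Request.new(rdns_name: "foreman.example.com", tls_verified: true, cert_cn: "node7.example.com")
}.freeze

# Returns, per sample request, the decision each check makes for a given list.
def decision_table(trusted_hosts)
  SAMPLES.transform_values do |req|
    { reported: allowed_as_reported?(req, trusted_hosts),
      fail_closed: allowed_fail_closed?(req, trusted_hosts) }
  end
end

if __FILE__ == $PROGRAM_NAME
  [[], ["foreman.example.com"]].each do |list|
    puts "trusted_hosts = #{list.inspect}"
    decision_table(list).each { |name, d| puts "  #{name}: #{d}" }
  end
end
```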
#2 Updated by Dominic Cleal over 8 years ago
- Is duplicate of Bug #7822: CVE-2014-3691 - Smart proxy doesn't perform verification of client SSL certificate on API requests added
#3 Updated by Dominic Cleal over 8 years ago
- Is duplicate of Bug #6589: Trusted host list seems to be ignored added
#4 Updated by Dominic Cleal over 8 years ago
- Status changed from New to Duplicate