
Feature #969

Direct Client->Foreman communication shouldn't be needed (and moved to the Proxy)

Added by Marcello de Sousa about 8 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: TFTP
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

When provisioning a machine, the client needs to access foreman unattended urls, such as:
http://foreman/unattended/kickstart
and
http://foreman/unattended/built

That means firewall open to foreman (and the API).
I think the architecture and security would improve if Foreman could be as isolated as possible, not depending on being open to the machines it manages... Those tasks should be left to the proxy.

The suggested solution:
Client communications directed to Foreman should be moved to the proxy (in this case, the one running on the master) so you only need port 8140 (puppetmaster) + 8443 (foreman-proxy) open.

Note:
The proxy doesn’t really need to simply forward the request (although this is also a valid initial solution). It could have some intelligence to validate them or serve the unattended itself (pre fetching template information or something like it)…

http://i.imgur.com/aJlN5.png

Attachment: Foreman_Arch.png (67.8 KB), "Foreman architecture change", Marcello de Sousa, 06/09/2011 05:23 AM
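The relay the description asks for, as an added example written for this page (it is not Foreman or Smart Proxy code, and is not the templates plugin that later landed). It assumes a proxy that exposes only the two client-facing endpoints named above, requires the install token that Foreman uses for host identity (revision 81159d4b), and fetches the template from Foreman over Net::HTTP. The module name, the token format rule and the `fetch` injection point are this example's own choices, not project API:

```ruby
require 'uri'
require 'net/http'

# Added example, not smart-proxy code: a minimal relay that lets provisioning
# clients reach Foreman's unattended endpoints without a firewall hole to Foreman.
module UnattendedRelay
  # Only the endpoints the ticket names are reachable through the relay; the
  # API, the UI and every other Foreman route stay unreachable from client nets.
  ALLOWED_KINDS = %w[kickstart built].freeze
  PATH_RE = %r{\A/unattended/(#{ALLOWED_KINDS.join('|')})\z}
  # Assumption for this example: a token is an opaque URL-safe string of
  # bounded length. Anything else is refused before Foreman is contacted.
  TOKEN_RE = /\A[A-Za-z0-9._-]{16,128}\z/

  Request = Struct.new(:kind, :token, keyword_init: true)

  # Returns a Request, or nil when the path is outside the allowlist or the
  # token is missing/malformed. Anchored regexes mean '/unattended/kickstart/../api'
  # does not match, so the relay cannot be used as an open proxy.
  def self.parse(path, params)
    m = PATH_RE.match(path)
    return nil unless m
    token = params['token'].to_s
    return nil unless TOKEN_RE.match?(token)
    Request.new(kind: m[1], token: token)
  end

  # Upstream URL on the Foreman side: same endpoint, token passed through.
  def self.upstream_uri(foreman_base, req)
    uri = URI.join(foreman_base, "/unattended/#{req.kind}")
    uri.query = URI.encode_www_form(token: req.token)
    uri
  end

  # fetch: callable (uri, headers) -> [status, body]; defaults to Net::HTTP so
  # tests can inject a fake and the block runs offline.
  def self.relay(path, params, client_ip, foreman_base:, fetch: method(:http_fetch))
    return [404, 'not found'] unless PATH_RE.match?(path)
    req = parse(path, params)
    return [403, 'missing or malformed token'] unless req
    # Forwarding header comes from the socket peer address, never from a header
    # the client sent, so the relay does not become an IP-spoofing vector for
    # any address-based check Foreman still performs (see Bug #1208).
    headers = { 'X-Forwarded-For' => client_ip }
    fetch.call(upstream_uri(foreman_base, req), headers)
  end

  def self.http_fetch(uri, headers)
    get = Net::HTTP::Get.new(uri)
    headers.each { |k, v| get[k] = v }
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(get) }
    [res.code.to_i, res.body]
  end
end

if $PROGRAM_NAME == __FILE__
  # Stand-alone run against a constructed fake Foreman (no network needed).
  fake = ->(uri, _headers) { [200, "template for #{uri}"] }
  p UnattendedRelay.relay('/unattended/kickstart', { 'token' => 'a' * 32 }, '10.0.0.5',
                          foreman_base: 'http://foreman.example.com', fetch: fake)
  p UnattendedRelay.relay('/api/hosts', { 'token' => 'a' * 32 }, '10.0.0.5',
                          foreman_base: 'http://foreman.example.com', fetch: fake)
end
```

The point of the allowlist plus the token requirement is that the proxy listener open to client networks offers nothing except what a host being built legitimately needs, and that identity is carried by the token rather than by the client's source address, which the proxy is in a position to forge.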

Related issues

Related to Foreman - Feature #1069: Unattended install behind firewall and built status (Closed, 2011-07-26)
Related to Foreman - Bug #1208: Unauthenticated IP spoofing should not be allowed (Closed, 2011-10-04)
Related to Foreman - Feature #1970: Override the foreman_url hostname (New, 2012-11-22)
Related to Smart Proxy - Feature #11582: Implement proxy API for "built" command (Rejected, 2015-08-27)
Related to Foreman - Feature #17316: Proxy templating needs TFTP feature to be turned on (Closed, 2016-11-11)
Blocks Katello - Tracker #8172: Isolate Client Communication through a Capsule (New, 2014-10-29)
Blocks Discovery - Feature #8147: Support for HTTP proxy (New, 2014-10-29)

Associated revisions

Revision 81159d4b (diff)
Added by Greg Sutcliffe almost 7 years ago

Use tokens for discovery of host identity during installation

- fixes #1069
- fixes #1720
- refs #969

Revision 2094e4e8 (diff)
Added by Greg Sutcliffe over 4 years ago

Refs #969 - Foreman-side changes for serving templates from the proxy

Revision a53d835a (diff)
Added by dustin tsang over 4 years ago

Refs #969 - Proxy-side changes for serving templates from the proxy

An update to @GregSutcliffe's original PR. Ports his original feature to the new
plugin api.

Revision 8e01bb10 (diff)
Added by Greg Sutcliffe over 4 years ago

Refs #969 - Foreman-side changes for serving templates from the proxy

(cherry picked from commit 2094e4e8b049e6cae32326c33a7ba73cc4047b9f)

History

#1 Updated by Ohad Levy almost 8 years ago

  • Target version deleted (0.3)

#2 Updated by Marcello de Sousa over 7 years ago

I can't use Foreman in production with this issue, so a workaround I'm using at the moment is to add to the vhost something like this:

  # Default: only the admin networks may reach any Foreman URL (UI and API).
  <Location />
    Order Deny,Allow
    Deny from all
    Allow from <my allowed nets ex: 192.168.0.0/24>
    Allow from 127.0.0.1
  </Location>
  # Exception: the client networks may reach only the two unattended endpoints.
  <Location ~ "^/unattended/(kickstart|built)$">
    Order Deny,Allow
    Deny from all
    Allow from <my client nets where only unattended should be available>
  </Location>

#3 Updated by Karl Vollmer almost 7 years ago

This is a barrier to my use of Foreman for provisioning due to my clients being on an internal non-routed network. As a short-term fix we've used iptables on the smart-proxy (only system with external access to the foreman) to forward requests from the internal clients, my configuration also requires https://github.com/theforeman/foreman/pull/102 as well to completely resolve the issue.

#4 Updated by Mike Doherty almost 7 years ago

I've tried my hand at allowing the Smart Proxy to manage the ACL for a Squid proxy, so hosts that can't reach Foreman directly can use the Squid proxy.

#5 Updated by Greg Sutcliffe almost 6 years ago

  • Category set to TFTP
  • Status changed from New to Assigned
  • Assignee set to Greg Sutcliffe

Here's an approach allowing the client to request its template from the smart-proxy by adding new routes to the smart-proxy:

https://github.com/theforeman/foreman/pull/751
https://github.com/theforeman/smart-proxy/pull/100

Caveat: Proxy needs to be running in 'http' mode, not 'https' as it cannot currently listen on two ports.

#6 Updated by Ohad Levy almost 5 years ago

  • Legacy Backlogs Release (now unused) set to 21

#7 Updated by The Foreman Bot almost 5 years ago

  • Status changed from Assigned to Ready For Testing
  • Target version set to 1.7.2
  • Pull request https://github.com/theforeman/smart-proxy/pull/224 added

#8 Updated by Dominic Cleal over 4 years ago

  • Legacy Backlogs Release (now unused) deleted (21)

#9 Updated by Eric Helms over 4 years ago

  • Blocks Tracker #8172: Isolate Client Communication through a Capsule added

#10 Updated by Dominic Cleal over 4 years ago

  • Status changed from Ready For Testing to Closed
  • Assignee changed from Greg Sutcliffe to dustin tsang
  • % Done changed from 0 to 100
  • Legacy Backlogs Release (now unused) set to 21

#11 Updated by dustin tsang over 4 years ago

#12 Updated by Stephen Benjamin over 4 years ago

  • Bugzilla link set to 1197806

#13 Updated by Lukas Zapletal almost 4 years ago

For the record, it looks like clients still try to reach the Foreman server to do the "built" request. The ticket #1096 unfortunately did not solve what was in the subject text. Creating new ticket #11582 for this.

#14 Updated by Lukas Zapletal almost 4 years ago

  • Related to Feature #11582: Implement proxy API for "built" command added

#15 Updated by Dominic Cleal over 2 years ago

  • Related to Feature #17316: Proxy templating needs TFTP feature to be turned on added
