Direct Client->Foreman communication shouldn't be needed (and moved to the Proxy)
That means firewall open to foreman (and the API).
I think the architecture and security would improve if Foreman could be as isolated as possible, not depending on being open to the machines it manages... Those tasks should be left to the proxy.
The suggested solution:
Client communications directed to Foreman should me moved to proxy (in this case, the one running on the master) so you only need port 8140(puppetmaster) + 8443 (foreman-proxy) open.
The proxy doesn’t really need to simply forward the request (although this is also a valid initial solution). It could have some intelligence to validate them or serve the unattended itself (pre fetching template information or something like it)…
Refs #969 - Proxy-side changes for serving templates from the proxy
An update to @GregSutcliffe's original PR. Ports his original feature to the new
#2 Updated by Marcello de Sousa over 7 years ago
I can't use foreman in production with this issue so a workaround I'm using at the moment is to add to the vhost something like this:
<Location /> Order Deny,Allow Deny from all Allow from <my allowed nets ex: 192.168.0.0/24> Allow from 127.0.0.1 </Location> <Location ~ "^/unattended/(kickstart|built)$" > Order Deny,Allow Deny from all Allow from <my client nets where only unattended should be available> </Location>
#3 Updated by Karl Vollmer almost 7 years ago
This is a barrier to my use of Foreman for provisioning due to my clients being on an internal non-routed network. As a short-term fix we've used iptables on the smart-proxy (only system with external access to the foreman) to forward requests from the internal clients, my configuration also requires https://github.com/theforeman/foreman/pull/102 as well to completely resolve the issue.
#5 Updated by Greg Sutcliffe almost 6 years ago
- Category set to TFTP
- Status changed from New to Assigned
- Assignee set to Greg Sutcliffe
Here's an approach allowing the client to request it's template from the smart-proxy by adding new routes to the smart-proxy:
Caveat: Proxy needs to be running in 'http' mode, not 'https' as it cannot currently listen on two ports.