Feature #969
closed
Direct Client->Foreman communication shouldn't be needed (and moved to the Proxy)
Added by Marcello de Sousa over 13 years ago.
Updated over 6 years ago.
Description
When provisioning a machine, the client needs to access foreman unattended urls, such as:
http://foreman/unattended/kickstart
and
http://foreman/unattended/built
That means firewall open to foreman (and the API).
I think the architecture and security would improve if Foreman could be as isolated as possible, not depending on being open to the machines it manages... Those tasks should be left to the proxy.
The suggested solution:
Client communications directed to Foreman should me moved to proxy (in this case, the one running on the master) so you only need port 8140(puppetmaster) + 8443 (foreman-proxy) open.
Note:
The proxy doesn’t really need to simply forward the request (although this is also a valid initial solution). It could have some intelligence to validate them or serve the unattended itself (pre fetching template information or something like it)…
http://i.imgur.com/aJlN5.png
Files
- Target version deleted (
0.3)
I can't use foreman in production with this issue so a workaround I'm using at the moment is to add to the vhost something like this:
<Location />
Order Deny,Allow
Deny from all
Allow from <my allowed nets ex: 192.168.0.0/24>
Allow from 127.0.0.1
</Location>
<Location ~ "^/unattended/(kickstart|built)$" >
Order Deny,Allow
Deny from all
Allow from <my client nets where only unattended should be available>
</Location>
This is a barrier to my use of Foreman for provisioning due to my clients being on an internal non-routed network. As a short-term fix we've used iptables on the smart-proxy (only system with external access to the foreman) to forward requests from the internal clients, my configuration also requires https://github.com/theforeman/foreman/pull/102 as well to completely resolve the issue.
I've tried my hand at allowing the Smart Proxy to manage the ACL for a Squid proxy, so hosts that can't reach Foreman directly can use the Squid proxy.
- Category set to TFTP
- Status changed from New to Assigned
- Assignee set to Greg Sutcliffe
- Translation missing: en.field_release set to 21
- Status changed from Assigned to Ready For Testing
- Target version set to 1.7.2
- Pull request https://github.com/theforeman/smart-proxy/pull/224 added
- Translation missing: en.field_release deleted (
21)
- Blocks Tracker #8172: Isolate Client Communication through a Capsule added
- Status changed from Ready For Testing to Closed
- Assignee changed from Greg Sutcliffe to dustin tsang
- % Done changed from 0 to 100
- Translation missing: en.field_release set to 21
- Bugzilla link set to 1197806
For the record, it looks like clients still try to reach the Foreman server to do the "built" request. The ticket #1096 unfortunately did not solve what was in the subject text. Creating new ticket #11582 for this.
- Related to Feature #11582: Implement proxy API for "built" command added
- Related to Feature #17316: Proxy templating needs TFTP feature to be turned on added
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 