Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Openstack contrib: WSGI endpoints listen on all interfaces #916

Open
pengwyn opened this issue Jan 20, 2025 · 0 comments
Open

Openstack contrib: WSGI endpoints listen on all interfaces #916

pengwyn opened this issue Jan 20, 2025 · 0 comments

Comments

@pengwyn
Copy link
Contributor

pengwyn commented Jan 20, 2025

I believe there is an unnecessary open port in the current configuration for the openstack helpers. The current configuration seems to be:

  • haproxy balances TCP traffic to each unit limiting to only the appropriate subnet
  • apache2 openstack_https_frontend.conf terminates the TLS traffic and limits to only the appropriate incoming subnet
  • apache2 wsgi-openstack-api.conf then runs the openstack API processes, but does not limit to any subnet/interface

The last part is due to the lines in wsgi-openstack-api.conf which read:

<VirtualHost *:{{ port }}>

Although this is not the public endpoint exposed via HTTPS, this is a HTTP endpoint which is available to anyone on the network connected to where these servers are running. Without additional security layers, this is then exposed globally.

Is my summary above correct or have I missed something?

Because the TLS terminating layer is reverse proxying to the WSGI HTTP endpoint on localhost only, is it possible to hardcode the interface in wsgi-openstack-api.conf to listen on localhost only?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@pengwyn