openstack/openstack-ansible
Code Issues Proposed changes

Deny access to any paths including /. for console proxies.

Browse Source 
This prevents serving files in the .git subdirectory.

Change-Id: I8b294747100ffad92fd7dba884b2bfcd386e00ff
This commit is contained in:
Jonathan Rosser 2024-11-11 12:00:20 +00:00
parent 56a970a588
commit 7603b53145
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
inventory/group_vars/nova_all/haproxy_service.yml
View File

@ -71,6 +71,8 @@ haproxy_nova_spice_console_service:
haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and 'spice' in nova_console_proxy_types }}"
haproxy_frontend_raw:
- "http-request deny if { path -m sub /. }"
haproxy_nova_serial_console_service:
haproxy_service_name: nova_serial_console
@ -88,6 +90,8 @@ haproxy_nova_serial_console_service:
haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and 'serialconsole' in nova_console_proxy_types) or
(groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and 'serialconsole' in nova_console_proxy_types) }}"
haproxy_frontend_raw:
- "http-request deny if { path -m sub /. }"
haproxy_nova_novnc_console_service:
haproxy_service_name: nova_novnc_console
@ -104,6 +108,8 @@ haproxy_nova_novnc_console_service:
haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and 'novnc' in nova_console_proxy_types }}"
haproxy_frontend_raw:
- "http-request deny if { path -m sub /. }"
# NOTE(jrosser) Clean up legacy console haproxy configs from previous releases
haproxy_nova_console_service: