openstack/kolla-ansible
Code Issues Proposed changes

Deny access to server-status via single frontend

Browse Source 
This change denies access to `server-status` when the using `single
frontend` configuration for public API services with `HAProxy`.

Closes-Bug: #2121626
Change-Id: I447212df92c0da4248e44f652fc66c7381a404bb
Signed-off-by: Jack Hodgkiss <jack@stackhpc.com>
This commit is contained in:
Jack Hodgkiss
2025-08-28 22:48:01 +01:00
committed by Michal Nasiadka
parent b086ee9b38
commit 6eae55b584
2 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ansible/roles/loadbalancer/templates/haproxy/haproxy_external_frontend.cfg.j2
View File

@@ -9,3 +9,4 @@ frontend external_frontend
http-request set-header X-Forwarded-Proto https if { ssl_fc }
bind {{ kolla_external_vip_address }}:{{ haproxy_external_single_frontend_public_port }} {{ external_tls_bind_info }}
use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/external-frontend-map,{{ haproxy_external_single_frontend_default_backend }})]
http-request deny if { path -i -m beg /server-status }

5
releasenotes/notes/deny-server-status-via-single-frontend-33bbf3b9688a9ae4.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
security:
- |
Deny access to /server-status via the single frontend.
`LP#2121626 <https://bugs.launchpad.net/kolla-ansible/+bug/2121626>`__