Merge pull request #413 from stackhpc/upstream/yoga-2023-08-21

Synchronise yoga with upstream
stackhpc · Aug 21, 2023 · 036a2c1 · 036a2c1
2 parents 0e5908c + 15fdf1b
commit 036a2c1
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
@@ -16,6 +16,9 @@ frontend {{ service_name }}_front
     mode {{ service_mode }}
     {% endif %}
     {% if service_mode == 'http' %}
+    {% if external|bool %}
+    http-request deny if { path -i -m beg /server-status }
+    {% endif %}
     {# Delete any pre-populated XFP header #}
     http-request del-header X-Forwarded-Proto
         {% for http_option in frontend_http_extra %}

diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
@@ -34,6 +34,10 @@ TraceEnable off
         Require all granted
     </Location>
 
+    <Location "/server-status">
+        Require local
+    </Location>
+
 {% if kolla_base_distro in ['debian', 'ubuntu'] and horizon_install_type == 'binary' %}
     Alias /static /var/lib/openstack-dashboard/static
 {% else %}

diff --git a/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml b/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Restrict the access to the http Openstack services exposed /server-status
+    by default through the HAProxy on the public endpoint. Fixes issue for
+    Ubuntu/Debian installations. RockyLinux/CentOS not affected.
+    `LP#1996913 <https://bugs.launchpad.net/kolla-ansible/+bug/1996913>`__