diff --git a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 index 7dfbcc012e..c932e197fc 100644 --- a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 +++ b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 @@ -16,6 +16,9 @@ frontend {{ service_name }}_front mode {{ service_mode }} {% endif %} {% if service_mode == 'http' %} + {% if external|bool %} + http-request deny if { path -i -m beg /server-status } + {% endif %} {# Delete any pre-populated XFP header #} http-request del-header X-Forwarded-Proto {% for http_option in frontend_http_extra %} diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2 index b54591e563..d21aea26e3 100644 --- a/ansible/roles/horizon/templates/horizon.conf.j2 +++ b/ansible/roles/horizon/templates/horizon.conf.j2 @@ -34,6 +34,10 @@ TraceEnable off Require all granted + + Require local + + {% if kolla_base_distro in ['debian', 'ubuntu'] and horizon_install_type == 'binary' %} Alias /static /var/lib/openstack-dashboard/static {% else %} diff --git a/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml b/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml new file mode 100644 index 0000000000..ebf0f8f782 --- /dev/null +++ b/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml @@ -0,0 +1,7 @@ +--- +security: + - | + Restrict the access to the http Openstack services exposed /server-status + by default through the HAProxy on the public endpoint. Fixes issue for + Ubuntu/Debian installations. RockyLinux/CentOS not affected. + `LP#1996913 `__