From e365f4b70dc9d4871c8dfbab3c0f1fee50d6fee9 Mon Sep 17 00:00:00 2001
From: Maksim Malchuk <maksim.malchuk@gmail.com>
Date: Tue, 8 Aug 2023 11:35:55 +0300
Subject: [PATCH] Deny access to public /server-status in http Openstack
 services

This change blocks access to the public /server-status URL on all
http services exposed by HAProxy, and also fixes an issue with Horizon
where 'Require all granted' opened access to /server-status in
HAProxy-less configurations. Without this change the issue
affects only Ubuntu/Debian installations, where mod_status in Apache2
is enabled by default.

Closes-Bug: #1996913
Change-Id: I3ec1af6353c3ecc64589599abe375b0ae9b14d5c
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
---
 .../templates/haproxy_single_service_split.cfg.j2          | 3 +++
 ansible/roles/horizon/templates/horizon.conf.j2            | 4 ++++
 .../http-services-deny-server-status-39d0259664053e59.yaml | 7 +++++++
 3 files changed, 14 insertions(+)
 create mode 100644 releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml

diff --git a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
index 0da0a511c..c795ce267 100644
--- a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
+++ b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
@@ -16,6 +16,9 @@ frontend {{ service_name }}_front
     mode {{ service_mode }}
     {% endif %}
     {% if service_mode == 'http' %}
+    {% if external|bool %}
+    http-request deny if { path -i -m beg /server-status }
+    {% endif %}
     {# Delete any pre-populated XFP header #}
     http-request del-header X-Forwarded-Proto
         {% for http_option in frontend_http_extra %}
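Review bot: The new `http-request deny` at L33 is wrapped in `{% if external|bool %}`, so only the external frontends get the rule and `/server-status` stays reachable through the internal frontend of the same service; that matches the "public" scope in the commit message, but nothing in the template says so, and a later reader may not know which frontends the guard excludes. A Jinja comment above the guard would carry the intent, e.g. `{# LP#1996913: keep Apache mod_status output off the public frontends; internal frontends are left unchanged #}`. The default deny answers 403, which still confirms the path exists; if hiding it is preferred, `http-request deny deny_status 404 if { path -i -m beg /server-status }` does that. Note also that `-m beg` is a prefix match, so any path starting with `/server-status` is denied, which is harmless here but worth stating in the comment. The enclosing frontend block starts and ends outside the hunk.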
diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
index 953d070b5..0c6cc0eb2 100644
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
@@ -30,6 +30,10 @@ TraceEnable off
         Require all granted
     </Location>
 
+    <Location "/server-status">
+        Require local
+    </Location>
+
     Alias /static {{ python_path }}/static
     <Location "/static">
         SetHandler None
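Review bot: The new `<Location "/server-status">` with `Require local` (L46-L48) depends on being declared after the broader `<Location>` that closes at L44 with `Require all granted`, because Apache merges `<Location>` sections in configuration order with later sections overriding earlier ones; moving the block above that section would silently re-open the page, and nothing in the file records this. A comment would protect the ordering, e.g. `# mod_status is enabled by default on Debian/Ubuntu; keep /server-status loopback-only and declare this after the catch-all Location (LP#1996913)`. `Require local` admits only connections from the loopback interface, so requests relayed by HAProxy or any other host are refused, while processes that share the container's network namespace can presumably still read it — confirm that matches the intended boundary. The enclosing VirtualHost and the preceding `<Location>` block start outside the hunk.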
diff --git a/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml b/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml
new file mode 100644
index 000000000..ebf0f8f78
--- /dev/null
+++ b/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Restrict the access to the http Openstack services exposed /server-status
+    by default through the HAProxy on the public endpoint. Fixes issue for
+    Ubuntu/Debian installations. RockyLinux/CentOS not affected.
+    `LP#1996913 <https://bugs.launchpad.net/kolla-ansible/+bug/1996913>`__
-- 
GitLab