Fresh install and can access Foreman Web UI from Smart proxy

Hi all,

I have a fresh install of Foreman with Katello and an external smart proxy. The proxy has successfully registered and is communicating with Foreman.

However, the Web UI is accessible from the smart proxy. Is this intended?

This doesn't bother me, but other people in my team say this is a security risk (I don't think it is).

Thanks,
Conor

It's Foreman 1.15.6 and Katello 3.4.

I suspect you have incorrectly installed your smart proxy.

With Katello 3.5 (freshly installed) I have JUST installed 2 smart proxies into my architecture (more to come). When I attempt to hit either of them through:

https://<fqdn.system.name>

I get a 403 - Forbidden attempting to access / on the smart proxy, which I think is what I’m supposed to get.

Accessing 9090 on that port gives me a browser “import certificate” pop up (should be expecting a certificate signed by the Katello Root CA) which I haven’t tried to get past.

The correct installation of the smart proxy is seen by following this documentation: (For Katello 3.4 which is what you said you have installed).

https://theforeman.org/plugins/katello/3.4/installation/smart_proxy.html

NOTE: The proxy installation starts with:

foreman-installer --scenario foreman-proxy-content

NOT

foreman-installer --scenario katello

I wouldn’t know why you have access to your web UI through your smart proxy, but unless the smart proxy is in a DMZ you’re no less safe…whether you type in webserver1.domain.com or webserver2.domain.com is no different.

Can you try https://<fqdn.system.name>:8443, as this is the port I'm able to access it by? It appears to be able to manipulate the central Foreman database, which leads me to believe it's not its own Foreman instance.

Also below is the install command I used. Note I used the foreman-proxy-content scenario.

foreman-installer --scenario foreman-proxy-content \
  --foreman-proxy-content-parent-fqdn "foreman.fqdn" \
  --foreman-proxy-register-in-foreman "true" \
  --foreman-proxy-foreman-base-url "https://foreman.fqdn" \
  --foreman-proxy-trusted-hosts "foreman.fqdn" \
  --foreman-proxy-trusted-hosts "proxy.fqdn" \
  --foreman-proxy-oauth-consumer-key "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  --foreman-proxy-oauth-consumer-secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  --foreman-proxy-content-pulp-oauth-secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  --foreman-proxy-content-certs-tar "/root/certs.tar" \
  --puppet-server-foreman-url "https://foreman.fqdn" \
  --foreman-proxy-dhcp "true" \
  --foreman-proxy-dhcp-interface "ens160" \
  --enable-foreman-proxy-plugin-discovery \
  --enable-foreman-proxy-plugin-ansible \
  --enable-foreman-proxy-plugin-remote-execution-ssh \
  --foreman-proxy-bmc "true" \
  --puppet-version "latest"

Appears to be this bug: Bug #12646: Isolated Reverse proxy exposes all of Katello/Foreman - Katello - Foreman

2 Likes
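The thread narrows the question down to a concrete check: does the root URL of the smart proxy on 443, 8443 or 9090 answer with a 403, as a content proxy should, or with the Foreman login page (200) or a redirect to it (301/302)? The script below is an added example, not part of this thread and not a Foreman or Katello tool; it probes those three ports on a hostname you pass in (`proxy.fqdn` is a placeholder) and flags any port that serves or redirects to a web UI, so the team can verify whether a given proxy is affected by the exposure described in #12646 rather than arguing about it.

```shell
#!/bin/sh
# Constructed audit helper (not from the thread): probe the ports the thread
# mentions on a smart proxy and flag any that answer on "/" with a web UI
# (200) or a redirect to one (301/302) instead of the expected 403.

# classify STATUS -> prints a verdict for an HTTP status seen on the proxy root.
classify() {
  case "$1" in
    403)          echo "expected: proxy refuses / (403)" ;;
    200|301|302)  echo "EXPOSED: proxy serves or redirects to a web UI ($1)" ;;
    000)          echo "unreachable: no HTTP response (TLS or connection failure)" ;;
    *)            echo "unexpected: HTTP $1, inspect manually" ;;
  esac
}

# probe HOST PORT -> prints only the HTTP status code of https://HOST:PORT/
# curl prints 000 itself when no response arrives, so a failing curl is tolerated.
# -k is used because the proxy presents a certificate signed by the Katello CA;
# replace it with --cacert <katello-ca.crt> when that CA file is available locally.
# Port 9090 normally demands a client certificate, so 000 there is not alarming.
probe() {
  curl -k -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "https://$1:$2/" 2>/dev/null || true
}

# audit HOST -> probes 443, 8443 and 9090; returns 1 if any port is EXPOSED.
audit() {
  host="$1"
  rc=0
  for port in 443 8443 9090; do
    status=$(probe "$host" "$port")
    verdict=$(classify "$status")
    echo "$host:$port -> $verdict"
    case "$verdict" in EXPOSED*) rc=1 ;; esac
  done
  return $rc
}

# Usage: sh check_proxy.sh proxy.fqdn   (hostname is a placeholder)
if [ -n "$1" ]; then
  audit "$1"
fi
```

A non-zero exit from `audit` is the signal to look at the proxy's Apache reverse-proxy configuration for the port that answered; an expected, correctly installed content proxy should report 403 on 443 and 8443 in this check.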

OH YOU ARE RIGHT!!!

Yea, 8443 on a smart proxy definitely forwards me over to the web UI.

@katello are there any plans to work on #12646 in the near future? @magarvo doesn’t seem in a hurry, but clarifying status doesn’t hurt I guess :slight_smile:

1 Like

@Gwmngilfen It doesn’t look like we are as no one is assigned, but we can revisit it at our next triage and see if there are any takers :slight_smile:

2 Likes