We are attempting to set up an isolated capsule server for content and
subscriptions. The capsule server is set up for reverse proxy to support
subscription management. The reverse proxy seems to expose the entire
foreman/katello application if you actually hit https://host:8443. This
seems like a big security hole for people not wanting to expose foreman
but just the isolated capsule. Is this correct? If so, is there a way to
prevent this?
Thanks
Travis
The documentation is wrong.
The katello server communicates with the capsule server on port 9090
only, not 8443 as the diagram says.
The capsule communicates back to the katello server on 2 ports:
443/tcp 5647/tcp.
All the clients need these capsule ports open for communication: 8443/tcp
443/tcp 8000/tcp 8140/tcp 5647/tcp 67/udp 68/udp 69/udp.
Now, if you are talking about having katello and the capsule integrated on
the same server, well yes, you are exposing your foreman instance, because
foreman can deploy on the same ports as the capsule and they need to be open.
The capsule isolation is just about the communication that exists between
the katello server and the capsule; in the end both expose the same ports for
provisioning, pulp, puppet and subscription manager. It is not something
where the capsule is going to contain all the connections of the client on
port 443, for example.
[image: Diagram of Communication]
On Saturday, November 28, 2015 at 6:54:25 PM UTC+11, Travis Camechis wrote:
Thanks Justin, I will do that.
On Saturday, November 28, 2015 at 2:54:25 AM UTC-5, Travis Camechis wrote:
After doing some investigation: the client hits the reverse proxy on
the capsule at 8443 and it gets proxied to the backend Katello instance.
If from a browser I actually hit the URL, for instance
https://capsule:8443/, it actually takes me directly to the foreman box,
and that looks to be how the reverse proxy is set up on an isolated capsule.
That seems to be somewhat of a security hole since you're exposing the full
Katello instance to the outside. I modified the reverse proxy to only
proxy /rhsm URLs, and that seems to be a little better and subscription
management still works.
On Saturday, November 28, 2015 at 9:39:41 AM UTC-5, Mario Gamboa wrote:
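The change Travis describes, shown as an added example rather than Katello's own capsule template: the catch-all `ProxyPass /` that forwards every request on 8443 to the parent, next to a version that forwards only the `/rhsm` paths subscription-manager uses and denies the rest on the capsule itself. It assumes the capsule runs Apache httpd 2.4 with mod_ssl and mod_proxy; `capsule.example.com`, `katello.example.com` and the certificate paths are placeholders.

```apache
# Added example, not the project's installer template. Assumes Apache httpd 2.4
# with mod_ssl and mod_proxy on the capsule; host names and certificate paths
# are placeholders.

# BEFORE: catch-all reverse proxy. Every path on the capsule's 8443 is
# forwarded to the parent, so https://capsule:8443/ serves the whole
# Foreman/Katello application to anyone who can reach the capsule.
<VirtualHost *:8443>
    ServerName capsule.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/katello/certs/capsule.example.com.crt
    SSLCertificateKeyFile /etc/pki/katello/private/capsule.example.com.key
    SSLProxyEngine on

    ProxyPass        / https://katello.example.com/
    ProxyPassReverse / https://katello.example.com/
</VirtualHost>

# AFTER: only /rhsm is forwarded. Every other path is answered with 403 by
# the capsule and never reaches the parent server.
<VirtualHost *:8443>
    ServerName capsule.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/katello/certs/capsule.example.com.crt
    SSLCertificateKeyFile /etc/pki/katello/private/capsule.example.com.key
    SSLProxyEngine on

    # Deny everything by default, then open only the subscription API.
    <Location />
        Require all denied
    </Location>
    <Location /rhsm>
        Require all granted
    </Location>

    # Longer ProxyPass prefixes must come before shorter ones; the final
    # "/ !" makes the no-proxy default explicit for any path not listed.
    ProxyPass        /rhsm https://katello.example.com/rhsm
    ProxyPassReverse /rhsm https://katello.example.com/rhsm
    ProxyPass        /     !
</VirtualHost>
```

After reloading httpd, a request to `https://capsule.example.com:8443/` should return 403 from the capsule, while `subscription-manager register` against the capsule still succeeds because its `/rhsm` traffic is the only thing forwarded. If a later Katello release adds client paths beyond `/rhsm`, those need their own `Location` and `ProxyPass` entries rather than reopening `/`.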
Hi Travis,
I do think that we should at a minimum make this configurable and more
conservative by default. Do you mind filing an issue here:
http://projects.theforeman.org/projects/katello/issues/new
If you can provide the config changes you made to proxy just /rhsm, that
may speed up the fix as well.
Thanks!
On 11/28/2015 11:13 AM, Travis Camechis wrote: