Use a different port to replace 443

Hi All,

We are using forklift to deploy Foreman with Katello plugin. By default, it uses port 443 which we want to change with some other unused port.
Kindly suggest a way forward to achieve this using a forklift installation method.

PS: We tried editing forklift's playbook, replacing 443 with a random port number, but it is still using port 443. We looked at this RPM and found references to port 443.
RPM Name: katello-ca-consumer-XXX.-1.0-2.noarch.rpm

There are plans to have a look at this so things are configurable, but there are assumptions built into many places so we need to carefully look at many places which will take time. Right now with Katello there’s also a fair amount of coupling to the system’s hostname as well. This must be decoupled for HA scenarios as well. That’s probably the best time to look at a configurable port number.

As @ekohl mentioned, there are some places that assume that is the port being used. I’m curious as to the reasoning of why you wish to change the port number?


Hi, thanks for the quick info.
As per our security guidelines, we have been asked to change the port from 443 to any ephemeral unused port.
We are now in a position to either change the required port or else go for a deviation (in terms of security advisory).
We have been trying way hard to accomplish this, but no luck.
Let us know if there is any workaround/permanent fix for this.

Changing the port leads to no security benefit. Any attacker can easily and quickly enumerate all open ports on your server and identify apache running on any of them. This is security by obscurity, which is no security at all.
Changing the port will likely cause many unexpected results as discussed above, as some subsystems make assumptions regarding the ports communication is done over, and no testing is done to verify anything works with the ports changed.

Another reason we saw (can’t find the downstream BZ number right now) was to run Apache unprivileged, but our installer is not set up to be able to do this.

We are working on setting up Apache as a reverse proxy only which splits the responsibilities. It may be possible to run the reverse proxy on another machine and only run Puma on an application server. We will need to investigate the hosting of static files though.

I say this to emphasize that we’re working on making this easier, but there’s no known (supportable) workaround. You’ll have to choose between doing it all yourself and running into potential upgrade issues, or getting an exception to the policy. Since I don’t know your organization I can’t say which is easier :slight_smile: