Fuel for OpenStack

External available web services show version info

Bug #1349360 reported by Timur Nurlygayanov on 2014-07-28

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Fuel for OpenStack	Fix Committed	Medium	Sergii Golovatiuk	Fuel for OpenStack 6.0

Bug Description

Fuel master node and controllers with Horizon dashboard have default configurations files for Web services, and web services show the version info, we need to avoid this in production, when Fuel master or Horizon dashboard can be available from the external network.

This is minor security issue.

How to fix:

1) set in /etc/httpd/httpd.conf 'ServerTokens Prod' instead of 'ServerTokens OS'.
2) add 'server_tokens off;' to http section in /etc/nginx/nginx.conf

Example of fix:
# Set production mode for Apache and nginx services
sed -i 's/ServerTokens OS/ServerTokens Prod/' /etc/httpd/conf/httpd.conf
sed -i 's/http {/http {\n server_tokens off;/' /etc/nginx/nginx.conf
service httpd restart ; service nginx restart

Tags:

Dmitry Pyzhov (dpyzhov) on 2014-08-18

Changed in fuel:
assignee:	nobody → Fuel Library Team (fuel-library)

Bogdan Dobrelya (bogdando) on 2014-08-18

Changed in fuel:
status:	Confirmed → Triaged

Stanislaw Bogatkin (sbogatkin) on 2014-09-03

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-04: Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/119019

Changed in fuel:
status:	Triaged → In Progress

Revision history for this message

Matthew Mosesohn (raytrac3r) wrote on 2014-09-04:

Timur, how can we confirm that this helps reduce exposure to version details on external networks? I can still see http://$ip:8000/api/version if I enable this feature.

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2014-09-15:

Matthew,

we need to hide version of Apache and nginx, but it is ok to show version of MOS.

OpenStack Infra (hudson-openstack) on 2014-10-30

Changed in fuel:
assignee:	Stanislaw Bogatkin (sbogatkin) → Sergii Golovatiuk (sgolovatiuk)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-30: Change abandoned on fuel-library (master)

Change abandoned by Stanislaw Bogatkin (<email address hidden>) on branch: master
Review: https://review.openstack.org/119019
Reason: due to: https://review.openstack.org/#/c/131672/4

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-03: Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/131672
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=9ea5104a432b0303f35606a3d7dc880f48f76d2f
Submitter: Jenkins
Branch: master

commit 9ea5104a432b0303f35606a3d7dc880f48f76d2f
Author: Sergii Golovatiuk <email address hidden>
Date: Wed Oct 29 09:56:02 2014 +0100

Set nginx default settings for master node

    - increase number of workers from 2 to half available CPUs.
    - enable epoll by default
    - enable tcpnopush
    - enable tcpnodelay
    - disable server_token

These settings allow to bootstrap many nodes in parallel allowing
anaconda and debian installer to get all files without timeout.

Partial-Bug: 1384510
Partial-Bug: 1349360

    Change-Id: I44054cf2afa1fa5a70ba064f4957b964947b2b2c
    Implements: blueprint 100-nodes-support
    Signed-off-by: Sergii Golovatiuk <email address hidden>

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-13: Fix proposed to fuel-library (stable/5.1)

Fix proposed to branch: stable/5.1
Review: https://review.openstack.org/134223

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-13: Fix merged to fuel-library (stable/5.1)

Reviewed: https://review.openstack.org/134223
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=9ee34175ffd0070fd5041ef3bc052d452f009654
Submitter: Jenkins
Branch: stable/5.1

commit 9ee34175ffd0070fd5041ef3bc052d452f009654
Author: Sergii Golovatiuk <email address hidden>
Date: Wed Oct 29 09:56:02 2014 +0100

Set nginx default settings for master node

    - increase number of workers from 2 to half available CPUs.
    - enable epoll by default
    - enable tcpnopush
    - enable tcpnodelay
    - disable server_token

These settings allow to bootstrap many nodes in parallel allowing
anaconda and debian installer to get all files without timeout.

Partial-Bug: 1384510
Partial-Bug: 1349360

    Change-Id: I44054cf2afa1fa5a70ba064f4957b964947b2b2c
    Implements: blueprint 100-nodes-support
    Signed-off-by: Sergii Golovatiuk <email address hidden>

Sergii Golovatiuk (sgolovatiuk) on 2014-11-24

Changed in fuel:
status:	In Progress → Fix Committed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.