This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch branch-2.8
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-2.8 by this push:
new 4d2a279dc94 [doc][proxy] Document how to mitigate CVE-2022-24280
(#17825)
4d2a279dc94 is described below
commit 4d2a279dc9429b14c08776f438c7f7564c8182e2
Author: Lari Hotari <[email protected]>
AuthorDate: Fri Sep 23 21:25:57 2022 +0300
[doc][proxy] Document how to mitigate CVE-2022-24280 (#17825)
(cherry picked from commit 0c0984a81488f6da0cf46576b50345bb08e78be7)
(cherry picked from commit 5ffd0b9da7b64a8157222243573c93a2b9d4195c)
---
site2/docs/administration-proxy.md | 77 +++++++++++++++++++++++++++++++-------
1 file changed, 63 insertions(+), 14 deletions(-)
diff --git a/site2/docs/administration-proxy.md
b/site2/docs/administration-proxy.md
index 07d1aab4ccc..704c84a6e1d 100644
--- a/site2/docs/administration-proxy.md
+++ b/site2/docs/administration-proxy.md
@@ -1,26 +1,20 @@
---
id: administration-proxy
title: Pulsar proxy
-sidebar_label: Pulsar proxy
+sidebar_label: "Pulsar proxy"
---
-Pulsar proxy is an optional gateway. Pulsar proxy is used when direction
connections between clients and Pulsar brokers are either infeasible or
undesirable. For example, when you run Pulsar in a cloud environment or on
[Kubernetes](https://kubernetes.io) or an analogous platform, you can run
Pulsar proxy.
+Pulsar proxy is an optional gateway. Pulsar proxy is used when direct
connections between clients and Pulsar brokers are either infeasible or
undesirable. For example, when you run Pulsar in a cloud environment or on
[Kubernetes](https://kubernetes.io) or an analogous platform, you can run
Pulsar proxy.
-## Configure the proxy
-
-Before using the proxy, you need to configure it with the brokers addresses in
the cluster. You can configure the proxy to connect directly to service
discovery, or specify a broker URL in the configuration.
+The Pulsar proxy is not intended to be exposed on the public internet. The
security considerations in the current design expect network perimeter
security. The requirement of network perimeter security can be achieved with
private networks.
-### Use service discovery
+If a proxy deployment cannot be protected with network perimeter security, the
alternative would be to use [Pulsar's "Proxy SNI routing"
feature](concepts-proxy-sni-routing.md) with a properly secured and audited
solution. In that case Pulsar proxy component is not used at all.
-Pulsar uses [ZooKeeper](https://zookeeper.apache.org) for service discovery.
To connect the proxy to ZooKeeper, specify the following in `conf/proxy.conf`.
-```properties
-zookeeperServers=zk-0,zk-1,zk-2
-configurationStoreServers=zk-0:2184,zk-remote:2184
-```
+## Configure the proxy
-> To use service discovery, you need to open the network ACLs, so the proxy
can connects to the ZooKeeper nodes through the ZooKeeper client port (port
`2181`) and the configuration store client port (port `2184`).
+Before using a proxy, you need to configure it with a broker's address in the
cluster. You can configure the broker URL in the proxy configuration, or the
proxy to connect directly using service discovery.
-> However, it is not secure to use service discovery. Because if the network
ACL is open, when someone compromises a proxy, they have full access to
ZooKeeper.
+> In a production environment service discovery is not recommended.
### Use broker URLs
@@ -37,25 +31,80 @@
functionWorkerWebServiceURL=http://function-workers.example.com:8080
```
If you use TLS, configure the broker URLs in the following way:
+
```properties
brokerServiceURLTLS=pulsar+ssl://brokers.example.com:6651
brokerWebServiceURLTLS=https://brokers.example.com:8443
functionWorkerWebServiceURL=https://function-workers.example.com:8443
```
-The hostname in the URLs provided should be a DNS entry which points to
multiple brokers or a virtual IP address, which is backed by multiple broker IP
addresses, so that the proxy does not lose connectivity to Pulsar cluster if a
single broker becomes unavailable.
+The hostname in the URLs provided should be a DNS entry that points to
multiple brokers or a virtual IP address, which is backed by multiple broker IP
addresses, so that the proxy does not lose connectivity to Pulsar cluster if a
single broker becomes unavailable.
The ports to connect to the brokers (6650 and 8080, or in the case of TLS,
6651 and 8443) should be open in the network ACLs.
Note that if you do not use functions, you do not need to configure
`functionWorkerWebServiceURL`.
+### Use service discovery
+
+Pulsar uses [ZooKeeper](https://zookeeper.apache.org) for service discovery.
To connect the proxy to ZooKeeper, specify the following in `conf/proxy.conf`.
+
+```properties
+zookeeperServers=zk-0,zk-1,zk-2
+configurationStoreServers=zk-0:2184,zk-remote:2184
+```
+
+> To use service discovery, you need to open the network ACLs, so the proxy
can connects to the ZooKeeper nodes through the ZooKeeper client port (port
`2181`) and the configuration store client port (port `2184`).
+
+> However, it is not secure to use service discovery. Because if the network
ACL is open, when someone compromises a proxy, they have full access to
ZooKeeper.
+
+### Restricting target broker addresses to mitigate CVE-2022-24280
+
+The Pulsar Proxy trusts clients to provide valid target broker addresses to
connect to.
+Unless the Pulsar Proxy is explicitly configured to limit access, the Pulsar
Proxy is vulnerable as described in the security advisory [Apache Pulsar Proxy
target broker address isn't validated
(CVE-2022-24280)](https://github.com/apache/pulsar/wiki/CVE-2022-24280).
+
+It is necessary to limit proxied broker connections to known broker addresses
by specifying `brokerProxyAllowedHostNames` and `brokerProxyAllowedIPAddresses`
settings.
+
+When specifying `brokerProxyAllowedHostNames`, it's possible to use a
wildcard.
+Please notice that `*` is a wildcard that matches any character in the
hostname. It also matches dot `.` characters.
+
+It is recommended to use a pattern that matches only the desired brokers and
no other hosts in the local network. Pulsar lookups will use the default host
name of the broker by default. This can be overridden with the
`advertisedAddress` setting in `broker.conf`.
+
+To increase security, it is also possible to restrict access with the
`brokerProxyAllowedIPAddresses` setting. It is not mandatory to configure
`brokerProxyAllowedIPAddresses` when `brokerProxyAllowedHostNames` is properly
configured so that the pattern matches only the target brokers.
+`brokerProxyAllowedIPAddresses` setting supports a comma separate list of IP
address, IP address ranges and IP address networks [(supported format
reference)](https://seancfoley.github.io/IPAddress/IPAddress/apidocs/inet/ipaddr/IPAddressString.html).
+
+Example: limiting by host name in a Kubernetes deployment
+```yaml
+ # example of limiting to Kubernetes statefulset hostnames that contain
"broker-"
+ PULSAR_PREFIX_brokerProxyAllowedHostNames: '*broker-*.*.*.svc.cluster.local'
+```
+
+Example: limiting by both host name and ip address in a `proxy.conf` file for
host deployment.
+```properties
+# require "broker" in host name
+brokerProxyAllowedHostNames=*broker*.localdomain
+# limit target ip addresses to a specific network
+brokerProxyAllowedIPAddresses=10.0.0.0/8
+```
+
+Example: limiting by multiple host name patterns and multiple ip address
ranges in a `proxy.conf` file for host deployment.
+```properties
+```properties
+# require "broker" in host name
+brokerProxyAllowedHostNames=*broker*.localdomain,*broker*.otherdomain
+# limit target ip addresses to a specific network or range demonstrating
multiple supported formats
+brokerProxyAllowedIPAddresses=10.10.0.0/16,192.168.1.100-120,172.16.2.*,10.1.2.3
+```
+
+
## Start the proxy
To start the proxy:
```bash
+
$ cd /path/to/pulsar/directory
$ bin/pulsar proxy
+
```
> You can run multiple instances of the Pulsar proxy in a cluster.
