[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-04-01 Thread Andres Rodriguez
maas-proxy was never meant to be used in internet-facing scenarios. The
maas-proxy configuration states that MAAS doesn't automatically add
networks and that one that it would. This will be done for 2.0 and won't
be done for any earlier release. MAAS documentation will be updated to
state this information more clearly, but this fix won't be backported to
earlier releases.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to maas in Ubuntu.
https://bugs.launchpad.net/bugs/1379567

Title:
  maas-proxy is an open proxy with no ACLs; it should add networks
  automatically

To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1379567/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-04-01 Thread LaMont Jones
For the 1.9 backport of this fix, rather than introduce a schema
migration (as done for 2.0), we'll simply allow all known subnets to use
the proxy, with a note in the proxy config to disable unwanted subnets
with iptables.

** Also affects: maas (Ubuntu Trusty)
   Importance: Undecided
   Status: New



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-31 Thread Jeff Lane
** Tags added: hwcert-server



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-31 Thread Jeff Lane
This also needs a 1.9 target as well.  I just discovered this while
investigating proxy issues on a customer MAAS server and found that they
have an open maas proxy with a ton of external connections to it :/



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-29 Thread LaMont Jones
** Branch linked: lp:~lamont/maas/create-maas-proxy.conf-packaging



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-24 Thread Andres Rodriguez
** Changed in: maas
   Status: Triaged => In Progress



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-23 Thread LaMont Jones
** Changed in: maas
 Assignee: (unassigned) => LaMont Jones (lamont)



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-09 Thread Mike Pontillo
I agree with the concerns about documentation.

Currently, maas-proxy is an optional package which does not depend on
the MAAS region server (or any other MAAS component). It's analogous to
squid-deb-proxy.

The squid-deb-proxy approach to security is to ship (in an
autogenerated/ directory, which you are not supposed to edit) an
allowed-networks-src.acl file, which contains the RFC 1918 IPv4
addresses, and the link-local IPv6 addresses by default.

We could add an additional dependency on the MAAS region (or at least, a
URL to the MAAS region which allows us to figure out which networks are
attached to MAAS), and try to be smart about which networks to add. But
I'm not sure a solution that complex is worth the cost. For now, perhaps
it would be sufficient to take the same approach that squid-deb-proxy
uses, and then document how to ensure it's both secure, and able to
allow any additional desired networks.

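
An added example, not part of the original thread and not MAAS or squid-deb-proxy code: a Python sketch of the allow-list approach described in the message above (it also covers the "allow all known subnets" backport mentioned elsewhere in the thread). It renders squid ACL lines for a set of subnets and checks a client address against a simplified model of squid's first-match `http_access` evaluation. The ACL name `maas_allowed`, the function names and the sample configuration are assumptions.

```python
import ipaddress

# Default allow list in the style the thread attributes to squid-deb-proxy:
# RFC 1918 IPv4 ranges plus IPv6 link-local.
DEFAULT_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10"]

# Constructed sample of an open-proxy rule set (not taken from maas-proxy).
OPEN_CONF = ["http_access allow all"]

def render_acl(subnets, name="maas_allowed"):
    """Return squid.conf lines allowing only `subnets` (ACL name is hypothetical)."""
    lines = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} matches every client and reopens the proxy")
        lines.append(f"acl {name} src {net}")
    return lines + [f"http_access allow {name}", "http_access deny all"]

def client_allowed(conf_lines, client_ip):
    """Simplified model of squid's first-match http_access evaluation.

    Handles only `acl NAME src CIDR...` and `http_access allow|deny NAME...`
    (every ACL named on a rule must match); other ACL types never match.
    """
    ip = ipaddress.ip_address(client_ip)
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"),
                    ipaddress.ip_network("::/0")]}
    last = None
    for raw in conf_lines:
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(p, strict=False) for p in parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            last = parts[1]
            if all(any(ip in n for n in acls.get(a, [])) for a in parts[2:]):
                return parts[1] == "allow"
    # No rule matched: squid applies the opposite of the last rule's action,
    # and denies when there are no http_access rules at all.
    return last == "deny"
```
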


[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-09 Thread Jay R. Wren
I'm disappointed that maas being an open proxy isn't mentioned anywhere in the 
documentation, that I could find. It should be mentioned in big bold red 
letters, maybe blink or marquee. The, "not designed to be run on the internet" 
is fine, but it should be well documented and so should the reason why. Many 
corporate networks are just as sensitive to internal security issues as they 
are to exposing public internet. Having an open proxy in their private network 
may harm their intranet security design.

We (team yellow) are running maas on a host on the internet. I
customized the squid config that maas-proxy uses to prevent it from
proxying for internet source requests. I suspect that the next maas
update will replace those changes, so I also added iptables rules to
block traffic to those ports from the internet.



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-09 Thread Mike Pontillo
I've seen users complain that when we change this file it gets
overwritten automatically. (I guess we should also move it to /var, if
we're going to be automatically generating the configuration.)

Should every network MAAS knows about be included in the allow list? Or
is finer control needed?



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-09 Thread Mike Pontillo
s/when we change this/when they change that/



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-03-04 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: maas (Ubuntu)
   Status: New => Confirmed



[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically

2016-02-18 Thread Andres Rodriguez
** Changed in: maas
Milestone: 1.9.0 => 2.0.0

** Changed in: maas
   Importance: Wishlist => Critical
