Apache should disable (or provide the option to disable) http port 80

Bug #1845665 reported by Nick Niehoff
This bug affects 3 people
Affects                                Status        Importance  Assigned to                 Milestone
Charm Helpers                          Invalid       Medium      Tiago Pasqualini da Silva
OpenStack Cinder Charm                 Fix Released  Medium      Tiago Pasqualini da Silva
OpenStack Glance Charm                 Fix Released  Medium      Tiago Pasqualini da Silva
OpenStack Heat Charm                   Fix Released  Medium      Tiago Pasqualini da Silva
OpenStack Keystone Charm               Fix Released  Medium      Tiago Pasqualini da Silva
OpenStack Neutron API Charm            Fix Released  Medium      Tiago Pasqualini da Silva
OpenStack Nova Cloud Controller Charm  Fix Released  Medium      Tiago Pasqualini da Silva
OpenStack Placement Charm              Triaged       Medium      Unassigned
OpenStack Swift Proxy Charm            Fix Released  Medium      Tiago Pasqualini da Silva

Bug Description

In many environments security requirements dictate SSL be enabled and specifically require http be disabled. The apache hardening should either disable http by default if ssl is enabled or should provide a configuration parameter allowing http to be disabled. Adding an HSTS header is also a good idea as Trent suggested here https://github.com/juju/charm-helpers/issues/129

Tags: sts
Revision history for this message
Rodrigo Barbieri (rodrigo-barbieri2010) wrote :

I believe regardless of hardening, if SSL is used, we could perhaps disable access to port 80 entirely.

I checked in my lab that the only way to effectively prevent port 80 from being open is to comment out or remove "Listen 80" from ports.conf.

Currently we do not handle that file. Perhaps we could manage it through the charm and add:

<IfModule !ssl_module>
        Listen 80
</IfModule>

Therefore, whenever ssl_module is not present, it will use port 80. I tested this in my lab, in one HTTP and one HTTPS deployment. With the above condition added in place of the default "Listen 80", port 80 was open only in the HTTP env.
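A way to check the conditional ports.conf idea above before it is rolled out, as an added example that is not part of this thread and not code from charm-helpers or any of the OpenStack charms: the script evaluates a ports.conf against a given set of loaded modules, honouring `<IfModule x>` and `<IfModule !x>` blocks, and returns the ports Apache would Listen on. Both sample files are constructed here (the first mirrors the stock Ubuntu ports.conf, the second the conditional form proposed above); the module names and the `http_exposed_with_ssl` helper are assumptions for this example.

```python
"""Evaluate which TCP ports an Apache ports.conf would open.

Added example, not code from charm-helpers or the OpenStack charms. It
walks a ports.conf, tracks <IfModule ...> / <IfModule !...> nesting
against a caller-supplied set of loaded modules, and collects the
Listen ports that are actually in effect.
"""
import re
from typing import Iterable, Set

# Constructed sample modelled on the stock Ubuntu ports.conf:
# "Listen 80" is unconditional, so port 80 stays open even with mod_ssl.
STOCK_PORTS_CONF = """\
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in sites-enabled/000-default.conf
Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>
"""

# Constructed sample following the proposal in the comment above:
# port 80 is only opened when mod_ssl is NOT loaded.
CONDITIONAL_PORTS_CONF = """\
<IfModule !ssl_module>
        Listen 80
</IfModule>

<IfModule ssl_module>
        Listen 443
</IfModule>
"""

_IFMODULE_OPEN = re.compile(r"<IfModule\s+(!?)\s*([^\s>]+)\s*>", re.IGNORECASE)
_IFMODULE_CLOSE = re.compile(r"</IfModule>", re.IGNORECASE)
# "Listen 80", "Listen 0.0.0.0:80", "Listen [::]:443 https"
_LISTEN = re.compile(r"Listen\s+(\S+)(?:\s+\S+)?", re.IGNORECASE)


def listen_port(arg: str) -> int:
    """Port number from a Listen argument, with or without an address."""
    return int(arg.rsplit(":", 1)[-1])


def listening_ports(conf: str, loaded_modules: Iterable[str]) -> Set[int]:
    """Ports opened by `conf` when exactly `loaded_modules` are loaded.

    Apache matches IfModule by module identifier (ssl_module) or by source
    file name (mod_ssl.c); pass whichever spellings the config uses.
    """
    loaded = set(loaded_modules)
    active = [True]  # stack: is the enclosing IfModule block enabled?
    ports: Set[int] = set()
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if m := _IFMODULE_OPEN.fullmatch(line):
            negated, name = m.group(1) == "!", m.group(2)
            present = name in loaded
            active.append(active[-1] and (present != negated))
        elif _IFMODULE_CLOSE.fullmatch(line):
            if len(active) == 1:
                raise ValueError(f"line {lineno}: </IfModule> without an open tag")
            active.pop()
        elif (m := _LISTEN.fullmatch(line)) and active[-1]:
            ports.add(listen_port(m.group(1)))
    if len(active) != 1:
        raise ValueError("unterminated <IfModule> block")
    return ports


def http_exposed_with_ssl(conf: str) -> bool:
    """True if the file still opens port 80 once mod_ssl is loaded (hypothetical check)."""
    return 80 in listening_ports(conf, {"ssl_module", "mod_ssl.c"})


if __name__ == "__main__":
    for label, conf in (("stock", STOCK_PORTS_CONF), ("conditional", CONDITIONAL_PORTS_CONF)):
        for mods in (set(), {"ssl_module"}):
            opened = sorted(listening_ports(conf, mods))
            print(f"{label:12s} loaded={sorted(mods) or '-'}: Listen ports {opened}")
        print(f"{label:12s} port 80 exposed with SSL: {http_exposed_with_ssl(conf)}")
```

On a real host the same question is answered by `apache2ctl -S` (which lists the Listen directives in effect) and `ss -ltnp`; the script is only a pre-deployment check of the file the charm would write, and it deliberately does not model Include directives or VirtualHost blocks.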

Changed in charm-helpers:
status: New → Confirmed
importance: Undecided → Medium
Changed in charm-cinder:
milestone: none → 20.01
Changed in charm-glance:
milestone: none → 20.01
Changed in charm-keystone:
milestone: none → 20.01
Changed in charm-neutron-api:
milestone: none → 20.01
Changed in charm-nova-cloud-controller:
milestone: none → 20.01
Changed in charm-swift-proxy:
milestone: none → 20.01
Changed in charm-cinder:
status: New → Confirmed
Changed in charm-glance:
status: New → Confirmed
Changed in charm-keystone:
status: New → Confirmed
Changed in charm-neutron-api:
status: New → Confirmed
Changed in charm-nova-cloud-controller:
status: New → Confirmed
Changed in charm-swift-proxy:
status: New → Confirmed
Changed in charm-placement:
status: New → Triaged
Changed in charm-swift-proxy:
status: Confirmed → Triaged
Changed in charm-nova-cloud-controller:
status: Confirmed → Triaged
Changed in charm-neutron-api:
status: Confirmed → Triaged
Changed in charm-keystone:
status: Confirmed → Triaged
Changed in charm-glance:
status: Confirmed → Triaged
Changed in charm-cinder:
status: Confirmed → Triaged
Changed in charm-helpers:
status: Confirmed → Triaged
Changed in charm-cinder:
importance: Undecided → Medium
Changed in charm-glance:
importance: Undecided → Medium
Changed in charm-keystone:
importance: Undecided → Medium
Changed in charm-neutron-api:
importance: Undecided → Medium
Changed in charm-nova-cloud-controller:
importance: Undecided → Medium
Changed in charm-placement:
importance: Undecided → Medium
Changed in charm-swift-proxy:
importance: Undecided → Medium
tags: added: sts
Changed in charm-helpers:
status: Triaged → Opinion
status: Opinion → Invalid
summary: - Apache hardening should disable (or provide the option to disable) http
- port 80
+ Apache should disable (or provide the option to disable) http port 80
Changed in charm-helpers:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-glance:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-placement:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-swift-proxy:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-cinder:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-heat:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-keystone:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-neutron-api:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-nova-cloud-controller:
assignee: nobody → Tiago Pasqualini da Silva (tiago.pasqualini)
Changed in charm-heat:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Edward Hope-Morley (hopem) wrote :
Changed in charm-heat:
milestone: none → 20.01
Changed in charm-cinder:
status: Triaged → In Progress
Changed in charm-glance:
status: Triaged → In Progress
Changed in charm-heat:
status: Triaged → In Progress
Changed in charm-keystone:
status: Triaged → In Progress
Changed in charm-neutron-api:
status: Triaged → In Progress
Changed in charm-nova-cloud-controller:
status: Triaged → In Progress
Changed in charm-swift-proxy:
status: Triaged → In Progress
Changed in charm-placement:
assignee: Tiago Pasqualini da Silva (tiago.pasqualini) → nobody
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-glance (master)

Reviewed: https://review.opendev.org/692651
Committed: https://git.openstack.org/cgit/openstack/charm-glance/commit/?id=dcd9a269dc95c504983935a16372db4e7a021426
Submitter: Zuul
Branch: master

commit dcd9a269dc95c504983935a16372db4e7a021426
Author: tpsilva <email address hidden>
Date: Sat Nov 2 06:22:47 2019 -0300

    Disable Apache default ports

    Openstack services don't use the default ports (80 and 443), so
    change Apache to not open them.

    Change-Id: I543e3309c5522d7bc865133f8ec5ecc79542112c
    Closes-bug: #1845665

Changed in charm-glance:
status: In Progress → Fix Committed
Changed in charm-cinder:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-cinder (master)

Reviewed: https://review.opendev.org/692649
Committed: https://git.openstack.org/cgit/openstack/charm-cinder/commit/?id=2b251b093f839c1b44c79d5427801359c3d704ff
Submitter: Zuul
Branch: master

commit 2b251b093f839c1b44c79d5427801359c3d704ff
Author: tpsilva <email address hidden>
Date: Fri Nov 1 17:19:06 2019 -0300

    Disable Apache default ports

    Openstack services don't use the default ports (80 and 443), so
    change Apache to not open them.

    Change-Id: I896334b232589baacb48da2285829f9e9f0963f9
    Closes-bug: #1845665

Changed in charm-keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.opendev.org/692654
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=25562b842e0f67101c5e901090857b3f06cc4cbe
Submitter: Zuul
Branch: master

commit 25562b842e0f67101c5e901090857b3f06cc4cbe
Author: tpsilva <email address hidden>
Date: Sat Nov 2 06:31:06 2019 -0300

    Disable Apache default ports

    Openstack services don't use the default ports (80 and 443), so
    change Apache to not open them.

    Change-Id: I394e03de59e1d8f8e65197509dcf95fa05727afa
    Closes-bug: #1845665

Changed in charm-nova-cloud-controller:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-cloud-controller (master)

Reviewed: https://review.opendev.org/692658
Committed: https://git.openstack.org/cgit/openstack/charm-nova-cloud-controller/commit/?id=0bf9812bc1bd2fe26d23a49ac972c9fbbc03edcd
Submitter: Zuul
Branch: master

commit 0bf9812bc1bd2fe26d23a49ac972c9fbbc03edcd
Author: tpsilva <email address hidden>
Date: Sat Nov 2 07:24:27 2019 -0300

    Disable Apache default ports

    Openstack services don't use the default ports (80 and 443), so
    change Apache to not open them.

    Change-Id: I518465cd2d6f53e229ab81ebd751f311f8627f83
    Closes-bug: #1845665

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-swift-proxy (master)

Reviewed: https://review.opendev.org/692659
Committed: https://git.openstack.org/cgit/openstack/charm-swift-proxy/commit/?id=235ef232df3f67d0d091800510df81f05f5c0198
Submitter: Zuul
Branch: master

commit 235ef232df3f67d0d091800510df81f05f5c0198
Author: tpsilva <email address hidden>
Date: Sat Nov 2 07:30:20 2019 -0300

    Disable Apache default ports

    Openstack services don't use the default ports (80 and 443), so
    change Apache to not open them.

    Change-Id: Iebde91ae780ab50e61ec5ad49961214ac2a137c4
    Closes-bug: #1845665

Changed in charm-swift-proxy:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-cinder (master)

Fix proposed to branch: master
Review: https://review.opendev.org/700210

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-glance (master)

Fix proposed to branch: master
Review: https://review.opendev.org/700277

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/700278

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-swift-proxy (master)

Fix proposed to branch: master
Review: https://review.opendev.org/700279

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-cloud-controller (master)

Fix proposed to branch: master
Review: https://review.opendev.org/700280

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-glance (master)

Fix proposed to branch: master
Review: https://review.opendev.org/703433

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-glance (master)

Change abandoned by Tiago Pasqualini da Silva (<email address hidden>) on branch: master
Review: https://review.opendev.org/700277
Reason: Changed approach

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-cinder (master)

Fix proposed to branch: master
Review: https://review.opendev.org/703435

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-cinder (master)

Change abandoned by Tiago Pasqualini da Silva (<email address hidden>) on branch: master
Review: https://review.opendev.org/700210

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/703436

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-keystone (master)

Change abandoned by Tiago Pasqualini da Silva (<email address hidden>) on branch: master
Review: https://review.opendev.org/700278

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-swift-proxy (master)

Fix proposed to branch: master
Review: https://review.opendev.org/703437

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-swift-proxy (master)

Change abandoned by Tiago Pasqualini da Silva (<email address hidden>) on branch: master
Review: https://review.opendev.org/700279

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-cloud-controller (master)

Fix proposed to branch: master
Review: https://review.opendev.org/703438

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-nova-cloud-controller (master)

Change abandoned by Tiago Pasqualini da Silva (<email address hidden>) on branch: master
Review: https://review.opendev.org/700280

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.opendev.org/703436
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=92e75b5aad36a557f769dc2106e49af25ef98cc8
Submitter: Zuul
Branch: master

commit 92e75b5aad36a557f769dc2106e49af25ef98cc8
Author: tpsilva <email address hidden>
Date: Sat Nov 2 06:31:06 2019 -0300

    Disable Apache port 80

    Currently, Apache ports.conf file is not being configured by this
    charm. This patch changes the ports.conf default file with another one
    that does not open port 80 on SSL environments.

    Change-Id: I35ba6bb31af6d795d02d90d0d127ac5c6c129d0f
    Closes-bug: #1845665

Changed in charm-neutron-api:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-neutron-api (master)

Reviewed: https://review.opendev.org/692656
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-api/commit/?id=b972488ad2630790a956d132546afc7102c71524
Submitter: Zuul
Branch: master

commit b972488ad2630790a956d132546afc7102c71524
Author: tpsilva <email address hidden>
Date: Sat Nov 2 06:44:52 2019 -0300

    Disable Apache port 80

    Currently, Apache ports.conf file is not being configured by this
    charm. This patch changes the ports.conf default file with another one
    that does not open port 80 on SSL environments.

    Change-Id: I0d935de2eada861b986e2f17ead6a5674afd2969
    Closes-bug: #1845665

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-swift-proxy (master)

Reviewed: https://review.opendev.org/703437
Committed: https://git.openstack.org/cgit/openstack/charm-swift-proxy/commit/?id=2d8d80e47e792c93d0158a0c82d45d5f66caba97
Submitter: Zuul
Branch: master

commit 2d8d80e47e792c93d0158a0c82d45d5f66caba97
Author: tpsilva <email address hidden>
Date: Sat Nov 2 07:30:20 2019 -0300

    Disable Apache port 80

    Currently, Apache ports.conf file is not being configured by this
    charm. This patch changes the ports.conf default file with another one
    that does not open port 80 on SSL environments.

    Change-Id: I63f46223c64f2561f505828491a482dea79dc39a
    Closes-bug: #1845665

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-glance (master)

Reviewed: https://review.opendev.org/703433
Committed: https://git.openstack.org/cgit/openstack/charm-glance/commit/?id=8eb305f3f1da565d909cd4beb8992322a1a36892
Submitter: Zuul
Branch: master

commit 8eb305f3f1da565d909cd4beb8992322a1a36892
Author: tpsilva <email address hidden>
Date: Sat Nov 2 06:22:47 2019 -0300

    Disable Apache port 80

    Currently, Apache ports.conf file is not being configured by this
    charm. This patch changes the ports.conf default file with another one
    that does not open port 80 on SSL environments.

    Change-Id: I3f8eb69813058a9291540634ad262bfdaa7b8731
    Closes-bug: #1845665

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-cinder (master)

Reviewed: https://review.opendev.org/703435
Committed: https://git.openstack.org/cgit/openstack/charm-cinder/commit/?id=962225eccae57e45af2df69541aab0b60340c8c7
Submitter: Zuul
Branch: master

commit 962225eccae57e45af2df69541aab0b60340c8c7
Author: tpsilva <email address hidden>
Date: Fri Nov 1 17:19:06 2019 -0300

    Disable Apache port 80

    Currently, Apache ports.conf file is not being configured by this
    charm. This patch changes the ports.conf default file with another one
    that does not open port 80 on SSL environments.

    Change-Id: Iaa80573dc2661089093c4c87ab100bf941f8b3b8
    Closes-bug: #1845665

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-cloud-controller (master)

Reviewed: https://review.opendev.org/703438
Committed: https://git.openstack.org/cgit/openstack/charm-nova-cloud-controller/commit/?id=56c70d055a3949c7fe150ff2aed83c052fe4c232
Submitter: Zuul
Branch: master

commit 56c70d055a3949c7fe150ff2aed83c052fe4c232
Author: tpsilva <email address hidden>
Date: Sat Nov 2 07:24:27 2019 -0300

    Disable Apache port 80

    Currently, Apache ports.conf file is not being configured by this
    charm. This patch changes the ports.conf default file with another one
    that does not open port 80 on SSL environments.

    Change-Id: Id0b3ce106e2779ce6a44b59c0b08fb1011dfdd54
    Closes-bug: #1845665

Changed in charm-heat:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-heat (master)

Reviewed: https://review.opendev.org/692660
Committed: https://git.openstack.org/cgit/openstack/charm-heat/commit/?id=0ef0ebb9b08ebe5692f870a6bb20528c4ac1dd0c
Submitter: Zuul
Branch: master

commit 0ef0ebb9b08ebe5692f870a6bb20528c4ac1dd0c
Author: tpsilva <email address hidden>
Date: Sat Nov 2 07:46:22 2019 -0300

    Disable Apache port 80

    Currently, Apache ports.conf file is not being configured by this
    charm. This patch changes the ports.conf default file with another one
    that does not open port 80 on SSL environments.

    Change-Id: I881c3569a25c0f0a84c14ee086b3f3adfdbc97f9
    Closes-bug: #1845665

James Page (james-page)
Changed in charm-keystone:
status: Fix Committed → Fix Released
Changed in charm-neutron-api:
status: Fix Committed → Fix Released
Changed in charm-cinder:
status: Fix Committed → Fix Released
Changed in charm-nova-cloud-controller:
status: Fix Committed → Fix Released
Changed in charm-glance:
status: Fix Committed → Fix Released
Changed in charm-swift-proxy:
status: Fix Committed → Fix Released
Changed in charm-heat:
status: Fix Committed → Fix Released