maas-proxy is an open proxy with no ACLs; it should add networks automatically

Bug #1379567 reported by James Troup
This bug affects 8 people
Affects          Status         Importance   Assigned to    Milestone
MAAS             Fix Released   Critical     LaMont Jones
maas (Ubuntu)    Fix Released   Undecided    Unassigned
Trusty           Won't Fix      Undecided    Unassigned

Bug Description

maas-proxy listens on all interfaces and has no ACLs, i.e. it's an
open proxy:

| root@gremlin:/etc/maas# netstat -anp | grep 3128
| tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 30951/squid3
| root@gremlin:/etc/maas# grep localnet /etc/maas/maas-proxy.conf
| acl localnet src all # TODO: We should auto-generate this with the networks MAAS manages/knows about.
| http_access allow localnet
| root@gremlin:/etc/maas#

This isn't reasonable behaviour, IMO.

James Troup (elmo)
tags: added: canonical-is
no longer affects: maas
JuanJo Ciarlante (jjo)
tags: added: canonical-bootstack
Christian Reis (kiko)
Changed in maas:
milestone: none → 1.7.2
importance: Undecided → Critical
Changed in maas:
milestone: 1.7.2 → 1.7.3
Changed in maas:
milestone: 1.7.3 → 1.9.0
importance: Critical → Wishlist
status: New → Triaged
summary: - maas-proxy is an open proxy with no ACLs and listening on all interfaces
+ maas-proxy is an open proxy with no ACLs; it should add networks
+ automatically
Changed in maas:
milestone: 1.9.0 → 2.0.0
importance: Wishlist → Critical
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in maas (Ubuntu):
status: New → Confirmed
Mike Pontillo (mpontillo) wrote :

I've seen users complain that when we change this file it gets overwritten automatically. (I guess we should also move it to /var, if we're going to be automatically generating the configuration.)

Should every network MAAS knows about be included in the allow list? Or is finer control needed?

Mike Pontillo (mpontillo) wrote :

s/when we change this/when they change that/

Jay R. Wren (evarlast) wrote :

I'm disappointed that maas being an open proxy isn't mentioned anywhere in the documentation, that I could find. It should be mentioned in big bold red letters, maybe blink or marquee. The "not designed to be run on the internet" is fine, but it should be well documented and so should the reason why. Many corporate networks are just as sensitive to internal security issues as they are to exposing public internet. Having an open proxy in their private network may harm their intranet security design.

We (team yellow) are running maas on a host on the internet. I customized the squid config that maas-proxy uses to prevent it from proxying for internet source request. I suspect that the next maas update will replace those changes, so I also added iptables rules to block traffic to those ports from the internet.

Mike Pontillo (mpontillo) wrote :

I agree with the concerns about documentation.

Currently, maas-proxy is an optional package which does not depend on the MAAS region server (or any other MAAS component). It's analogous to squid-deb-proxy.

The squid-deb-proxy approach to security is to ship (in an autogenerated/ directory, which you are not supposed to edit) an allowed-networks-src.acl file, which contains the RFC 1918 IPv4 addresses, and the link-local IPv6 addresses by default.

We could add an additional dependency on the MAAS region (or at least, a URL to the MAAS region which allows us to figure out which networks are attached to MAAS), and try to be smart about which networks to add. But I'm not sure a solution that complex is worth the cost. For now, perhaps it would be sufficient to take the same approach that squid-deb-proxy uses, and then document how to ensure it's both secure, and able to allow any additional desired networks.
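
The check and the fix discussed in this thread, as an added example (not MAAS or squid-deb-proxy code): it flags a squid config whose first catch-all `http_access` rule is an allow, as in the bug description, and renders a restricted `localnet` ACL from a subnet list. The function names, the sample config, and the concrete default ranges are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the two active lines quoted in the bug description.
OPEN_CONF = """\
acl localnet src all # TODO: auto-generate this
http_access allow localnet
"""
# Defaults the thread attributes to squid-deb-proxy: RFC 1918 + IPv6 link-local.
DEFAULT_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10"]
ANY_SOURCE = {"all", "0.0.0.0/0", "::/0"}  # src values matching every client


def catch_all_action(conf_text):
    """Return 'allow' or 'deny' for the first http_access rule that matches
    every client address, or None if there is no such rule. Rules gated on
    narrower ACLs (ports, specific subnets) are skipped, not evaluated."""
    wide = {"all"}  # squid predefines the 'all' ACL
    for line in conf_text.splitlines():
        tok = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            if ANY_SOURCE & set(tok[3:]):
                wide.add(tok[1])
        elif len(tok) >= 3 and tok[0] == "http_access":
            # ACLs on one line are ANDed: open only if every one is wide.
            if all(name in wide for name in tok[2:]):
                return tok[1]
    return None


def render_localnet(subnets, name="localnet"):
    """Build squid lines that admit only the given CIDR subnets."""
    nets = [ipaddress.ip_network(s) for s in subnets]  # ValueError if invalid
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("a /0 subnet would recreate the open proxy")
    lines = [f"acl {name} src {n}" for n in nets]
    lines += [f"http_access allow {name}", "http_access deny all"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(catch_all_action(OPEN_CONF))
    print(render_localnet(DEFAULT_NETS), end="")
```

Running `catch_all_action` over the deployed config after every package upgrade catches the case raised above, where local edits to the proxy config are overwritten.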

LaMont Jones (lamont)
Changed in maas:
assignee: nobody → LaMont Jones (lamont)
Changed in maas:
status: Triaged → In Progress
Jeff Lane (bladernr) wrote :

This also needs a 1.9 target as well. I just discovered this while investigating proxy issues on a customer MAAS server and found that they have an open maas proxy with a ton of external connections to it :/

Jeff Lane (bladernr)
tags: added: hwcert-server
LaMont Jones (lamont) wrote :

For the 1.9 backport of this fix, rather than introduce a schema migration (as done for 2.0), we'll simply allow all known subnets to use the proxy, with a note in the proxy config to disable unwanted subnets with iptables.

Andres Rodriguez (andreserl) wrote :

maas-proxy was never meant to be used on internet-facing scenarios. The maas-proxy configuration status that MAAS doesn't automatically add networks and that one that it would. This will be done for 2.0 and won't be done for any earlier release. MAAS documentation will be updated to state this information more clearly, but this fix won't be backported to earlier releases.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas - 2.0.0~beta1+bzr4873-0ubuntu1

---------------
maas (2.0.0~beta1+bzr4873-0ubuntu1) xenial; urgency=medium

  * New upstream release, 2.0.0 beta 1 bzr4873 (Standing FFe LP: #1553261)
    - DHCP Snippets WebUI.
    - Ensure proxy configuration ACL's subnets MAAS knows about.
    - DNS High Availability.
  * debian/control: Move 'maascli' package install to
    python3-maas-client (LP: #1563859)
  * Improve way on how upgrades ensures correct permissions
    and ownership (LP: #1563799 , LP: #1563779)
  * Improve the way how removals clean the system (LP: #1563337)
  * Reflect new names and website for systemd units (LP: #1563807)
  * maas-proxy now uses a custom-built config, instead of a boilerplate.
    LP: #1379567

 -- Andres Rodriguez <email address hidden> Mon, 28 Mar 2016 16:47:58 -0400

Changed in maas (Ubuntu):
status: Confirmed → Fix Released
Changed in maas:
status: In Progress → Fix Committed
Changed in maas (Ubuntu Trusty):
status: New → Won't Fix
Jeff Lane (bladernr)
tags: removed: hwcert-server
Changed in maas:
status: Fix Committed → Fix Released