maas-proxy.conf should have an include line

Bug #1939180 reported by Craig Bender
This bug affects 1 person
Affects: MAAS
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Customer has their own proxy, but requires per-host authentication, which is fine to get for a few MAAS servers, but a lot of work to do for all the nodes MAAS will deploy.

When double proxied (MAAS squid -> customer squid), we get a 403 access denied error fetching anything external from a node that MAAS is deploying.

Adding 'never_direct allow localnet' solves this and allows minimal proxy configuration on MAAS-deployed nodes, while keeping the security the customer desires.

While we can edit /usr/lib/python3/dist-packages/provisioningserver/templates/proxy/maas-proxy.conf.template on a deb-based deployment, the template is on a RO file system in the snap.

maas-proxy.conf.template should be updated to have an include line that points to:

/etc/maas/proxy/conf.d/ for deb-based installs
/var/snap/maas/current/proxy/conf.d/ for snap-based installs

tags: added: feature
Björn Tillenius (bjornt) wrote :

Thanks for the use case. We've had requests for "proxy snippets", but they couldn't actually tell us what they wanted to do.

I'm a bit confused, though. You say that the upstream proxy requires per-host authentication, but then say that 'never direct allow localnet' is enough. Where is the per-host authentication for the MAAS servers configured?

Changed in maas:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for MAAS because there has been no activity for 60 days.]

Changed in maas:
status: Incomplete → Expired
Christian Grabowski (cgrabowski) wrote :

Circling back on this, MAAS currently configures a `never_direct allow all` when a peer is present; `never_direct allow localnet` would already be included in that. Is it the case that the server(s) running MAAS itself are authenticated with the proxy? I've created an environment with a single rack+region controller and an external peer proxy requiring basic auth, and the existing configuration works as of the basic auth additions for peers landing. A tcpdump shows all of the nodes are proxied through MAAS' proxy and the source IP to the external proxy ends up being the MAAS server. If an auth method other than basic auth is used, it still should require the MAAS server's proxy to be authenticated based on the testing.

Is the external proxy being set as a peer in MAAS, or is it being set on the node using HTTP_PROXY, HTTPS_PROXY, etc.?

Changed in maas:
status: Expired → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for MAAS because there has been no activity for 60 days.]

Changed in maas:
status: Incomplete → Expired
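
The chained-proxy setup discussed in this thread, as an added example that is not MAAS's generated maas-proxy.conf and not configuration posted by any commenter: a minimal Squid fragment with an authenticated parent peer, `never_direct`, and an include line for local snippets. The peer host name, port, client range, credential placeholders and the `*.conf` glob are assumptions.

```conf
# Constructed example; host names, ranges and credentials are placeholders.

http_port 3128

# Clients (the deployed nodes) that may use this proxy.
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all

# Upstream (customer) proxy as a parent peer. login= makes this Squid send
# its own Basic credentials to the peer, so only this host needs an account
# on the upstream proxy; the deployed nodes need none.
cache_peer upstream-proxy.example.internal parent 3128 0 no-query default login=PLACEHOLDER_USER:PLACEHOLDER_PASSWORD

# Never fetch from origin servers directly: every request goes via the peer.
# "allow all" is a superset of "allow localnet".
never_direct allow all

# Site-local snippets. The directory is the deb-based path proposed in the
# bug description; the *.conf glob is an assumption.
include /etc/maas/proxy/conf.d/*.conf
```

With this layout the upstream proxy sees only the intermediate Squid's source address, so its per-host authentication and logging apply to that one host rather than to each deployed node.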