OpenStack Security Guide Documentation

http_proxy_to_wsgi middleware shouldn't be disabled by default

Bug #1590635 reported by Jamie Lennox
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OpenStack Security Guide Documentation
New
Undecided
Unassigned
oslo.middleware
Won't Fix
Undecided
Unassigned

Bug Description

The http-proxy-to-wsgi middleware has a config option enable_proxy_headers_parsing which is False by default. This is a bad default.

For anyone behind a load balancer we will always want to have the Forwarded values set in the request, for anyone not behind a load balancer the cost of the code is two environment lookups (so, negligible) and being middleware anyone that is really desperate to not suffer those two dict lookups can simply remove it from their pipeline.

We should deprecate the enable_proxy_headers_parsing config option and just always run the middleware if it's in the pipeline.

Revision history for this message
Adrien Cunin (adri2000) wrote :

I agree!

https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=f62c3a74c07238d91efb17e9ac64373f08894490 explains it is disabled by default for security reasons. The rationale seems to be: headers are supposed to be saner behind a reverse proxy, so the risk of malformed malicious headers is lower. This rationale is valid in case of a security vulnerability in the parsing code.

On the other hand, keeping this option disabled by default means that almost all OpenStack deployments (because almost all of them use a reverse proxy in front of the APIs) need to set that option for all the OpenStack services using oslo.middleware.

So I guess there is a decision to make here. My opinion is that should ease the life of deployers with sensible defaults.

Revision history for this message
Pierre Riteau (priteau) wrote :

At the very least this setting should be documented in https://docs.openstack.org/security-guide/secure-communication/tls-proxies-and-http-services.html

Revision history for this message
Ben Nemec (bnemec) wrote :

We cannot change the default, due to https://bugs.launchpad.net/oslo.middleware/+bug/1548280

However, I do agree that this should be called out in the security guide so I've added what I believe is the appropriate project for making that change.

Changed in oslo.middleware:
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.