maas-proxy is an open proxy with no ACLs; it should add networks automatically

Bug #1379567 reported by James Troup
42
This bug affects 8 people
Affects Status Importance Assigned to Milestone
MAAS
Critical
LaMont Jones
maas (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned

Bug Description

maas-proxy listens on all interfaces and has no ACLs, i.e. it's an
open proxy:

| root@gremlin:/etc/maas# netstat -anp | grep 3128
| tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 30951/squid3
| root@gremlin:/etc/maas# grep localnet /etc/maas/maas-proxy.conf
| acl localnet src all # TODO: We should auto-generate this with the networks MAAS manages/knows about.
| http_access allow localnet
| root@gremlin:/etc/maas#

This isn't reasonable behaviour, IMO.

Related branches

James Troup (elmo)
tags: added: canonical-is
no longer affects: maas
JuanJo Ciarlante (jjo)
tags: added: canonical-bootstack
Christian Reis (kiko)
Changed in maas:
milestone: none → 1.7.2
importance: Undecided → Critical
Changed in maas:
milestone: 1.7.2 → 1.7.3
Changed in maas:
milestone: 1.7.3 → 1.9.0
importance: Critical → Wishlist
status: New → Triaged
summary: - maas-proxy is an open proxy with no ACLs and listening on all interfaces
+ maas-proxy is an open proxy with no ACLs; it should add networks
+ automatically
Changed in maas:
milestone: 1.9.0 → 2.0.0
importance: Wishlist → Critical
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in maas (Ubuntu):
status: New → Confirmed
Revision history for this message
Mike Pontillo (mpontillo) wrote :

I've seen users complain that when we change this file it gets overwritten automatically. (I guess we should also move it to /var, if we're going to be automatically generating the configuration.)

Should every network MAAS knows about be included in the allow list? Or is finer control needed?

Revision history for this message
Mike Pontillo (mpontillo) wrote :

s/when we change this/when they change that/

Revision history for this message
Jay R. Wren (evarlast) wrote :

I'm disappointed that maas being an open proxy isn't mentioned anywhere in the documentation, that I could find. It should be mentioned in big bold red letters, maybe blink or marquee. The, "not designed to be run on the internet" is fine, but it should be well documented and so should the reason why. Many corporate networks are just as sensitive to internal security issues as they are to exposing public internet. Having an open proxy in their private network may harm their intranet security design.

We (team yellow) are running maas on an host on the internet. I customized the squid config that maas-proxy uses to prevent it from proxying for internet source request. I suspect that the next maas update will replace those changes, so I also added iptables rules to block traffic to those ports from the internet.

Revision history for this message
Mike Pontillo (mpontillo) wrote :

I agree with the concerns about documentation.

Currently, maas-proxy is an optional package which does not depend on the MAAS region server (or any other MAAS component). It's analogous to squid-deb-proxy.

The squid-deb-proxy approach to security is to ship (in an autogenerated/ directory, which you are not supposed to edit) an allowed-networks-src.acl file, which contains the RFC 1918 IPv4 addresses, and the link-local IPv6 addresses by default.

We could add an additional dependency on the MAAS region (or at least, a URL to the MAAS region which allows us to figure out which networks are attached to MAAS), and try to be smart about which networks to add. But I'm not sure a solution that complex is worth the cost. For now, perhaps it would be sufficient to take the same approach that squid-deb-proxy uses, and then document how to ensure it's both secure, and able to allow any additional desired networks.

LaMont Jones (lamont)
Changed in maas:
assignee: nobody → LaMont Jones (lamont)
Changed in maas:
status: Triaged → In Progress
Revision history for this message
Jeff Lane (bladernr) wrote :

This also needs a 1.9 target as well. I just discovered this while investigating proxy issues on a customer MAAS server and found that they have an open maas proxy with a ton of external connections to it :/

Jeff Lane (bladernr)
tags: added: hwcert-server
Revision history for this message
LaMont Jones (lamont) wrote :

For the 1.9 backport of this fix, rather than introduce a schema migration (as done for 2.0), we'll simply allow all known subnets to use the proxy, with a note in the proxy config to disable unwanted subnets with iptables.

Revision history for this message
Andres Rodriguez (andreserl) wrote :

maas-proxy was never meant to be used on internet facing scenarios. The maas-proxy configuration status that MAAS doesn't automatically add networks and that one that it would. This will be done for 2.0 and wont be done for any earlier release. MAAS documentation will be updated to state this information more clearly, but this fix wont be backported to earlier releases.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas - 2.0.0~beta1+bzr4873-0ubuntu1

---------------
maas (2.0.0~beta1+bzr4873-0ubuntu1) xenial; urgency=medium

  * New upstream release, 2.0.0 beta 1 bzr4873 (Standing FFe LP: #1553261)
    - DHCP Snippets WebUI.
    - Ensure proxy configuration ACL's subnets MAAS knows about.
    - DNS High Availability.
  * debian/control: Move 'maascli' package install to
    python3-maas-client (LP: #1563859)
  * Improve way on how upgrades ensures correct permissions
    and ownership (LP: #1563799 , LP: #1563779)
  * Improve the way how removals clean the system (LP: #1563337)
  * Reflect new names and website for systemd units (LP: #1563807)
  * maas-proxy now uses a custom-built config, instead of a boilerplate.
    LP: #1379567

 -- Andres Rodriguez <email address hidden> Mon, 28 Mar 2016 16:47:58 -0400

Changed in maas (Ubuntu):
status: Confirmed → Fix Released
Changed in maas:
status: In Progress → Fix Committed
Changed in maas (Ubuntu Trusty):
status: New → Won't Fix
Jeff Lane (bladernr)
tags: removed: hwcert-server
Changed in maas:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers