[Bug 1379567] Re: maas-proxy is an open proxy with no ACLs; it should add networks automatically
Mike Pontillo
mike.pontillo at canonical.com
Wed Mar 9 20:47:55 UTC 2016
I agree with the concerns about documentation.

Currently, maas-proxy is an optional package which does not depend on
the MAAS region server (or any other MAAS component). It's analogous to
squid-deb-proxy.

The squid-deb-proxy approach to security is to ship (in an
autogenerated/ directory, which you are not supposed to edit) an
allowed-networks-src.acl file, which contains the RFC 1918 IPv4
addresses, and the link-local IPv6 addresses by default.

We could add an additional dependency on the MAAS region (or at least, a
URL to the MAAS region which allows us to figure out which networks are
attached to MAAS), and try to be smart about which networks to add. But
I'm not sure a solution that complex is worth the cost. For now, perhaps
it would be sufficient to take the same approach that squid-deb-proxy
uses, and then document how to ensure it's both secure, and able to
allow any additional desired networks.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to maas in Ubuntu.
https://bugs.launchpad.net/bugs/1379567
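An added example, not part of the original message and not code from squid-deb-proxy or MAAS: a small audit of an allowed-networks-src.acl-style file against the defaults the message describes (RFC 1918 IPv4 and link-local IPv6), flagging entries that open the proxy to any source. The one-network-per-line format with `#` comments, the function names and the sample file contents are assumptions made for this illustration.

```python
import ipaddress

# Defaults described in the message: RFC 1918 IPv4 plus link-local IPv6.
PRIVATE_DEFAULTS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10")]

# Constructed sample ACL contents (assumed format: one network per line,
# '#' starts a comment); not copied from any real package.
SAMPLE_ACL = """\
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
fe80::/10
0.0.0.0/0        # entry that turns the proxy into an open proxy
203.0.113.0/24   # extra network added by an operator
"""

def parse_acl(text):
    """Return the networks listed in an ACL file, skipping comments and blanks."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return nets

def audit(nets):
    """Label each network 'open' (any source), 'default' (inside the
    private/link-local defaults) or 'extra' (outside them; review it)."""
    report = {}
    for net in nets:
        if net.prefixlen == 0:
            report[str(net)] = "open"
        elif any(net.version == d.version and net.subnet_of(d) for d in PRIVATE_DEFAULTS):
            report[str(net)] = "default"
        else:
            report[str(net)] = "extra"
    return report

def client_allowed(client, nets):
    """True if the client source address matches any network in the ACL."""
    addr = ipaddress.ip_address(client)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    for net, verdict in audit(parse_acl(SAMPLE_ACL)).items():
        print(f"{net:18} {verdict}")
```

Anything reported as `extra` is a network someone added beyond the defaults and should be documented; anything reported as `open` means the ACL no longer restricts clients at all.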