Merge lp:~ack/landscape-charm/block-metrics-through-haproxy into lp:~landscape/landscape-charm/trunk

Proposed by Alberto Donato
Status: Merged
Approved by: Alberto Donato
Approved revision: 386
Merged at revision: 384
Proposed branch: lp:~ack/landscape-charm/block-metrics-through-haproxy
Merge into: lp:~landscape/landscape-charm/trunk
Diff against target: 319 lines (+8/-255)
6 files modified
config/vhost.tmpl (+0/-66)
config/vhost.tmpl.legacy (+0/-66)
config/vhostssl.tmpl (+0/-62)
config/vhostssl.tmpl.legacy (+0/-61)
lib/relations/haproxy.py (+2/-0)
lib/relations/tests/test_haproxy.py (+6/-0)
To merge this branch: bzr merge lp:~ack/landscape-charm/block-metrics-through-haproxy
Reviewer Review Type Date Requested Status
Francis Ginther (community) Approve
Adam Collard (community) Approve
🤖 Landscape Builder test results Approve
Review via email: mp+320342@code.launchpad.net

Commit message

Change the haproxy configuration to prevent access to the /metrics endpoint on the landscape unit.

Description of the change

Change the haproxy configuration to prevent access to the /metrics endpoint on the landscape unit.

Testing instructions:

- CHARM_BRANCH='lp:~ack/landscape-charm/block-metrics-through-haproxy' make stage-landscape-charm
- deploy
- accessing https://<url>/metrics should give a 403 error
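The deny above is a prefix match on the raw request path, so it is worth seeing exactly which request paths the frontend lines in this branch stop and which they forward. The block below is an added example, not charm code: it is a small evaluator for just the HAProxy syntax that appears in the diff (`acl NAME path_beg [-i] PREFIX`, `http-request deny if ACL`, `use_backend NAME if ACL`), plus one extra fetch form, `path,url_dec -m beg|reg`, used by a hardened variant of the metrics ACL. The default backend name `landscape-appserver`, the hardened ACL line and every probe path are constructed for this example; the hardened form assumes HAProxy 1.6 or newer for the `url_dec` converter. Whether the appserver would actually serve `/metrics` for a percent-encoded or double-slash path is not shown on the page, so the "forwarded variants" the example reports are a frontend-only observation to check against the real deployment.

```python
"""Model of the HAProxy frontend rules added in lib/relations/haproxy.py.

Added example, not charm code.  Only the syntax visible in the diff is
implemented, plus the path,url_dec fetch used by the hardened variant.
"""
import re
from urllib.parse import unquote

# Frontend lines exactly as they appear in the lib/relations/haproxy.py hunk.
PAGE_LINES = [
    "acl message path_beg -i /message-system",
    "acl attachment path_beg -i /attachment",
    "acl api path_beg -i /api",
    "acl prometheus_metrics path_beg -i /metrics",
    "http-request deny if prometheus_metrics",
    "use_backend landscape-message if message",
    "use_backend landscape-message if attachment",
    "use_backend landscape-api if api",
]

# Hardened variant (assumption, not from the charm; needs HAProxy 1.6+ for
# url_dec): match the percent-decoded path with a regex that also tolerates
# repeated leading slashes.
HARDENED_LINES = [
    "acl message path_beg -i /message-system",
    "acl attachment path_beg -i /attachment",
    "acl api path_beg -i /api",
    "acl prometheus_metrics path,url_dec -m reg -i ^/+metrics",
    "http-request deny if prometheus_metrics",
    "use_backend landscape-message if message",
    "use_backend landscape-message if attachment",
    "use_backend landscape-api if api",
]

DEFAULT_BACKEND = "landscape-appserver"  # assumed default_backend name


def _acl_predicate(tokens):
    """tokens are the words after 'acl NAME'; returns a predicate over the path."""
    fetch, rest = tokens[0], tokens[1:]
    if fetch == "path_beg":
        decode, method = False, "beg"
    elif fetch == "path,url_dec" and rest[:1] == ["-m"]:
        decode, method, rest = True, rest[1], rest[2:]
    else:
        raise ValueError("unsupported ACL fetch: %s" % fetch)
    ci = rest[0] == "-i"
    pattern = rest[1] if ci else rest[0]

    def pred(path):
        # HAProxy's 'path' sample is the raw request path: no percent-decoding
        # and no slash merging unless a converter or normalizer is applied.
        sample = unquote(path) if decode else path
        if method == "beg":
            if ci:
                return sample.lower().startswith(pattern.lower())
            return sample.startswith(pattern)
        if method == "reg":
            return re.search(pattern, sample, re.IGNORECASE if ci else 0) is not None
        raise ValueError("unsupported match method: %s" % method)

    return pred


def route(lines, request_target):
    """Return ('deny', 403) or ('backend', name) for a request-target string."""
    path = request_target.split("?", 1)[0]  # 'path' excludes the query string
    acls = {}
    for line in lines:
        tokens = line.split()
        if tokens[0] == "acl":
            acls[tokens[1]] = _acl_predicate(tokens[2:])
    # All http-request rules run, in order, before any use_backend rule is
    # considered, so where the deny sits among the use_backend lines is irrelevant.
    for line in lines:
        tokens = line.split()
        if tokens[:2] == ["http-request", "deny"] and tokens[2:3] == ["if"]:
            if acls[tokens[3]](path):
                return ("deny", 403)  # 403 is HAProxy's default deny_status
    for line in lines:
        tokens = line.split()
        if tokens[0] == "use_backend" and tokens[2:3] == ["if"] and acls[tokens[3]](path):
            return ("backend", tokens[1])
    return ("backend", DEFAULT_BACKEND)


def unguarded_metrics_paths(lines, probes):
    """Probes that a backend which percent-decodes and merges slashes would
    treat as /metrics, but that the frontend still forwards instead of denying."""
    leaks = []
    for probe in probes:
        normalised = re.sub("/+", "/", unquote(probe.split("?", 1)[0]))
        if normalised.lower().startswith("/metrics") and route(lines, probe)[0] != "deny":
            leaks.append(probe)
    return leaks


# Constructed probe set: the plain endpoint, case and query variants, three
# encoding variants, and ordinary paths that must keep routing normally.
PROBES = ["/metrics", "/METRICS/", "/metrics?job=x", "/%6Detrics", "//metrics",
          "/%2Fmetrics", "/api/v2", "/attachment/1", "/"]

if __name__ == "__main__":
    for name, lines in (("page", PAGE_LINES), ("hardened", HARDENED_LINES)):
        for probe in PROBES:
            print("%-8s %-16s -> %s" % (name, probe, route(lines, probe)))
        print("%-8s forwarded metrics variants: %s"
              % (name, unguarded_metrics_paths(lines, PROBES)))
```

Running it shows the page's lines denying `/metrics`, `/METRICS/` and `/metrics?job=x` while forwarding `/%6Detrics`, `//metrics` and `/%2Fmetrics` to the default backend; the hardened ACL denies all six. Whether the forwarded variants matter depends on how the appserver decodes and normalises paths, so the deploy test in the instructions above is the place to probe them with curl alongside the plain `/metrics` request.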

Revision history for this message
Alberto Donato (ack) :
Revision history for this message
🤖 Landscape Builder (landscape-builder) :
review: Abstain (executing tests)
Revision history for this message
🤖 Landscape Builder (landscape-builder) wrote :
review: Approve (test results)
Revision history for this message
Adam Collard (adam-collard) wrote :

LGTM, +1

review: Approve
Revision history for this message
Francis Ginther (fginther) wrote :

As this endpoint is only exposed on hosted deployments, this is sufficient to block it via the haproxy. So +1 on the change.

If/When we want to expose this for OPL deployments, we should have a way to turn it off for customers not wishing to expose this data unauthenticated. Probably worth a bug unless we already have some other way of tracking this.

review: Approve
Revision history for this message
Alberto Donato (ack) wrote :

> As this endpoint is only exposed on hosted deployments, this is sufficient to
> block it via the haproxy. So +1 on the change.
>
> If/When we want to expose this for OPL deployments, we should have a way to
> turn it off for customers not wishing to expose this data unauthenticated.
> Probably worth a bug unless we already have some other way of tracking this.

On OPL deployments we would tell the user to deploy prometheus in the model, and expose it.
There's no need to expose metrics through haproxy (and it's actually bad because it would prevent prometheus from scraping endpoints individually, which is a problem for unit metrics).

Preview Diff

1=== removed directory 'config'
2=== removed file 'config/vhost.tmpl'
3--- config/vhost.tmpl 2014-01-21 18:06:37 +0000
4+++ config/vhost.tmpl 1970-01-01 00:00:00 +0000
5@@ -1,66 +0,0 @@
6-<VirtualHost *:80>
7- ServerName {{ servername }}
8- ServerAdmin webmaster@%{SERVER_NAME}
9- DocumentRoot /var/www
10-
11- ErrorLog /var/log/apache2/vhost_http_error.log
12- CustomLog /var/log/apache2/vhost_http_access.log combined
13-
14- # Set a Via header in outbound requests to the proxy, so proxied apps can
15- # know who the actual client is
16- ProxyVia on
17- ProxyTimeout 10
18-
19- <Location "/">
20- Options -Indexes
21- Order allow,deny
22- Allow from all
23- </Location>
24- <Location "/r">
25- FileETag none
26- ExpiresActive on
27- ExpiresDefault "access plus 10 years"
28- Header append Cache-Control "public"
29- </Location>
30- <Location "/repository">
31- Options +Indexes
32- </Location>
33-
34- <Files "*.woff">
35- FileETag None
36- Header append Cache-Control "max-age=2592000,public"
37- Header unset Last-Modified
38- </Files>
39-
40- RewriteEngine On
41-
42- # Pings can always go unencrypted
43- RewriteRule ^/ping$ http://{{ haproxy_pingserver }}/ping [P,L]
44-
45- RewriteRule ^/r/([^/]+)/(.*) /$2
46-
47- # bug #685958
48- # Map the internal lowercase function so we can use it below.
49- RewriteMap lowercase int:tolower
50- # Only lookup skin name in cookie value for the favicon.
51- RewriteCond %{REQUEST_URI} ^/favicon.ico$
52- # If there's a 'skin' selected in the cookie...
53- RewriteCond %{HTTP_COOKIE} skin=([^;\ ]+) [OR]
54- # Else, use the default skin.
55- RewriteCond manx ^(.+)$
56- # If the skin name is a valid one...
57- RewriteCond ${lowercase:%1} ^(manx|hokan)$
58- # Then rewrite the url to be relative to the specified skin.
59- RewriteRule ^/(.*) /static/skin/%1/$1
60-
61- # The following resources are remote and fine to go over http
62- RewriteRule ^/(static.*) http://{{ haproxy_static }}/$1 [P,L]
63- RewriteRule ^/(repository.*) http://{{ haproxy_static }}/$1 [P,L]
64-
65- # local resources, don't redirect anywhere not even to switch to https
66- RewriteCond %{REQUEST_URI} !/server-status
67- RewriteCond %{REQUEST_URI} !/icons
68- RewriteCond %{REQUEST_URI} !/robots.txt
69- # Everything else needs to go over https
70- RewriteRule ^/(.*) https://{{ servername }}/$1 [R=permanent]
71-</VirtualHost>
72
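Review bot: the commit message and description mention only the haproxy /metrics deny, but this hunk and the three after it delete the whole `config/` directory of Apache vhost templates; say so in the commit message, and confirm nothing in the charm still renders `config/vhost.tmpl` (a grep for `vhost.tmpl` and for the `haproxy_pingserver` / `haproxy_static` template variables would settle it). Nothing in this diff replaces the http-to-https redirect the file ended with, `RewriteRule ^/(.*) https://{{ servername }}/$1 [R=permanent]`, so the haproxy frontend is presumably already doing that; worth a sentence in the description.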
73=== removed file 'config/vhost.tmpl.legacy'
74--- config/vhost.tmpl.legacy 2015-01-16 10:18:47 +0000
75+++ config/vhost.tmpl.legacy 1970-01-01 00:00:00 +0000
76@@ -1,66 +0,0 @@
77-<VirtualHost *:80>
78- ServerName {{ servername }}
79- ServerAdmin webmaster@%{SERVER_NAME}
80- DocumentRoot /var/www
81-
82- ErrorLog /var/log/apache2/vhost_http_error.log
83- CustomLog /var/log/apache2/vhost_http_access.log combined
84-
85- # Set a Via header in outbound requests to the proxy, so proxied apps can
86- # know who the actual client is
87- ProxyVia on
88- ProxyTimeout 10
89-
90- <Location "/">
91- Options -Indexes
92- Order allow,deny
93- Allow from all
94- </Location>
95- <Location "/r">
96- FileETag none
97- ExpiresActive on
98- ExpiresDefault "access plus 10 years"
99- Header append Cache-Control "public"
100- </Location>
101- <Location "/repository">
102- Options +Indexes
103- </Location>
104-
105- <Files "*.woff">
106- FileETag None
107- Header append Cache-Control "max-age=2592000,public"
108- Header unset Last-Modified
109- </Files>
110-
111- RewriteEngine On
112-
113- # Pings can always go unencrypted
114- RewriteRule ^/ping$ http://{{ haproxy_pingserver }}/ping [P,L]
115-
116- RewriteRule ^/r/([^/]+)/(.*) /$2
117-
118- # bug #685958
119- # Map the internal lowercase function so we can use it below.
120- RewriteMap lowercase int:tolower
121- # Only lookup skin name in cookie value for the favicon.
122- RewriteCond %{REQUEST_URI} ^/favicon.ico$
123- # If there's a 'skin' selected in the cookie...
124- RewriteCond %{HTTP_COOKIE} skin=([^;\ ]+) [OR]
125- # Else, use the default skin.
126- RewriteCond manx ^(.+)$
127- # If the skin name is a valid one...
128- RewriteCond ${lowercase:%1} ^(manx|hokan)$
129- # Then rewrite the url to be relative to the specified skin.
130- RewriteRule ^/(.*) /static/skin/%1/$1
131-
132- # The following resources are remote and fine to go over http
133- RewriteRule ^/(static.*) http://{{ haproxy_static }}/$1 [P,L]
134- RewriteRule ^/(repository.*) http://{{ haproxy_static }}/$1 [P,L]
135-
136- # local resources, don't redirect anywhere not even to switch to https
137- RewriteCond %{REQUEST_URI} !/server-status
138- RewriteCond %{REQUEST_URI} !/icons
139- RewriteCond %{REQUEST_URI} !/robots.txt
140- # Everything else needs to go over https
141- RewriteRule ^/(.*) https://{{ servername }}/$1 [R=permanent]
142-</VirtualHost>
143
144=== removed file 'config/vhostssl.tmpl'
145--- config/vhostssl.tmpl 2015-01-12 15:08:18 +0000
146+++ config/vhostssl.tmpl 1970-01-01 00:00:00 +0000
147@@ -1,62 +0,0 @@
148-<VirtualHost *:443>
149- ServerName {{ servername }}
150- ServerAdmin webmaster@%{SERVER_NAME}
151- DocumentRoot /var/www
152-
153- ErrorLog /var/log/apache2/vhost_error.log
154- CustomLog /var/log/apache2/vhost_access.log combined
155-
156- SSLEngine On
157- SSLProxyEngine On
158- SSLProtocol all -SSLv3 -SSLv2
159- SSLCertificateFile /etc/ssl/certs/apache2.cert
160- SSLCertificateKeyFile /etc/ssl/private/apache2.key
161-
162- <Files "*.woff">
163- FileETag None
164- Header append Cache-Control "max-age=2592000,public"
165- Header unset Last-Modified
166- </Files>
167-
168- ProxyRequests off
169-
170- ProxyPreserveHost On
171- ProxyPassReverse / http://{{ haproxy_static }}/
172-
173- RewriteEngine On
174-
175- RewriteRule ^/.*\+\+.* / [F]
176- RewriteRule ^/r/([^/]+)/(.*) /$2
177-
178- # bug #685958
179- # Map the internal lowercase function so we can use it below.
180- RewriteMap lowercase int:tolower
181- # Only lookup skin name in cookie value for the favicon.
182- RewriteCond %{REQUEST_URI} ^/favicon.ico$
183- # If there's a 'skin' selected in the cookie...
184- RewriteCond %{HTTP_COOKIE} skin=([^;\ ]+) [OR]
185- # Else, use the default skin.
186- RewriteCond manx ^(.+)$
187- # If the skin name is a valid one...
188- RewriteCond ${lowercase:%1} ^(manx|hokan)$
189- # Then rewrite the url to be relative to the specified skin.
190- RewriteRule ^/(.*) /static/skin/%1/$1
191-
192- RewriteRule ^/message-system http://{{ haproxy_msgserver }}/++vh++https:%{SERVER_NAME}:443/++/ [P,L]
193- RewriteRule ^/ajax http://{{ haproxy_asyncfrontend }}/ [P,L]
194- RewriteRule ^/combo http://{{ haproxy_comboloader }}/ [P,L]
195- RewriteRule ^/api http://{{ haproxy_apiserver }}/ [P,L]
196- RewriteRule ^/attachment/(.*) http://{{ haproxy_msgserver }}/attachment/$1 [P,L]
197- RewriteRule ^/upload/(.*) http://{{ haproxy_packageupload }}/$1 [P,L]
198- RewriteRule ^/(static.*) http://{{ haproxy_static }}/$1 [P,L]
199- RewriteRule ^/(offline.*) http://{{ haproxy_static }}/$1 [P,L]
200- RewriteRule ^/(config.*) http://{{ haproxy_static }}/$1 [P,L]
201- RewriteRule ^/(hash-id-databases.*) http://{{ haproxy_static }}/$1 [P,L]
202- RewriteRule ^/(repository.*) http://{{ haproxy_static }}/$1 [P,L]
203- # The rest goes to the application server, with a few exceptions
204- RewriteCond %{REQUEST_URI} !/icons
205- RewriteCond %{REQUEST_URI} !/robots.txt
206- RewriteCond %{REQUEST_URI} !/server-status
207- RewriteRule ^/(.*) http://{{ haproxy_appserver }}/++vh++https:%{SERVER_NAME}:443/++/$1 [P]
208-
209-</VirtualHost>
210
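Review bot: the removed SSL vhost carried a control the haproxy hunk in this diff does not visibly replace: `RewriteRule ^/.*\+\+.* / [F]` returned 403 for any client-supplied path containing `++` before the request was rewritten to the `++vh++https:%{SERVER_NAME}:443/++/` virtual-host form, so a client could not inject its own `++` traversal segments. Only the `path_beg` ACLs and the new `/metrics` deny are shown for the haproxy frontend; check that it has an equivalent `http-request deny` for paths containing `++`, or that the appserver no longer uses `++vh++` rewriting, before dropping this file.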
211=== removed file 'config/vhostssl.tmpl.legacy'
212--- config/vhostssl.tmpl.legacy 2015-01-16 10:18:47 +0000
213+++ config/vhostssl.tmpl.legacy 1970-01-01 00:00:00 +0000
214@@ -1,61 +0,0 @@
215-<VirtualHost *:443>
216- ServerName {{ servername }}
217- ServerAdmin webmaster@%{SERVER_NAME}
218- DocumentRoot /var/www
219-
220- ErrorLog /var/log/apache2/vhost_error.log
221- CustomLog /var/log/apache2/vhost_access.log combined
222-
223- SSLEngine On
224- SSLProxyEngine On
225- SSLProtocol all -SSLv3 -SSLv2
226- SSLCertificateFile /etc/ssl/certs/apache2.cert
227- SSLCertificateKeyFile /etc/ssl/private/apache2.key
228-
229- <Files "*.woff">
230- FileETag None
231- Header append Cache-Control "max-age=2592000,public"
232- Header unset Last-Modified
233- </Files>
234-
235- ProxyRequests off
236-
237- ProxyPreserveHost On
238- ProxyPassReverse / http://{{ haproxy_static }}/
239-
240- RewriteEngine On
241-
242- RewriteRule ^/.*\+\+.* / [F]
243- RewriteRule ^/r/([^/]+)/(.*) /$2
244-
245- # bug #685958
246- # Map the internal lowercase function so we can use it below.
247- RewriteMap lowercase int:tolower
248- # Only lookup skin name in cookie value for the favicon.
249- RewriteCond %{REQUEST_URI} ^/favicon.ico$
250- # If there's a 'skin' selected in the cookie...
251- RewriteCond %{HTTP_COOKIE} skin=([^;\ ]+) [OR]
252- # Else, use the default skin.
253- RewriteCond manx ^(.+)$
254- # If the skin name is a valid one...
255- RewriteCond ${lowercase:%1} ^(manx|hokan)$
256- # Then rewrite the url to be relative to the specified skin.
257- RewriteRule ^/(.*) /static/skin/%1/$1
258-
259- RewriteRule ^/message-system http://{{ haproxy_msgserver }}/++vh++https:%{SERVER_NAME}:443/++/ [P,L]
260- RewriteRule ^/ajax http://{{ haproxy_asyncfrontend }}/ [P,L]
261- RewriteRule ^/combo http://{{ haproxy_comboloader }}/ [P,L]
262- RewriteRule ^/api http://{{ haproxy_apiserver }}/ [P,L]
263- RewriteRule ^/attachment/(.*) http://{{ haproxy_msgserver }}/attachment/$1 [P,L]
264- RewriteRule ^/upload/(.*) http://{{ haproxy_packageupload }}/$1 [P,L]
265- RewriteRule ^/(static.*) http://{{ haproxy_static }}/$1 [P,L]
266- RewriteRule ^/(config.*) http://{{ haproxy_static }}/$1 [P,L]
267- RewriteRule ^/(hash-id-databases.*) http://{{ haproxy_static }}/$1 [P,L]
268- RewriteRule ^/(repository.*) http://{{ haproxy_static }}/$1 [P,L]
269- # The rest goes to the application server, with a few exceptions
270- RewriteCond %{REQUEST_URI} !/icons
271- RewriteCond %{REQUEST_URI} !/robots.txt
272- RewriteCond %{REQUEST_URI} !/server-status
273- RewriteRule ^/(.*) http://{{ haproxy_appserver }}/++vh++https:%{SERVER_NAME}:443/++/$1 [P]
274-
275-</VirtualHost>
276
277=== modified file 'lib/relations/haproxy.py'
278--- lib/relations/haproxy.py 2017-02-28 08:50:43 +0000
279+++ lib/relations/haproxy.py 2017-03-20 12:16:50 +0000
280@@ -42,6 +42,8 @@
281 "acl message path_beg -i /message-system",
282 "acl attachment path_beg -i /attachment",
283 "acl api path_beg -i /api",
284+ "acl prometheus_metrics path_beg -i /metrics",
285+ "http-request deny if prometheus_metrics",
286 "use_backend landscape-message if message",
287 "use_backend landscape-message if attachment",
288 "use_backend landscape-api if api",
289
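Review bot: `path_beg -i /metrics` is evaluated against the raw, undecoded request path, so `/%6Detrics` or `//metrics` does not match the ACL and is forwarded to the default backend; whether the appserver then serves the metrics view depends on its own URL normalisation, which this diff does not show. If the deployed HAProxy is 1.6 or newer, matching on the decoded path closes the first case, e.g. `acl prometheus_metrics path,url_dec -m beg -i /metrics`, and the deploy test should probe those variants as well as the plain `/metrics`. The placement of the `http-request deny` line among the `use_backend` lines is fine: HAProxy runs all `http-request` rules before selecting a backend, so the deny also covers `/metrics` on the message and api backends, and with no `deny_status` it returns 403, which matches the testing instructions.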
290=== modified file 'lib/relations/tests/test_haproxy.py'
291--- lib/relations/tests/test_haproxy.py 2017-02-27 09:47:31 +0000
292+++ lib/relations/tests/test_haproxy.py 2017-03-20 12:16:50 +0000
293@@ -106,6 +106,8 @@
294 "acl message path_beg -i /message-system",
295 "acl attachment path_beg -i /attachment",
296 "acl api path_beg -i /api",
297+ "acl prometheus_metrics path_beg -i /metrics",
298+ "http-request deny if prometheus_metrics",
299 "use_backend landscape-message if message",
300 "use_backend landscape-message if attachment",
301 "use_backend landscape-api if api"],
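Review bot: this hunk and the two below it paste the same eight frontend lines into three expected lists, so any later change to the block (reordering the ACLs, adding a `deny_status`) has to be made in four places; a module-level constant for the shared frontend rules, referenced from all three expected lists, would keep them from drifting. The assertions also only pin the rendered strings, which is adequate for a template test, but nothing here exercises the 403 behaviour itself, so the deploy test in the description remains the only check that the deny actually takes effect.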
302@@ -430,6 +432,8 @@
303 "acl message path_beg -i /message-system",
304 "acl attachment path_beg -i /attachment",
305 "acl api path_beg -i /api",
306+ "acl prometheus_metrics path_beg -i /metrics",
307+ "http-request deny if prometheus_metrics",
308 "use_backend landscape-message if message",
309 "use_backend landscape-message if attachment",
310 "use_backend landscape-api if api",
311@@ -485,6 +489,8 @@
312 "acl message path_beg -i /message-system",
313 "acl attachment path_beg -i /attachment",
314 "acl api path_beg -i /api",
315+ "acl prometheus_metrics path_beg -i /metrics",
316+ "http-request deny if prometheus_metrics",
317 "use_backend landscape-message if message",
318 "use_backend landscape-message if attachment",
319 "use_backend landscape-api if api",

Subscribers

People subscribed via source and target branches