horizon is configured with Directory Options Indexes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | Undecided | Andreas Karis |
Bug Description
Some security scanners may complain that directory listings are enabled in tripleo-based deployments.
The default in apache::vhost is
~~~
cat /etc/puppet/
define apache::vhost(
(...)
$options = ['Indexes'
(...)
~~~
I can change this in the templates with
~~~
parameter_defaults:
  (...)
  controllerExtraConfig:
    horizon::vhost_extra_params:
      options: ['FollowSymLink
      priority: 10
      add_listen: false
~~~
but if directory listings aren't necessary, particularly because tripleo configures the /var/www directory as a "dummy directory".
The problem is that both /var/www/html and /var/www/cgi-bin can be listed:
~~~
[root@undercloud-6 ~]# curl http://10.0.0.4/cgi-bin/ | grep Index
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1254  100  1254    0     0  24155      0 --:--:-- --:--:-- --:--:-- 24588
<title>Index of /cgi-bin</title>
<h1>Index of /cgi-bin</h1>
[root@undercloud-6 ~]# curl http://10.0.0.4/html/ | grep Index
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   664  100   664    0     0   6154      0 --:--:-- --:--:-- --:--:--  6148
<title>Index of /html</title>
<h1>Index of /html</h1>
~~~
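As an added example (not part of this bug report, nor code from tripleo or puppetlabs-apache), two POSIX shell helpers that automate the checks made above from the defender's side: `options_enable_indexes` scans an Apache configuration file for `Options` directives that enable `Indexes` (or `All`, which implies it), and `body_is_directory_listing` recognises an auto-index response body by the `<title>Index of` marker visible in the curl output. `check_url` wraps the second helper around `curl` for a live host. The function names, and the config file and HTML bodies used to exercise them, are constructed for this example.

```shell
#!/bin/sh
# Added example: audit helpers for the two symptoms in the bug report.
# Not part of tripleo or puppetlabs-apache; function names are my own.
#
# Usage (after sourcing this file):
#   options_enable_indexes /etc/httpd/conf.d/12-horizon_vhost.conf
#   check_url http://10.0.0.4/cgi-bin/

# options_enable_indexes CONFIG_FILE
# Prints every "Options" line in CONFIG_FILE that enables directory listings.
# Apache enables them for "Options Indexes ...", "Options +Indexes" and
# "Options All" (All implies Indexes); "Options -Indexes" disables them.
# Exit status is 1 if at least one enabling line was found, 0 otherwise.
options_enable_indexes() {
    awk '
        BEGIN { found = 0 }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                v = tolower($i)
                if (v == "indexes" || v == "+indexes" || v == "all" || v == "+all") {
                    print FILENAME ":" FNR ": " $0
                    found = 1
                    break
                }
            }
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# body_is_directory_listing FILE
# Returns 0 if FILE looks like an Apache auto-generated index page,
# i.e. it carries the "<title>Index of ..." marker, 1 otherwise.
body_is_directory_listing() {
    grep -qi '<title>Index of ' "$1"
}

# check_url URL
# Fetches URL with curl (network access required) and reports whether the
# response is a directory listing. Returns 1 on a listing, 0 otherwise.
check_url() {
    tmp=$(mktemp) || return 2
    curl -s -o "$tmp" "$1"
    if body_is_directory_listing "$tmp"; then
        echo "LISTING: $1"
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    return 0
}
```

The config scan is deliberately line-oriented: it does not follow `Include` directives or merge `<Directory>` inheritance, so run it over every file under `conf.d` and treat a hit as something to inspect rather than as proof of exposure; the curl check is the confirmation.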
Changed in tripleo: assignee: nobody → Andreas Karis (akaris)
Running another test to get rid of the docroot altogether as /var/www as docroot is not needed according to horizon documentation: http://docs.openstack.org/liberty/config-reference/content/configure-dashboard.html
~~~
##### `docroot`
**Required**. Sets the [`DocumentRoot`][] location, from which Apache serves files.
If `docroot` and [`manage_docroot`][] are both set to `false`, no [`DocumentRoot`][] will be set and the accompanying `<Directory /path/to/directory>` block will not be created.
~~~
~~~
define apache::vhost(
$docroot,
$manage_docroot = true,
~~~
~~~
controllerExtraConfig:
  horizon::vhost_extra_params:
    docroot: false
    manage_docroot: false
    add_listen: false
~~~
The end result removed any reference to /var/www:
~~~
[root@overcloud-controller-0 ~]# cat /etc/httpd/conf.d/12-horizon_vhost.conf
# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************
<VirtualHost 172.16.2.9:80>
  ServerName overcloud-controller-0.localdomain

  ## Alias declarations for resources outside the DocumentRoot
  Alias /dashboard/static "/usr/share/openstack-dashboard/static"

  ## Logging
  ErrorLog "/var/log/httpd/horizon_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/horizon_access.log" combined

  ## RedirectMatch rules
  RedirectMatch permanent ^/$ /dashboard

  ## Server aliases
  ServerAlias overcloud-controller-0.localdomain
  WSGIDaemonProcess dashboard group=apache processes=3 threads=10 user=apache
  WSGIProcessGroup dashboard
  WSGIScriptAlias /dashboard "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi"
</VirtualHost>
~~~
Before, this created the following issue:
~~~
[root@undercloud-6 ~]# curl http://10.0.0.4/cgi-bin/ | grep Index
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1254  100  1254    0     0  24155      0 --:--:-- --:--:-- --:--:-- 24588
<title>Index of /cgi-bin</title>
<h1>Index of /cgi-bin</h1>
~~~
After, the issue is gone:
However, this will default to "PREFIX/htdocs/ where PREFIX is set when you build apache": http://serverfault.com/questions/705169/how-to-disable-the-default-document-root-in-apache
So it may be preferable to keep control over this value, keep it at /var/www, and simply disable the Indexes option.