Bug 1652450

Summary: Capsule port 8443 reverse proxy opens up Satellite UI
Product: Red Hat Satellite
Reporter: Tsai Li Ming <ltsai>
Component: Security
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX
QA Contact: Roman Plevka <rplevka>
Severity: high
Priority: unspecified
Version: 6.4
CC: ehelms, fgarciad, kkinge, lzap, mhulan, molasaga, pkthakur, tbrisker, vhernand
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-05-26 19:32:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Tsai Li Ming 2018-11-22 06:55:08 UTC
Description of problem:
https://capsule:8443/ reverse proxies into the Satellite UI.

1. This opens up the Satellite UI to all clients that the Capsule is deployed in, which has security implications.
2. There is no mention of this in the documentation. The documentation only mentions this for Client to Capsule communication:
8443 TCP HTTPS Subscription Management Services and Telemetry Services

28-katello-reverse-proxy.conf
<VirtualHost *:8443>
  ServerName sat6-capsule1.example.com

## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost Off
  ProxyPass / https://sat6.example.com/
  ProxyPassReverse / /
  ProxyPassReverse / https://sat6.example.com/

Expected Result:
- Capsule should not give users indirect access to the Satellite UI at all.

Comment 5 Eric Helms 2021-05-17 22:58:47 UTC
We have assessed this BZ and there are a few considerations. The reverse proxy on the Capsule grants both UI and API access which in our view has the same security implications. In order to lock down just to the API we would have to build an access list of *all* API paths needed in order to not break functionality. Given there is no single rooted endpoint this is difficult and has the potential to miss an endpoint and break functionality. Additionally, some users see this as a feature that they use in order to access the application from clients or the Capsule itself. Given all of this, it is our recommendation that we close this BZ as wontfix. We would then opt to address https://bugzilla.redhat.com/show_bug.cgi?id=1743839 .
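Added example, not Satellite/Katello code and not part of the original bug report or of Comment 5. It covers two things from the thread: the description's claim that GET / on a Capsule's port 8443 lands on the Satellite UI, and Comment 5's point that restricting the proxy to the API would need an allow-list of every client-facing path. classify_response() and probe_capsule() check a Capsule for UI exposure; is_proxied() and render_allowlist_conf() model the allow-listed proxy and show why a missed path breaks clients. Assumptions, all hypothetical and not taken from the page: that an unauthenticated GET / on Foreman redirects to /users/login or returns the login page, and the prefix list ALLOWED_PREFIXES, which is deliberately incomplete. The hostnames are the ones from the report.

```python
"""Added example (not Satellite/Katello code): check whether a Capsule's
port 8443 reverse proxy exposes the Satellite UI, and model the API path
allow-list that Comment 5 says would be needed to restrict it."""
import posixpath
import re
import ssl
import urllib.request
from urllib.error import HTTPError
from urllib.parse import unquote, urlsplit

# Assumption: an unauthenticated GET / on Foreman answers with a redirect to
# /users/login or with the login page itself. Adjust if your version differs.
LOGIN_PATH = "/users/login"
LOGIN_BODY_RE = re.compile(r"<title>[^<]*Login[^<]*</title>|/users/login", re.I)


def classify_response(status, headers, body):
    """Classify the answer to GET https://capsule:8443/ (no redirects followed).

    headers: dict with lowercase keys; body: decoded text.
    Returns 'ui-exposed', 'not-exposed' or 'inconclusive'.
    """
    location = headers.get("location", "")
    if status in (301, 302, 303, 307, 308) and urlsplit(location).path.startswith(LOGIN_PATH):
        return "ui-exposed"            # proxied straight to the Foreman login
    if status == 200 and LOGIN_BODY_RE.search(body):
        return "ui-exposed"            # login page served through the Capsule
    if status in (403, 404):
        return "not-exposed"           # root is not forwarded to the Satellite
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx answers as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_capsule(capsule_fqdn, port=8443, cafile=None, timeout=10):
    """Live check against a real Capsule. TLS stays verified; pass the
    Satellite CA via cafile when it is not in the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(f"https://{capsule_fqdn}:{port}/", timeout=timeout) as resp:
            status, hdrs, raw = resp.status, resp.headers, resp.read(65536)
    except HTTPError as err:           # 3xx/4xx/5xx land here because redirects are off
        status, hdrs, raw = err.code, err.headers, err.read(65536)
    headers = {k.lower(): v for k, v in hdrs.items()}
    return classify_response(status, headers, raw.decode("utf-8", "replace"))


# Hypothetical, deliberately incomplete allow-list of client-facing prefixes.
# Comment 5's point is that the real set is hard to enumerate: any path a
# client needs that is missing here (e.g. something under /katello/) breaks.
ALLOWED_PREFIXES = ("/rhsm/", "/pulp/", "/api/")


def is_proxied(path, allowed=ALLOWED_PREFIXES):
    """Per-request policy of an allow-listed proxy: only listed prefixes reach
    the Satellite; everything else (the UI included) is refused locally."""
    norm = posixpath.normpath(unquote(path))   # decode and collapse /rhsm/../users/login
    return any(norm == p.rstrip("/") or norm.startswith(p) for p in allowed)


def render_allowlist_conf(satellite_fqdn, capsule_fqdn, allowed=ALLOWED_PREFIXES):
    """Apache fragment equivalent to is_proxied(): one ProxyPass per prefix and
    no catch-all `ProxyPass /`, so unlisted paths get the Capsule's own 404."""
    lines = [
        "<VirtualHost *:8443>",
        f"  ServerName {capsule_fqdn}",
        "",
        "  ProxyRequests Off",
        "  ProxyPreserveHost Off",
    ]
    for p in allowed:
        lines.append(f"  ProxyPass {p} https://{satellite_fqdn}{p}")
        lines.append(f"  ProxyPassReverse {p} https://{satellite_fqdn}{p}")
    lines.append("</VirtualHost>")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(render_allowlist_conf("sat6.example.com", "sat6-capsule1.example.com"))
    if len(sys.argv) > 1:              # python3 check.py sat6-capsule1.example.com
        print(probe_capsule(sys.argv[1]))
```

Run with a Capsule FQDN as the argument to probe it; "ui-exposed" means GET / on 8443 reaches the Foreman login exactly as the report describes. The rendered fragment is the shape of the change Comment 5 declines to make: dropping the `ProxyPass /` catch-all from 28-katello-reverse-proxy.conf and listing prefixes instead, which only works if the list really is complete, and is_proxied() shows how a legitimate but unlisted path gets refused.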