Bug 1655433 - Need to restrict few services port from outside access to web-admin
Summary: Need to restrict few services port from outside access to web-admin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: web-admin-tendrl-ansible
Version: rhgs-3.4
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: RHGS 3.4.z Batch Update 3
Assignee: Nishanth Thomas
QA Contact: Elena Bondarenko
URL:
Whiteboard:
Depends On:
Blocks: 1658718
TreeView+ depends on / blocked
 
Reported: 2018-12-03 07:24 UTC by gowtham
Modified: 2019-02-04 07:44 UTC (History)
5 users (show)

Fixed In Version: tendrl-ansible-1.6.3-11.el7rhgs
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-04 07:43:46 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0265 None None None 2019-02-04 07:44:07 UTC
Github Tendrl tendrl-ansible pull 136 None None None 2018-12-07 10:29:04 UTC

Description gowtham 2018-12-03 07:24:14 UTC
Description of problem:
We need to restrict some services or daemons ports form the outside access to tendrl-server. Few services in web-admin-server are internal use only so for some security concern we don't want to open that for outside access.

For example:
   grafana 3000
   graphite-web 10080

Version-Release number of selected component (if applicable):
tendrl-ansible-1.6.3-10.el7rhgs

How reproducible:
After enabling SSL for web-admin also we can access some services using http protocol from outside.

Those services are not necessary to access for outside users, this can be restricted for outside use.

Steps to Reproduce:
1.
2.
3.

Actual results:
After enabling SSL all web-admin related services are accessible with http protocol. 

Expected results:
Few services should not accessible for outside user for some security concern, after enabling SSL all request for the web-admin server should be encrypted. no need to open ports for the services which are only for internal use. 

Additional info:

Comment 2 gowtham 2018-12-05 06:48:13 UTC
Looks like we already closed port 3000 for outside access, we need to restrict 10080 also

Comment 3 gowtham 2018-12-07 10:29:05 UTC
PR is under review: https://github.com/Tendrl/tendrl-ansible/pull/136

Comment 4 Martin Bukatovic 2018-12-10 19:19:23 UTC
Do you mean that this BZ is about not opening port tcp 10080 on WA server no matter if ssl is enabled or not?

Comment 5 gowtham 2018-12-11 11:57:59 UTC
Yes, that is correct

Comment 6 Martin Bukatovic 2018-12-12 18:20:30 UTC
Providing QA ack, assuming that the purpose of this BZ is described in comment 4, as validated by comment 5.

Comment 9 Nishanth Thomas 2018-12-18 12:39:10 UTC
@Martin, We need

Comment 11 Elena Bondarenko 2019-01-22 17:10:10 UTC
Port 10080 has been closed for outside access.

Comment 13 errata-xmlrpc 2019-02-04 07:43:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0265


Note You need to log in before you can comment on or make changes to this bug.