Configuration to restrict the hosts and ports accessible by the http proxy servlet #7326

Merged: 3 commits, Jan 5, 2024


josegar74
Member

This change request adds configuration to restrict the hosts and ports accessible by the http proxy servlet, independently of the security mode configured.

  • proxy.excludeHosts: Regular expression to match a set of host names / IPs that the http proxy should not be allowed to access, for example, the ones related to localhost.

  • The default has been changed to only allow the proxy to access ports 80 and 443; additional ports can be configured in proxy.allowPorts.

These properties can be configured using multiple methods: not only as an init parameter in the servlet's config in web.xml, but also as an environment variable, system property or config.properties entry.
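
The two checks described in the pull request description above, as an added example that is not code from this pull request or from GeoNetwork. The class and method names are hypothetical, the regular expression is a constructed sample value for proxy.excludeHosts, and whole-string matching and the http/https scheme restriction are assumptions.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public class ProxyTargetPolicy {
    // Constructed sample value for proxy.excludeHosts (an assumption, not the project's default).
    static final Pattern EXCLUDE_HOSTS = Pattern.compile(
        "localhost|127\\.\\d+\\.\\d+\\.\\d+|0\\.0\\.0\\.0|\\[?::1\\]?",
        Pattern.CASE_INSENSITIVE);

    // 80 and 443 are the defaults named in the PR; 8080 stands in for a proxy.allowPorts entry.
    static final Set<Integer> ALLOW_PORTS = Set.of(80, 443, 8080);

    /** Returns true only if the target's port is allowed and its host is not excluded. */
    static boolean isAllowed(String url) {
        URI uri;
        try {
            uri = URI.create(url);
        } catch (IllegalArgumentException e) {
            return false; // unparsable target: reject
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost();
        if (host == null || !(scheme.equals("http") || scheme.equals("https"))) {
            return false; // assumption: only absolute http/https targets are proxied
        }
        // No explicit port in the URL: fall back to the scheme's default port.
        int port = uri.getPort() != -1 ? uri.getPort() : (scheme.equals("https") ? 443 : 80);
        if (!ALLOW_PORTS.contains(port)) {
            return false;
        }
        // Matches the literal host string from the URL; resolved addresses are not examined here.
        return !EXCLUDE_HOSTS.matcher(host).matches();
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample targets
            "https://maps.example.org/wms",
            "http://maps.example.org:8443/wms",
            "http://localhost/geoserver/ows",
            "http://127.0.0.1:8080/status",
            "http://[::1]/",
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```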

@ianwallen
Contributor

@josegar74
Would this change also affect/replace the following configuration used for map services?

<util:list id="securedMapServices" value-type="org.fao.geonet.domain.mapservices.MapService">
<!-- Sample secured map services -->
<!--bean class="org.fao.geonet.domain.mapservices.MapService"
p:url="http://map1.com" p:useProxy="true" p:authType="BEARER"/-->
<!--bean class="org.fao.geonet.domain.mapservices.MapService"
p:url="http:\/\/map1[A-Z].com" p:useProxy="true" p:authType="BASIC" p:urlType="REGEXP" p:username="test" p:password="testpass"/-->
</util:list>

It would be nice to only have to apply the proxy configuration in one location.

@josegar74 josegar74 modified the milestones: 4.4.0, 4.4.1 Sep 29, 2023
@fxprunayre fxprunayre modified the milestones: 4.4.1, 4.4.2 Nov 22, 2023
Co-authored-by: François Prunayre <fx.prunayre@gmail.com>
@fxprunayre fxprunayre marked this pull request as ready for review January 5, 2024 11:55
Co-authored-by: François Prunayre <fx.prunayre@gmail.com>
@fxprunayre
Member

> Would this change also affect/replace the following configuration used for map services?

Not really @ianwallen. It is 2 different things. Here we want to limit proxy access to local resources for security reasons. The mapservice config is about accessing remote resources with custom auth.

> It would be nice to only have to apply the proxy configuration in one location.

Sure, we can work on that in another PR. I propose to merge this one as it is for the next release.

@fxprunayre fxprunayre merged commit 802e098 into geonetwork:main Jan 5, 2024
6 checks passed
juanluisrp pushed a commit that referenced this pull request Mar 12, 2024
…ible by the http proxy servlet (#7326)

* Configuration to restrict the hosts and ports accessible by the http proxy servlet

---------

Co-authored-by: François Prunayre <fx.prunayre@gmail.com>
josegar74 added a commit to GeoCat/core-geonetwork that referenced this pull request May 2, 2024
juanluisrp pushed a commit that referenced this pull request May 23, 2024
Follow up of #7326 (Configuration to restrict the hosts and ports accessible 
by the http proxy servlet)
geonetworkbuild pushed a commit that referenced this pull request May 23, 2024
juanluisrp pushed a commit that referenced this pull request May 23, 2024
Follow up of #7326

Co-authored-by: Jose García <josegar74@gmail.com>
@juanluisrp juanluisrp deleted the excludehosts-proxy branch June 12, 2024 10:15
fxprunayre pushed a commit to SPW-DIG/metawal-core-geonetwork that referenced this pull request Jul 18, 2024
Follow up of geonetwork#7326 (Configuration to restrict the hosts and ports accessible 
by the http proxy servlet)