Backport CGP and Lightsquid access on port 980

v6.8

(Filippo Carletti) #1

In the last days, I worked to backport to 6.8 a useful feature introduced in NethServer 7: access to CGP graphs and Lightsquid reports through the standard server-manager port (980).
Now, I’ve uploaded three updated packages to the nethserver-testing repository and I’d like to widen the test base.
If you’d like to help testing, these are the commands:

yum --enablerepo=nethserver-testing update nethserver-httpd-admin
yum --enablerepo=nethserver-testing install nethserver-lightsquid nethserver-cgp

More details here: http://dev.nethserver.org/issues/3426


(Stéphane de Labrusse) #2

Some concerns against security, even if nethserver-cgp is not the most vulnerable module. I can see that there is no password, nor authentication, of course if I’m wrong, please shout.

For what I can see it is just a random URL who is used to do a reverse proxy in the server-manager

vi /etc/httpd/admin-conf.d/cgp.conf

ProxyPass /064f728c3c47ad6d911cd915673a08a95dd715cb http://localhost/064f728c3c47ad6d911cd915673a08a95dd715cb
ProxyPassReverse /064f728c3c47ad6d911cd915673a08a95dd715cb http://localhost/064f728c3c47ad6d911cd915673a08a95dd715cb

Therefore I can see the usage of the server when I use directly the url

https://ns7dev2:980/064f728c3c47ad6d911cd915673a08a95dd715cb

sure for CGP it is fun, but a real authentication should/must be used.

Just some food for thoughts ???


(Alessio Fattorini) #3

that’s a job for our awesome @quality_team


(Filippo Carletti) #4

The idea behind the long hash url to access read-only reports it’s similar to the google docs share with a link: only who has the link can read the reports (usually the boss).
By default, port 980 is only accessible from lan/green.

All server-manager pages are password protected except these two read-only reports which also are anonymized: I can’t see a big security hole.

I’d prefer not to change things on the interface, but we could announce in advance that 6.9 will move reports behind a password access (i.e.fully backport 7 code).


(Davide Principi) #5

Are you sure?

I thought it was “public” (green and red) :astonished:


(Filippo Carletti) #6

Not sure, you’re probably right indeed.
My best practice is having httpd-admin allowed from green and from selected ip addresses on red.


(Stéphane de Labrusse) #7

I guess you are right @davidep the port 980 is pubic


(Francenildo) #8

Hello guys, can anyone tell me why the hash of the lightsquid eg: 064f728c3c47ad6d911cd915673a08a95dd715cb is the same for all firewall installations? That is, if I install 1000 firewalls this key will always be the same. Should not it be at least one for each firewall? How can I change it?


(Giacomo Sanchietti) #9

The hash is generated for each installation: see relevant code.

But it’s saved inside the configuration backup, so do not use the same backup as template for multiple machines.

If you need to change it:

config setprop lightsquid alias xxxx
signal-event nethserver-lightsquid-update

(Francenildo) #10

Thanks for the feedback.