Backport CGP and Lightsquid access on port 980

filippo_carletti · October 11, 2016, 4:49pm

In the last days, I worked to backport to 6.8 a useful feature introduced in NethServer 7: access to CGP graphs and Lightsquid reports through the standard server-manager port (980).
Now, I’ve uploaded three updated packages to the nethserver-testing repository and I’d like to widen the test base.
If you’d like to help testing, these are the commands:

yum --enablerepo=nethserver-testing update nethserver-httpd-admin
yum --enablerepo=nethserver-testing install nethserver-lightsquid nethserver-cgp

More details here: http://dev.nethserver.org/issues/3426

stephdl · October 11, 2016, 5:55pm

Some concerns against security, even if nethserver-cgp is not the most vulnerable module. I can see that there is no password, nor authentication, of course if I’m wrong, please shout.

For what I can see it is just a random URL who is used to do a reverse proxy in the server-manager

vi /etc/httpd/admin-conf.d/cgp.conf

ProxyPass /064f728c3c47ad6d911cd915673a08a95dd715cb http://localhost/064f728c3c47ad6d911cd915673a08a95dd715cb
ProxyPassReverse /064f728c3c47ad6d911cd915673a08a95dd715cb http://localhost/064f728c3c47ad6d911cd915673a08a95dd715cb

Therefore I can see the usage of the server when I use directly the url

https://ns7dev2:980/064f728c3c47ad6d911cd915673a08a95dd715cb

sure for CGP it is fun, but a real authentication should/must be used.

Just some food for thoughts ???

alefattorini · October 11, 2016, 6:20pm

that’s a job for our awesome @quality_team

filippo_carletti · October 12, 2016, 7:27am

The idea behind the long hash url to access read-only reports it’s similar to the google docs share with a link: only who has the link can read the reports (usually the boss).
By default, port 980 is only accessible from lan/green.

All server-manager pages are password protected except these two read-only reports which also are anonymized: I can’t see a big security hole.

I’d prefer not to change things on the interface, but we could announce in advance that 6.9 will move reports behind a password access (i.e.fully backport 7 code).

davidep · October 12, 2016, 8:18am

Are you sure?

I thought it was “public” (green and red)

filippo_carletti · October 12, 2016, 8:28am

Not sure, you’re probably right indeed.
My best practice is having httpd-admin allowed from green and from selected ip addresses on red.

stephdl · October 12, 2016, 10:10am

I guess you are right @davidep the port 980 is pubic

Francenildo · April 6, 2019, 11:52pm

Hello guys, can anyone tell me why the hash of the lightsquid eg: 064f728c3c47ad6d911cd915673a08a95dd715cb is the same for all firewall installations? That is, if I install 1000 firewalls this key will always be the same. Should not it be at least one for each firewall? How can I change it?

giacomo · April 8, 2019, 7:11am

The hash is generated for each installation: see relevant code.

But it’s saved inside the configuration backup, so do not use the same backup as template for multiple machines.

If you need to change it:

config setprop lightsquid alias xxxx
signal-event nethserver-lightsquid-update

Francenildo · April 8, 2019, 11:34am

Thanks for the feedback.