On 2017-01-19 09:34:21 -0500 (-0500), Steve Gordon wrote:
[...]
> Does this configuration directive provide any mitigation for this
> issue?:
>
> "use_forwarded_for = False (BoolOpt) Treat X-Forwarded-For
> as the canonical remote address. Only enable this if you have a
> sanitizing proxy."
>
> Just given its name and stated purpose it seems conspicuous by its
> absence in this OSSN (that is, even if it provides no mitigation
> at all I would have expected to see that noted)?
[...]
I agree it's unfortunate this was omitted in the discussion. If you follow the original bug report[*], it's only applicable to environments which set use_forwarded_for = True. The report can be reduced to the following summary:

If you configure nova's metadata service to rely on X-Forwarded-For (by setting use_forwarded_for = True) so that you can put a proxy in front of it, then you need to make sure your network is correctly designed such that untrusted systems are not allowed to connect directly to the service without going through your proxy (and also make sure your proxy correctly rewrites any existing X-Forwarded-For headers it may receive rather than passing them through untouched).

[*] https://launchpad.net/bugs/1563954

-- 
Jeremy Stanley
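The two conditions in the reply above (the proxy must rewrite X-Forwarded-For, and nothing untrusted may reach the service directly), shown as an added model in Python. This is not code from the thread or from nova: it loosely models how a metadata service picks its canonical remote address under use_forwarded_for, and adds a trusted-proxy peer check as this example's own defence-in-depth step; the proxy address 10.0.0.5 and all client addresses are constructed sample values.

```python
# Added example: simplified model of use_forwarded_for handling plus the
# proxy-side rewrite and a service-side peer check. Not nova's code.
from ipaddress import ip_address, ip_network

# Constructed: the only host allowed to speak for clients via X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.5/32")]


def sanitizing_proxy(client_ip, incoming_headers):
    """Model of a sanitizing proxy: drop whatever X-Forwarded-For the client
    sent and set it to the address of the TCP connection the proxy saw."""
    headers = {k: v for k, v in incoming_headers.items()
               if k.lower() != "x-forwarded-for"}
    headers["X-Forwarded-For"] = client_ip
    return headers


def passthrough_proxy(client_ip, incoming_headers):
    """Model of a misconfigured proxy that appends instead of rewriting, so a
    client-supplied value survives as the first (and thus honoured) entry."""
    headers = dict(incoming_headers)
    prior = headers.get("X-Forwarded-For")
    headers["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    return headers


def canonical_remote_addr(peer_ip, headers, use_forwarded_for,
                          trusted_proxies=TRUSTED_PROXIES):
    """Address the service treats as the caller's.

    use_forwarded_for=False: always the TCP peer, header ignored.
    use_forwarded_for=True: first X-Forwarded-For entry, but only when the
    TCP peer is a trusted proxy (assumed hardening, not nova's behaviour);
    a client that bypasses the proxy is then still identified by its peer IP.
    """
    if not use_forwarded_for:
        return peer_ip
    peer = ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return peer_ip  # direct connection: do not trust the header
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or peer_ip
```

Running the passthrough variant side by side with the sanitizing one shows why the reply insists on rewriting: with an appending proxy, the client's own X-Forwarded-For value is what the service ends up believing.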
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack