I agree with the concerns about documentation. Currently, maas-proxy is an optional package which does not depend on the MAAS region server (or any other MAAS component). It's analogous to squid-deb-proxy.
The squid-deb-proxy approach to security is to ship (in an autogenerated/ directory, which you are not supposed to edit) an allowed-networks-src.acl file, which contains the RFC 1918 IPv4 addresses, and the link-local IPv6 addresses by default. We could add an additional dependency on the MAAS region (or at least, a URL to the MAAS region which allows us to figure out which networks are attached to MAAS), and try to be smart about which networks to add. But I'm not sure a solution that complex is worth the cost. For now, perhaps it would be sufficient to take the same approach that squid-deb-proxy uses, and then document how to ensure it's both secure, and able to allow any additional desired networks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1379567 Title: maas-proxy is an open proxy with no ACLs; it should add networks automatically To manage notifications about this bug go to: https://bugs.launchpad.net/maas/+bug/1379567/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
