  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-5832

Restrict ALLOWED_HOSTS for Horizon access


    • Epic
    • Resolution: Done
    • Normal
    • rhos-18.0.0
    • None
    • horizon-operator
    • None
    • Restrict ALLOWED_HOSTS for Horizon access
    • False
    • False
    • OSPRH-811 Red Hat OpenStack 18.0 Greenfield Deployment
    • Not Selected
    • Proposed
    • No Docs Impact
    • To Do
    • OSPRH-811 - Red Hat OpenStack 18.0 Greenfield Deployment
    • Proposed
    • Proposed
    • 0% To Do, 0% In Progress, 100% Done
    • .Host spoofing protective measure

      Before this update, the hosts configuration option was not populated with the minimum hosts necessary to protect against host spoofing.

      With this update, the hosts configuration option is now correctly populated.
    • Bug Fix
    • Done
    • Rejected

      We currently set `ALLOWED_HOSTS=*`. This is a vulnerability regression and should be limited to only the hosts that should be served by Django:
      https://docs.djangoproject.com/en/5.0/ref/settings/#allowed-hosts

      This was originally changed to ensure that the liveness check would not fail, since the liveness check accesses the server using the IP address of the pod, which is random each time a pod is created:
      https://github.com/openstack-k8s-operators/horizon-operator/commit/842186a5d26a96c1b78be8e7925ee6f9b74aa7de

            rhn-support-bshephar Brendan Shephard
            rhn-support-bshephar Brendan Shephard
            rhos-dfg-ui
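
An added illustration of the trade-off described in this issue (not code from horizon-operator or its fix): build `ALLOWED_HOSTS` from the served hostnames plus the pod's own IP, so an IP-based liveness check passes without `*`. The names `HORIZON_ENDPOINT_HOSTS` and `POD_IP` and the sample values are assumptions, and `host_allowed` re-implements Django's documented matching rules for demonstration only.

```python
import ipaddress


def build_allowed_hosts(env):
    """Return an explicit ALLOWED_HOSTS list instead of ['*'].

    HORIZON_ENDPOINT_HOSTS and POD_IP are hypothetical names; POD_IP is
    assumed to come from the Downward API field status.podIP.
    """
    raw = env.get("HORIZON_ENDPOINT_HOSTS", "")
    hosts = [h.strip().lower() for h in raw.split(",") if h.strip()]
    if "*" in hosts:
        raise ValueError("'*' disables Host header validation")
    pod_ip = env.get("POD_IP", "").strip()
    if pod_ip:
        ip = ipaddress.ip_address(pod_ip)  # raises on anything but an IP
        # Django compares IPv6 hosts in bracketed form, e.g. "[fd00::1]".
        hosts.append(f"[{ip}]" if ip.version == 6 else str(ip))
    if not hosts:
        raise ValueError("refusing to return an empty ALLOWED_HOSTS")
    return hosts


def host_allowed(host_header, allowed_hosts):
    """Apply Django's matching rules: exact, '.domain' suffix, or '*'."""
    host = host_header.lower()
    if host.startswith("["):  # bracketed IPv6 literal, port follows "]"
        host = host[: host.find("]") + 1]
    else:
        host = host.split(":", 1)[0]  # drop the port
    if host.endswith("."):
        host = host[:-1]
    return any(
        p == "*" or p == host
        or (p.startswith(".") and (host.endswith(p) or host == p[1:]))
        for p in allowed_hosts
    )


# Constructed sample values, not taken from a real deployment.
SAMPLE_ENV = {
    "HORIZON_ENDPOINT_HOSTS": "horizon.apps.example.test",
    "POD_IP": "10.128.2.15",
}
ALLOWED_HOSTS = build_allowed_hosts(SAMPLE_ENV)

if __name__ == "__main__":
    for header in ("10.128.2.15:8080", "attacker.example.net"):
        print(header, host_allowed(header, ALLOWED_HOSTS))
```

In a Django settings module the result of `build_allowed_hosts(os.environ)` would be assigned to `ALLOWED_HOSTS`; Django then performs the host check itself.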