)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":34437,"name":"Alejandro Garcia","email":"agarcia@whitestack.com","username":"agarciaws"},"change_message_id":"35255d972f95afc63f67d312d4400eb15d78182d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"a1894cfd_7a4124ff","updated":"2023-07-27 19:13:26.000000000","message":"Hi Maksim Malchuk, we have just discovered this very same thing in our environments and were discussing how to address it.\n\nAs per my understanding, here you are blocking the /server-status endpoint directly on HAProxy. Is that correct?\n\nIf that is the case, I wonder, wouldn\u0027t it be better to just block the endpoint directly at the Apache level? That would block the endpoint in other cases, for instance with only 1 controller node and HAProxy disabled. This was the approach we were trying on https://review.opendev.org/c/openstack/kolla-ansible/+/889784","commit_id":"1e84aae46785fd6923fe40e5e7063cd81cf9b620"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"cc0501dd263cd16b71b70c0a481cb19981bd2aa3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"958b6657_329a4de8","updated":"2023-08-05 19:14:51.000000000","message":"frontend horizon_front\n    mode http\n    http-request del-header X-Forwarded-Proto\n    use_backend acme_client_back if { path_reg ^/.well-known/acme-challenge/.+ }\n    option httplog\n    option forwardfor\n    http-request set-header X-Forwarded-Proto https if { ssl_fc }\n    bind 192.0.2.10:443 ssl crt /etc/haproxy/haproxy-internal.pem\n    default_backend horizon_back\n\nbackend horizon_back\n    mode http\n    balance roundrobin\n    server primary 192.0.2.1:443 check check-ssl inter 2000 rise 2 fall 5 ssl verify required ca-file ca-certificates.crt \n\nfrontend horizon_redirect_front\n    mode http\n    bind 192.0.2.10:80\n    redirect scheme https code 301 if !{ ssl_fc 
}\n\nbackend acme_client_back\n    mode http\n    \nThis is services.d/horizon.cfg from zuul logs for this patchset, and I can\u0027t see deny for server-status, probably because no config for external vip.\n\nMoreover, you are adding frontend_extra_options but there is already frontend_http_extra, so you are adding what is already there.\n\n\nDrop your changes for haproxy template and just add line \n\n- \"http-request deny if { path -i -m beg /server-status }\"\n\nto frontend_http_extra for horizon external in defaults.\n\n!! Also , add frontend_http_extra option for deny server status also for all apache services below : \n\n(kolla-ansible)[root]# grep -r VirtualHost . | awk -F \u0027:\u0027 \u0027{print $1}\u0027 | sort | uniq | sort \n./ansible/roles/aodh/templates/wsgi-aodh.conf.j2\n./ansible/roles/cinder/templates/cinder-wsgi.conf.j2\n./ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2\n./ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2\n./ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2\n./ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2\n./ansible/roles/heat/templates/wsgi-heat-api.conf.j2\n./ansible/roles/horizon/templates/horizon.conf.j2\n./ansible/roles/ironic/templates/ironic-api-wsgi.conf.j2\n./ansible/roles/ironic/templates/ironic-http-httpd.conf.j2\n./ansible/roles/keystone/templates/wsgi-keystone.conf.j2\n./ansible/roles/letsencrypt/templates/letsencrypt-webserver.conf.j2\n./ansible/roles/masakari/templates/wsgi-masakari.conf.j2\n./ansible/roles/nova/templates/nova-api-wsgi.conf.j2\n./ansible/roles/octavia/templates/octavia-wsgi.conf.j2\n./ansible/roles/placement/templates/placement-api-wsgi.conf.j2\n./ansible/roles/trove/templates/trove-wsgi.conf.j2\n./ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2\n./ansible/roles/zun/templates/wsgi-zun.conf.j2","commit_id":"1e84aae46785fd6923fe40e5e7063cd81cf9b620"},{"author":{"_account_id":14200,"name":"Maksim 
Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"caa68a8f4f7d82a74a186ebbf70b58ccab097e65","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"f96c32a6_3bdbfde4","in_reply_to":"958b6657_329a4de8","updated":"2023-08-08 08:49:41.000000000","message":"thanks for comment. and yes, zuul didn\u0027t use external vip, so we didn\u0027t see the changes.","commit_id":"1e84aae46785fd6923fe40e5e7063cd81cf9b620"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"51505b0d9d8c791e6a29a7e7b5b5d5be4d88e39b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"e18a3787_c9634d66","in_reply_to":"a1894cfd_7a4124ff","updated":"2023-07-27 19:58:13.000000000","message":"answered in your change","commit_id":"1e84aae46785fd6923fe40e5e7063cd81cf9b620"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"7117be0f684a151333850550f869c22aa48c4189","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"994e3a09_309893b8","updated":"2023-08-08 14:21:47.000000000","message":"Can\u0027t reproduce on any of my production clouds, can somebody add reproduce steps to the bug?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"ba3c137131ec792f95c9da860e4f3dfc01971274","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"d6ba2b29_5d0cd7bf","updated":"2023-08-08 11:35:39.000000000","message":"Michal Arbet: 
https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_051/890758/1/check/kolla-ansible-ubuntu-kvm/051d542/primary/logs/kolla_configs/haproxy/services.d/","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"1b597a261f0b1485f2b1a1fd7bc63e3406c0beef","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"374ad235_275e7b09","updated":"2023-08-09 07:48:51.000000000","message":"Ok, first of all - mod_status should be either disabled on all distributions or enabled on all - currently it\u0027s only enabled on Debian/Ubuntu.\nSecond of all - I don\u0027t like editing role defaults for some services and not allowing users to override that - can we globally deny that path?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"6fbd58db96551d7b9feb925e784456bc07cdbbc3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"9126c724_1b0c53ae","updated":"2023-08-08 14:48:53.000000000","message":"server-status is a very usefull and should be disabled completely imho. 
it still needed localy, am I wrong?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"21db6fe789b2e005b473b8008d5539e8610ae7e0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"3cc30e60_9b4f6ecb","updated":"2023-08-09 07:51:43.000000000","message":"so my reasoning for +1 would be:\n\n- this does the job\n- nobody came up with something better\n- it does not break the usecase for internal admins/monitoring which want to track server-status\n\nit only could be argued, that - even if it\u0027s a security fix, it breaks the workflow where someone is monitoring this stuff via haproxy/external network (which you really shouldn\u0027t without auth).\n\nanother solution might be to require auth for all available haproxy routes instead. But I don\u0027t know if that\u0027s feasible, it sounds like a lot of work.\n\nthis is a necessary setting not just from the security perspective but also from the GDPR perspective, because server-status commonly exposes PII like ip addresses.","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"7710a932d29ceb10bbca867208ef227d90b03b17","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"7a1ca097_f08e80d6","in_reply_to":"11668e79_c9bcffdc","updated":"2023-08-08 14:38:52.000000000","message":"Sorry, don\u0027t have Rocky/Centos cloud to test. Does it matter? 
need mention in the relno?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"7a968a7090f505f88b5db9504325631743346f5d","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"28692c12_8f617c74","in_reply_to":"11668e79_c9bcffdc","updated":"2023-08-08 14:38:06.000000000","message":"nah, yeah - fixed here, but here is not fixed https://horizon.octavia.ultimum.cloud/server-status \u003c\u003c","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"26ebe488f8effbdecea144e334ec62b4b08c99c8","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"7343f973_0ab25e69","in_reply_to":"1aeb08ad_a3daf8ba","updated":"2023-08-08 14:24:23.000000000","message":"example my test env : \n\nhttps://horizon.master.ultimum.cloud:9292/server-status","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4d784e6d570c354eaae93392f19b65ea8da7e409","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"a7979b58_be65c31b","in_reply_to":"1e007207_b5c23895","updated":"2023-08-08 14:33:46.000000000","message":"Michal Nasiadka may be your clouds on Rocky/Centos ? 
there is a problem on Ubuntu only.","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"181bf8cb8451ca2f4eaf6e4d82187daa85dce9b7","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"5cacb047_d5460d2d","in_reply_to":"1e007207_b5c23895","updated":"2023-08-08 14:32:27.000000000","message":"Sorry :), https://api.master.ultimum.cloud:8774/server-status \u003c\u003c nova","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"b37bf6775a9a1945d2a5844036b2157c06bf23d7","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"590d8ce8_1232f5fc","in_reply_to":"28692c12_8f617c74","updated":"2023-08-08 14:40:00.000000000","message":"So why the bug doesn\u0027t say that it\u0027s only applicable on Debian/Ubuntu? Please update it.\nWondering - wouldn\u0027t it be better to disable mod_status instead of this hack?\n\n\n\u003e\u003e\u003e\n\nNo, server-status is helpful for operators, and also maybe some exporter is reading from server-status ?? ... 
This is not hack, it\u0027s proper haproxy config to deny url...","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"8245f407bc6dbe005240a1fb62816cfaae2f9eaa","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"413ad5db_ea84966b","in_reply_to":"2ecce29e_a95b4ea1","updated":"2023-08-09 09:30:24.000000000","message":"this is really OT, but afaik this is just a cultural misunderstanding, as - I think - an exclamation mark is not always used to indicate \"shouting\" in all cultures.\n\nfwiw the part of the internet I grew up with considered it shouting when you wrote in ALL CAPS, which was considered to be very impolite.\n\nlet\u0027s get back to work, shall we? 😊","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"ac9982d435bdbe1dbed9c5a158fe9b00793a2060","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"c2194056_d8373598","in_reply_to":"374ad235_275e7b09","updated":"2023-08-09 07:57:15.000000000","message":"globaly no, because not all haproxy backends is apache2","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"403a1cab1d62624a5493cc437265cbe0ad0ab66e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"15aeeccb_e0723fd2","in_reply_to":"374ad235_275e7b09","updated":"2023-08-09 07:57:01.000000000","message":"tripleo limits server-status to localhost - maybe that\u0027s a sane approach and allowing the user to set an 
allowlist?\n\nhttps://opendev.org/openstack/tripleo-ansible/src/branch/master/tripleo_ansible/roles/tripleo_httpd_config/files/apache-status.conf","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"16979dd0a16e2e78ed5b9e369afda20b76f62b3c","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"87abecb7_a6bf568b","in_reply_to":"3bd209e6_567ba20f","updated":"2023-08-08 14:43:58.000000000","message":"so we can merge it? or I should mention Ubuntu/Debian in releasenote?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"ac9982d435bdbe1dbed9c5a158fe9b00793a2060","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"b9799e40_afb601a4","in_reply_to":"3cc30e60_9b4f6ecb","updated":"2023-08-09 07:57:15.000000000","message":"enabble+configure mod_status for centos/rocky can be made as a followup.","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"c1c36a1d611193c325bc72d09aafdbd94754fab3","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"4aedd353_007248ce","in_reply_to":"438719e0_9dc2dfb9","updated":"2023-08-08 14:47:51.000000000","message":"any reasonable reason?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"9fb70a8241e4ca3149dbbaf11a6a501b49cd7a1c","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"588fbf05_95068dcd","in_reply_to":"438719e0_9dc2dfb9","updated":"2023-08-08 
14:47:23.000000000","message":"what is a good one?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"0070380c7b93270e20fd752275b430b61c2be4a1","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"ea5f3596_28fcd2d9","in_reply_to":"5346a18d_35e925e2","updated":"2023-08-09 08:20:52.000000000","message":"sorry, again, but how to put an accent without an exclamation mark?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"2f46c67082b346b4bac3be8e6cdebe27d0a926a3","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"1e007207_b5c23895","in_reply_to":"7343f973_0ab25e69","updated":"2023-08-08 14:29:27.000000000","message":"Michal, glance not affected because don\u0027t use apache2.\ngive another example. 
I\u0027see horizon on this fqdn fixed.","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"cb4e0a55b62a1242c2bcb369e4f36b8487b7f07c","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"5346a18d_35e925e2","in_reply_to":"78ba942d_d53b830b","updated":"2023-08-09 08:00:18.000000000","message":"Can you finally learn to provide comments in a friendly manner without exclamation marks?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"a029d75a030d01552113090b6607af4ea2008ae0","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"f8fc411a_43f374fc","in_reply_to":"7a1ca097_f08e80d6","updated":"2023-08-08 14:40:16.000000000","message":"cool. https://horizon.octavia.ultimum.cloud/server-status Debian affected too.","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"782ef3c51f6655fe6b1b06f269e30ac70f7094ee","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"438719e0_9dc2dfb9","in_reply_to":"87abecb7_a6bf568b","updated":"2023-08-08 14:45:39.000000000","message":"I still am not convinced this is a good method to prevent this from showing up.","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"093c2967081b561840ef15c32707b98ccd3be167","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"8b55e032_42651593","in_reply_to":"9126c724_1b0c53ae","updated":"2023-08-08 14:53:02.000000000","message":"shouldn\u0027t 
sorry)","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"2a14e2fd043bef13e61dc1559246bd38c6ca2656","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"1aeb08ad_a3daf8ba","in_reply_to":"994e3a09_309893b8","updated":"2023-08-08 14:23:22.000000000","message":"Share your test and globals.. I\u0027ve normally reproduced ..","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"b530b438dbccbc63dc9cbe730e3c37d801ffdd16","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"79210fa1_db6426d1","in_reply_to":"a7979b58_be65c31b","updated":"2023-08-08 14:36:25.000000000","message":"Michal Arbet, Forbidden, looks like you have fixed already?! on the not affected there should be 404 error.","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"de3d2a8d5956a3efc6890b567238edc20d6b9ea2","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"11668e79_c9bcffdc","in_reply_to":"a7979b58_be65c31b","updated":"2023-08-08 14:36:27.000000000","message":"So why the bug doesn\u0027t say that it\u0027s only applicable on Debian/Ubuntu? 
Please update it.\nWondering - wouldn\u0027t it be better to disable mod_status instead of this hack?","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"432679f9f35425925c04fd6ac92dccbda13c79d9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"78ba942d_d53b830b","in_reply_to":"c2194056_d8373598","updated":"2023-08-09 07:58:38.000000000","message":"it is limited to localhost, but this didn\u0027t work because of haproxy, which proxies the requests locally. so the fix is right!","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"34bf41213dfbeb15cb2fa7aaa32ae75a26bb6341","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"2ecce29e_a95b4ea1","in_reply_to":"ea5f3596_28fcd2d9","updated":"2023-08-09 09:23:36.000000000","message":"just no need to put an accent...","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"99c89db3c4ea05a93bb6b3c6b982bc78123d26fc","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":7,"id":"3bd209e6_567ba20f","in_reply_to":"f8fc411a_43f374fc","updated":"2023-08-08 14:41:27.000000000","message":"yeah, all apache services as i mentioned in comments above... 
master is fixed as i reviewed your patch there...","commit_id":"f720afc3e96f250a9e5631e548a198378032e16b"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"90666eaed6e9d2bfaddf4bb5c4210e875131d15a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"3dd4fd89_f6bb1d52","updated":"2023-08-09 13:22:03.000000000","message":"LGTM now 😊","commit_id":"dd248c6e9273b1bd22f7d592c343b59b8003bfaa"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"b66e2e92d4289d22fecb8332fe3680feff275973","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"d3ec7bec_0afc4233","updated":"2023-08-09 17:53:53.000000000","message":"Hmm, you should decide how you want to fix this issue.\n\n1. You added forbidden config to haproxy for /server-status\n2. Added server-status functionality and restrict access to 127.0.0.1 \n3. 
You\u0027ve added server-status only for horizon ...\n\nSooo, currently you can show server-status for every service across the internal network, but horizon only on 127.0.0.1.\n\nSoooo, I think we should remove forbidden clause from haproxy and go with apache config modification - and for all services, not only horizon.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"3e04f4672a1f584e892a11bac1d007d0eac2d97c","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":9,"id":"4d3b9344_91164431","in_reply_to":"112b5f13_6a6c732f","updated":"2023-08-09 20:36:44.000000000","message":"Dear public cloud owners, if you don\u0027t like that we are adding deny clause for /server-status in haproxy, feel free to use our config override :) \n\nMoreover, I can\u0027t imagine what kind of idiot would depend on /server-status which is served by the load balancer, every time he would have a different result from a different backend server :D\n\nSo, this is not argument.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"27de024c7015e495cc666781bb8d41bf84a0540d","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":9,"id":"cd22a79e_0c6d6690","in_reply_to":"183fc9af_99fe36ca","updated":"2023-08-09 20:27:47.000000000","message":"I understand, but these services\u0027 server-status shouldn\u0027t be served by the public haproxy interface.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":27339,"name":"Michal 
Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"e1defab41a1c5acc7a77c21db2782529784f05a4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"7a39c84e_b6a7b6de","in_reply_to":"330adc00_dbb60a35","updated":"2023-08-09 19:25:01.000000000","message":"Well,\n\nI think the best would be : \n\n1, Render \u003cLocation \"/server-status\"\u003e to apache services if not enable_haproxy | bool   [haproxyless scenario]\n2. Deny in haproxy [current frontend_extra - i think better would be to do it in haproxy directly]\n3. Add 1. to all apache services - not only horizon\n\nWith above steps you can be sure that if you have haproxy enabled, you will get deny from haproxy (apache config not needed - then you can access server-status across internal network). If you don\u0027t have haproxy enabled, configuration for deny will be rendered in apache config...so you are OK.\n\nBtw, wouldn\u0027t be better to add deny for server status directly into haproxy template ? Then, there is no need to amend default  for every apache service.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"d9a5f5c31850074027a5add277d75a32b8678579","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"507800b7_4e8022df","in_reply_to":"4156ff45_4a22b174","updated":"2023-08-09 20:08:43.000000000","message":"we do this on public interface (external_vip) because we configure only external backends. 
also this mentioned in the topic of the commit message.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"d9ee83ffe24d41f7b901d1633b3c6a5b3a8b19ad","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"733af092_f086cb51","in_reply_to":"4d3b9344_91164431","updated":"2023-08-09 20:55:02.000000000","message":"Done","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"edb6acb03cb14377024a080e74a5a749be6985f2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"6de7ffc6_177dd3dd","in_reply_to":"507800b7_4e8022df","updated":"2023-08-09 20:12:28.000000000","message":"My comment was regarding this \"But it is a bad idea to deny all for services because we can break something potentially.\" ..\n\nSo why we would break something potentionally, if something whatever it is , is checking public/server-status - it\u0027s bad.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"ab04fbdb2c8bba2f072cceedd7875557aa4a3e63","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"183fc9af_99fe36ca","in_reply_to":"6de7ffc6_177dd3dd","updated":"2023-08-09 20:23:23.000000000","message":"I mean some other openstack service api can use /server-status (for example) and we didn\u0027t catch the issue because this particular service don\u0027t fronted by apache.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":14200,"name":"Maksim 
Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"94918c8703d416b11e58e97695cbcc4cfed1b8fa","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"f4f7aba5_a1e3cae0","in_reply_to":"7a39c84e_b6a7b6de","updated":"2023-08-09 19:49:02.000000000","message":"I\u0027m ok with \u0027if case\u0027. Will do. But it is a bad idea to deny all for services because we can break something potentially.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"8ca7425bb658b86f96c4f3e2ef32297c2eb365a4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"330adc00_dbb60a35","in_reply_to":"b48ef1d4_fc8ff47c","updated":"2023-08-09 18:18:53.000000000","message":"just for sure in the container there is a file /etc/apache2/mods-enabled/status.conf\nwith \u0027Require local\u0027 already\nand it has no priority above 000-default.conf file created by kolla-ansible.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"af9d85ec2778deae2fa2042183570cf8961358be","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":9,"id":"112b5f13_6a6c732f","in_reply_to":"cd22a79e_0c6d6690","updated":"2023-08-09 20:31:29.000000000","message":"shouldn\u0027t) say this to public cloud owners)","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"2a81daa5b1c905484ad414eaaf467e04e515f6a2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"b48ef1d4_fc8ff47c","in_reply_to":"d3ec7bec_0afc4233","updated":"2023-08-09 18:13:00.000000000","message":"Michal, did you miss 
discussion on the meeting today? this can\u0027t be fixed by restricting access to 127.0.0.1, because of internal_vip_address in apache listen and haproxy. Horizon fixed only for haproxyless configuration where \u0027Require all granted\u0027 in the same file gives full access to any URL including /server-status.","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"47ad900541d466669534600f2a58f69766a0f44d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":9,"id":"4156ff45_4a22b174","in_reply_to":"f4f7aba5_a1e3cae0","updated":"2023-08-09 20:03:57.000000000","message":"I think it\u0027s safe to deny on public interface (external_vip) - because normally you don\u0027t want to expose such urls to public endpoint (/server-status, /health, etc etc...). Every openstack/non-openstack service should go to internal interface ...\n\nBut I am open to discuss..","commit_id":"31de8a72ecb8a6ce67e0bd4611e4ba5b7a159c3b"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"debb0f0c3592da54eb3de90645c552382c664bc8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"17baaed7_9bdb1b81","updated":"2023-08-09 22:01:05.000000000","message":"https://3a6f3232053d79c8ec4a-8317af439e76bee5b0b71e78f082054c.ssl.cf1.rackcdn.com/890758/5/check/kolla-ansible-ubuntu-kvm/5366653/primary/logs/kolla_configs/haproxy/services.d/\nit work as expected.","commit_id":"07204392959fb3164b449caaae281d46d50bf097"}],"ansible/roles/horizon/templates/horizon.conf.j2":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"db0f929173fdba2e3eb0886f9bade00f835e6663","unresolved":true,"context_lines":[{"line_number":31,"context_line":"    
\u003c/Location\u003e"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"    \u003cLocation \"/server-status\"\u003e"},{"line_number":34,"context_line":"        Require local"},{"line_number":35,"context_line":"    \u003c/Location\u003e"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"    Alias /static {{ python_path }}/static"}],"source_content_type":"text/x-jinja2","patch_set":8,"id":"2e8bc69a_52d25922","line":34,"updated":"2023-08-09 13:36:31.000000000","message":"This will enable /server-status on Rocky/CentOS now - are we sure we want to introduce it to all users?","commit_id":"dd248c6e9273b1bd22f7d592c343b59b8003bfaa"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"5d390f2c5fc0e2377dfa8689d24d9d381c6ab429","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    \u003c/Location\u003e"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"    \u003cLocation \"/server-status\"\u003e"},{"line_number":34,"context_line":"        Require local"},{"line_number":35,"context_line":"    \u003c/Location\u003e"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"    Alias /static {{ python_path }}/static"}],"source_content_type":"text/x-jinja2","patch_set":8,"id":"80dc0563_4782c3a7","line":34,"in_reply_to":"2e8bc69a_52d25922","updated":"2023-08-09 13:39:31.000000000","message":"ok, no SetHandler, so it won\u0027t.","commit_id":"dd248c6e9273b1bd22f7d592c343b59b8003bfaa"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"74b63e80441d81b72c1aadeedb671a765dd7a36c","unresolved":false,"context_lines":[{"line_number":31,"context_line":"    \u003c/Location\u003e"},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"    \u003cLocation \"/server-status\"\u003e"},{"line_number":34,"context_line":"   
     Require local"},{"line_number":35,"context_line":"    \u003c/Location\u003e"},{"line_number":36,"context_line":""},{"line_number":37,"context_line":"    Alias /static {{ python_path }}/static"}],"source_content_type":"text/x-jinja2","patch_set":8,"id":"72556a22_b0ada3e2","line":34,"in_reply_to":"80dc0563_4782c3a7","updated":"2023-08-09 13:40:31.000000000","message":"yep.","commit_id":"dd248c6e9273b1bd22f7d592c343b59b8003bfaa"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"246acd2f293876cf186a43df8eb3ec709fd35b48","unresolved":true,"context_lines":[{"line_number":29,"context_line":"    \u003cLocation \"/\"\u003e"},{"line_number":30,"context_line":"        Require all granted"},{"line_number":31,"context_line":"    \u003c/Location\u003e"},{"line_number":32,"context_line":"    {% if not enable_haproxy | bool %}"},{"line_number":33,"context_line":"    \u003cLocation \"/server-status\"\u003e"},{"line_number":34,"context_line":"        Require local"},{"line_number":35,"context_line":"    \u003c/Location\u003e"},{"line_number":36,"context_line":"    {% endif %}"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"    Alias /static {{ python_path }}/static"},{"line_number":39,"context_line":"    \u003cLocation \"/static\"\u003e"}],"source_content_type":"text/x-jinja2","patch_set":11,"id":"713dc3f9_a18abdae","line":36,"range":{"start_line":32,"start_character":0,"end_line":36,"end_character":15},"updated":"2023-08-09 20:13:24.000000000","message":"what about other apache services ?","commit_id":"24298594dfe4b529f0d9b2ce578e6011715ff5c8"},{"author":{"_account_id":27339,"name":"Michal Arbet","email":"michal.arbet@ultimum.io","username":"michalarbet"},"change_message_id":"c67f55f32ffeb5a7668dd48adeff7266730357c4","unresolved":true,"context_lines":[{"line_number":29,"context_line":"    \u003cLocation \"/\"\u003e"},{"line_number":30,"context_line":"        Require 
all granted"},{"line_number":31,"context_line":"    \u003c/Location\u003e"},{"line_number":32,"context_line":"    {% if not enable_haproxy | bool %}"},{"line_number":33,"context_line":"    \u003cLocation \"/server-status\"\u003e"},{"line_number":34,"context_line":"        Require local"},{"line_number":35,"context_line":"    \u003c/Location\u003e"},{"line_number":36,"context_line":"    {% endif %}"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"    Alias /static {{ python_path }}/static"},{"line_number":39,"context_line":"    \u003cLocation \"/static\"\u003e"}],"source_content_type":"text/x-jinja2","patch_set":11,"id":"9bde9f8a_13b22b9d","line":36,"range":{"start_line":32,"start_character":0,"end_line":36,"end_character":15},"in_reply_to":"4cd7e4b0_f2782361","updated":"2023-08-09 21:14:47.000000000","message":"my assumption of this condition was based on the fact that we also have other services \"required all\" for server-status, since this is not the case, simply discard the condition - so we will have same setup for all services. 
(sorry)\n\nThen I am finally OK with this change.","commit_id":"24298594dfe4b529f0d9b2ce578e6011715ff5c8"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"bd2a241b150b667755e4ba94fb398f6820c62f57","unresolved":true,"context_lines":[{"line_number":29,"context_line":"    \u003cLocation \"/\"\u003e"},{"line_number":30,"context_line":"        Require all granted"},{"line_number":31,"context_line":"    \u003c/Location\u003e"},{"line_number":32,"context_line":"    {% if not enable_haproxy | bool %}"},{"line_number":33,"context_line":"    \u003cLocation \"/server-status\"\u003e"},{"line_number":34,"context_line":"        Require local"},{"line_number":35,"context_line":"    \u003c/Location\u003e"},{"line_number":36,"context_line":"    {% endif %}"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"    Alias /static {{ python_path }}/static"},{"line_number":39,"context_line":"    \u003cLocation \"/static\"\u003e"}],"source_content_type":"text/x-jinja2","patch_set":11,"id":"4cd7e4b0_f2782361","line":36,"range":{"start_line":32,"start_character":0,"end_line":36,"end_character":15},"in_reply_to":"713dc3f9_a18abdae","updated":"2023-08-09 20:19:07.000000000","message":"other apache services doesn\u0027t contain \u0027Require all granted\u0027 for \u0027/\u0027 so settings from /etc/apache2/mods-enabled/status.conf take place, and all work as expected.\nthe horizon only is affected, this also mentioned in commit message.","commit_id":"24298594dfe4b529f0d9b2ce578e6011715ff5c8"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"8154a0fdfd7a6cd84292f6a8e69d8cb27db5fd40","unresolved":false,"context_lines":[{"line_number":29,"context_line":"    \u003cLocation \"/\"\u003e"},{"line_number":30,"context_line":"        Require all granted"},{"line_number":31,"context_line":"    
\u003c/Location\u003e"},{"line_number":32,"context_line":"    {% if not enable_haproxy | bool %}"},{"line_number":33,"context_line":"    \u003cLocation \"/server-status\"\u003e"},{"line_number":34,"context_line":"        Require local"},{"line_number":35,"context_line":"    \u003c/Location\u003e"},{"line_number":36,"context_line":"    {% endif %}"},{"line_number":37,"context_line":""},{"line_number":38,"context_line":"    Alias /static {{ python_path }}/static"},{"line_number":39,"context_line":"    \u003cLocation \"/static\"\u003e"}],"source_content_type":"text/x-jinja2","patch_set":11,"id":"cbcfd315_cc125403","line":36,"range":{"start_line":32,"start_character":0,"end_line":36,"end_character":15},"in_reply_to":"9bde9f8a_13b22b9d","updated":"2023-08-09 21:19:20.000000000","message":"Done","commit_id":"24298594dfe4b529f0d9b2ce578e6011715ff5c8"}],"releasenotes/notes/horizon-deny-server-status-e96be2810b127a49.yaml":[{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"9f3962c0c3816f9dc3e63f5b355565f997492443","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the Horizon /server-status by default acceessed"},{"line_number":5,"context_line":"    through the HAProxy on the public endpoint."}],"source_content_type":"text/x-yaml","patch_set":3,"id":"4a293786_37604fcf","line":4,"range":{"start_line":4,"start_character":65,"end_line":4,"end_character":74},"updated":"2023-07-27 16:44:54.000000000","message":"accessed","commit_id":"32520bd4f1a0f036a9f7e45cca8c4c81800eb80e"},{"author":{"_account_id":14200,"name":"Maksim 
Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"032b1ffbe0790353c21daf44e9857979d3c1a72b","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the Horizon /server-status by default acceessed"},{"line_number":5,"context_line":"    through the HAProxy on the public endpoint."}],"source_content_type":"text/x-yaml","patch_set":3,"id":"62972c56_66d8e4ad","line":4,"range":{"start_line":4,"start_character":65,"end_line":4,"end_character":74},"in_reply_to":"4a293786_37604fcf","updated":"2023-07-27 17:26:57.000000000","message":"Done","commit_id":"32520bd4f1a0f036a9f7e45cca8c4c81800eb80e"}],"releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml":[{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"6d81c6d0c829735293269b50522151152aeb2ded","unresolved":true,"context_lines":[{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the http Openstack services exposed /server-status"},{"line_number":5,"context_line":"    by default through the HAProxy on the public endpoint. Fixes issue for"},{"line_number":6,"context_line":"    Ubuntu/Debian installations. 
RockyLinux/Centos not affected."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"426af81b_70164109","line":6,"range":{"start_line":5,"start_character":59,"end_line":6,"end_character":64},"updated":"2023-08-09 13:40:56.000000000","message":"That should be in the bug, not in reno.","commit_id":"dd248c6e9273b1bd22f7d592c343b59b8003bfaa"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"dc0a28c0fdedadd82d92ee6d1a54a34934a87553","unresolved":false,"context_lines":[{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the http Openstack services exposed /server-status"},{"line_number":5,"context_line":"    by default through the HAProxy on the public endpoint. Fixes issue for"},{"line_number":6,"context_line":"    Ubuntu/Debian installations. RockyLinux/Centos not affected."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"e58da4e6_8d43ade9","line":6,"range":{"start_line":5,"start_character":59,"end_line":6,"end_character":64},"in_reply_to":"1e331fbc_fb608716","updated":"2023-08-09 13:47:04.000000000","message":"Ack","commit_id":"dd248c6e9273b1bd22f7d592c343b59b8003bfaa"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"d245ab02b6b05746c8607aad0932e3842d4241ce","unresolved":true,"context_lines":[{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the http Openstack services exposed /server-status"},{"line_number":5,"context_line":"    by default through the HAProxy on the public endpoint. Fixes issue for"},{"line_number":6,"context_line":"    Ubuntu/Debian installations. 
RockyLinux/Centos not affected."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"1e331fbc_fb608716","line":6,"range":{"start_line":5,"start_character":59,"end_line":6,"end_character":64},"in_reply_to":"426af81b_70164109","updated":"2023-08-09 13:41:17.000000000","message":"and a link to the bug in LP please","commit_id":"dd248c6e9273b1bd22f7d592c343b59b8003bfaa"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"24c4f65fd6ea849bb510cbf1af4bd38e42bb264c","unresolved":false,"context_lines":[{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the http Openstack services exposed /server-status"},{"line_number":5,"context_line":"    by default through the HAProxy on the public endpoint. Fixes issue for"},{"line_number":6,"context_line":"    Ubuntu/Debian installations. RockyLinux/Centos not affected."}],"source_content_type":"text/x-yaml","patch_set":8,"id":"219bbe1d_f6c6ccb1","line":6,"range":{"start_line":5,"start_character":59,"end_line":6,"end_character":64},"in_reply_to":"e58da4e6_8d43ade9","updated":"2023-08-09 13:50:46.000000000","message":"Done","commit_id":"dd248c6e9273b1bd22f7d592c343b59b8003bfaa"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"2e700446e8955becc626d56fa5757c7699753f04","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the http Openstack services exposed /server-status"},{"line_number":5,"context_line":"    by default through the HAProxy on the public endpoint. 
Fixes issue for"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"d01f1abf_39a12c21","line":2,"range":{"start_line":2,"start_character":0,"end_line":2,"end_character":5},"updated":"2023-08-10 08:57:31.000000000","message":"imho this should be highlighted as a \"security\" fix because the exposed information can clearly be used for reconnaissance/information gathering in targeted attacks, e.g. for DDoS.","commit_id":"07204392959fb3164b449caaae281d46d50bf097"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"69285469ec3d55ce5e56fe0ba6399d3cf63d2757","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the http Openstack services exposed /server-status"},{"line_number":5,"context_line":"    by default through the HAProxy on the public endpoint. Fixes issue for"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"50367a06_7d8c1fab","line":2,"range":{"start_line":2,"start_character":0,"end_line":2,"end_character":5},"in_reply_to":"1433f7b6_385f6cf9","updated":"2023-08-10 11:59:32.000000000","message":"Done","commit_id":"07204392959fb3164b449caaae281d46d50bf097"},{"author":{"_account_id":14200,"name":"Maksim Malchuk","email":"maksim.malchuk@gmail.com","username":"mmalchuk"},"change_message_id":"4ff769fb55301cc99742660c1bc69d1331b4fc98","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the http Openstack services exposed /server-status"},{"line_number":5,"context_line":"    by default through the HAProxy on the public endpoint. 
Fixes issue for"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"d48f7262_5eab344d","line":2,"range":{"start_line":2,"start_character":0,"end_line":2,"end_character":5},"in_reply_to":"d01f1abf_39a12c21","updated":"2023-08-10 09:10:35.000000000","message":"it was marked as security, but changed to a bug fix as requested in patchset 8","commit_id":"07204392959fb3164b449caaae281d46d50bf097"},{"author":{"_account_id":32553,"name":"Sven Kieske","email":"sven_oss@posteo.de","username":"skieske"},"change_message_id":"5cdcf9d1375e94e99655f2c4bd79a44216921c62","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Restrict the access to the http Openstack services exposed /server-status"},{"line_number":5,"context_line":"    by default through the HAProxy on the public endpoint. Fixes issue for"}],"source_content_type":"text/x-yaml","patch_set":13,"id":"1433f7b6_385f6cf9","line":2,"range":{"start_line":2,"start_character":0,"end_line":2,"end_character":5},"in_reply_to":"d48f7262_5eab344d","updated":"2023-08-10 11:58:27.000000000","message":"NACK","commit_id":"07204392959fb3164b449caaae281d46d50bf097"}]}
