From dc7d020e21ec622f0225da2bf9c44ce50c3360b8 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sat, 22 Jul 2017 11:32:04 +0000
Subject: [PATCH] Fix fedpkg double uploads by abusing the krb5 replay cache being local

Signed-off-by: Patrick Uiterwijk
---
playbooks/include/proxies-fedora-web.yml | 2 +
roles/fedora-web/src/tasks/main.yml | 12 +++++
.../templates/reversepassproxy.src.conf | 46 +++++++++++++++++++
3 files changed, 60 insertions(+)
create mode 100644 roles/fedora-web/src/tasks/main.yml
create mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.src.conf

diff --git a/playbooks/include/proxies-fedora-web.yml b/playbooks/include/proxies-fedora-web.yml
index 119a62de5c..3b404ad5ec 100644
--- a/playbooks/include/proxies-fedora-web.yml
+++ b/playbooks/include/proxies-fedora-web.yml
@@ -49,6 +49,8 @@ website: codecs.fedoraproject.org - role: fedora-web/alt website: alt.fedoraproject.org + - role: fedora-web/src + website: src.fedoraproject.org # Some other static content, not strictly part of "fedora-web" goes below here - role: fedora-docs/proxy
diff --git a/roles/fedora-web/src/tasks/main.yml b/roles/fedora-web/src/tasks/main.yml
new file mode 100644
index 0000000000..3c1f0d5e1f
--- /dev/null
+++ b/roles/fedora-web/src/tasks/main.yml
@@ -0,0 +1,12 @@
+# For info, check roles/httpd/reverseproxy/templates/reversepassproxy.src.conf
+- name: Install the pkgs keytab
+ file: src="{{ private }}/files/keytabs/{{env}}/pkgs"
+ dest=/etc/pkgs.keytab
+ owner=apache
+ group=apache
+ mode=0600
+ notify:
+ - reloadhttpd
+ tags:
+ - fedora-web
+ - fedora-web/src
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.src.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.src.conf
new file mode 100644
index 0000000000..023b4d2ffc
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.src.conf
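Review bot: The `file:` module in the "Install the pkgs keytab" task of roles/fedora-web/src/tasks/main.yml does not transfer content, since its `src` argument applies only to link states. As written the task would at best set owner and mode on an already existing `/etc/pkgs.keytab` and would not install the key from `{{ private }}`. Changing the module line to `copy: src="{{ private }}/files/keytabs/{{env}}/pkgs"` with the remaining arguments unchanged installs it with the intended `0600` apache-only permissions. Because this file is the pkgs service key and now lands on every host that carries the `fedora-web/src` role, a comment above the task such as `# pkgs service key: rotating it means redeploying to pkgs and all proxies` would help whoever has to re-key.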
@@ -0,0 +1,46 @@
+{% if rewrite %}
+RewriteEngine On
+RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
+
+{% endif %}
+{% if header_scheme %}
+RequestHeader set X-Forwarded-Scheme https early
+RequestHeader set X-Scheme https early
+RequestHeader set X-Forwarded-Proto https early
+
+{% endif %}
+{% if header_expect %}
+RequestHeader unset Expect early
+
+{% endif %}
+{% if keephost %}
+ProxyPreserveHost On
+{% endif %}
+
+# If you are a krb5 purist, please skip this.
+# This is (ab)using the fact that krb5 replay cache is local to a server to protect against local attacks
+# while having an auth check on the proxies.
+# This is done because when fedpkg uploads a tarball, PycURL first sends an Expect: 100-Continue, but
+# unless the proxy is aware of the auth requirement, it will send the 100-Continue immediately, after
+# which the request will still fail (because pkgs will require auth).
+# What we do here is make the proxies require GSSAPI auth with the same keytab that pkgs uses.
+# As a consequence, the auth request is made by the proxies, avoiding the 100-Continue that causes
+# files to be uploaded twice.
+# However, I did not want to make the proxies send a plain HTTP header, since this means that whenever
+# someone gets into the local network, they could send their own request to the pkgs server, which will
+# then trust any username header (terrible idea, see CVE-2016-1000038).
+# So, instead, I just depend on mod_proxy forwarding the Authorization: Negotiate header that the client
+# sends on to pkgs, which will then *again* start a new GSSAPI security context and that way
+# authenticate the user on its own accord.
+# This depends on the fact that the krb5 replace cache is local, since both the terminating proxy *and*
+# pkgs will accept the GSSAPI security context.
+
+
+ AuthType GSSAPI
+ AuthName "GSSAPI Single Sign On Login"
+ GssapiCredStore keytab:/etc/pkgs.keytab
+ Require valid-user
+
+
+ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
+ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
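Review bot: The comment block explains why the Negotiate token is forwarded but not what the shared keytab costs. With `GssapiCredStore keytab:/etc/pkgs.keytab`, every proxy rendering this template holds the pkgs service key, and because each host keeps its own replay cache the same `Authorization: Negotiate` token is accepted once per host rather than once overall. I would record both next to the directive, e.g. `# NOTE: this puts the pkgs service key on every proxy; a proxy compromise means re-keying pkgs.` and `# The proxy->pkgs hop must be TLS: a forwarded token is still accepted by other hosts sharing this key until it expires.` Whether `{{ proxyurl }}` is https is not visible in this hunk and should be confirmed. The phrase "krb5 replace cache" near the end of the comment presumably means "replay cache".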