From 5a60b3887ca88c65c8864ba82311544f4e7b40cf Mon Sep 17 00:00:00 2001
From: Remi Debay
Date: Mon, 1 Sep 2025 14:21:16 +0200
Subject: [PATCH] MK8S-25: Disable HTTP directory listing for RPM repository Security fix to prevent exposing repository structure on port 8080. - Changed autoindex from on to off in nginx configuration. - Use nginx location directives to return 200 for health checks instead of index files This maintains the original health check functionality while preventing directory structure exposure. The nginx location = / and location = /saltenv/ directives handle health check requests with 200 status, while location / handles all other requests with autoindex off for security. The nginx.conf.j2 template uses the archives variable to generate location directives for each saltenv, but the variable wasn't being passed in the template context. This caused Salt unit tests to fail. The creation of index.html files was tried but it creates a chicken and egg issue during the container startup when the files were not present. Plus this approach is much more simple, no code, not so much salt, only plain configuration. Related: RD-680
---
 CHANGELOG.md | 3 +++
 salt/metalk8s/repo/configured.sls | 1 +
 salt/metalk8s/repo/files/nginx.conf.j2 | 17 ++++++++++++++++-
 salt/tests/unit/formulas/config.yaml | 1 +
 4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 889322dbe4..864e11a0c6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,9 @@
 ### Bug Fixes
+- Disable HTTP directory listing for RPM repository to improve security (PR[#4651](https://github.com/scality/metalk8s/pull/4651))
+
 - Fix a Bug where NodeSystemSaturation alert triggers too early after only 15 minutes of high load (PR[#4641](https://github.com/scality/metalk8s/pull/4641))
diff --git a/salt/metalk8s/repo/configured.sls b/salt/metalk8s/repo/configured.sls
index f02a7f41a5..6a1106c91f 100644
--- a/salt/metalk8s/repo/configured.sls
+++ b/salt/metalk8s/repo/configured.sls
@@ -15,6 +15,7 @@ Generate repositories nginx configuration:
 - defaults:
 listening_address: {{ grains.metalk8s.control_plane_ip }}
 listening_port: {{ repo.port }}
+ archives: {{ archives }}
 Deploy common container registry nginx configuration:
 file.managed:
diff --git a/salt/metalk8s/repo/files/nginx.conf.j2 b/salt/metalk8s/repo/files/nginx.conf.j2
index bc7c745860..682af15840 100644
--- a/salt/metalk8s/repo/files/nginx.conf.j2
+++ b/salt/metalk8s/repo/files/nginx.conf.j2
@@ -2,9 +2,24 @@ server {
 listen {{ listening_address }}:{{ listening_port }};
 server_name localhost;
+ # Return 200 OK for root path health checks
+ location = / {
+ return 200 '';
+ add_header Content-Type text/plain;
+ }
+
+ # Return 200 OK for saltenv path health checks
+ {%- for env in archives.keys() %}
+ location = /{{ env }}/ {
+ return 200 '';
+ add_header Content-Type text/plain;
+ }
+ {%- endfor %}
+
 location / {
 root /var/www/repositories;
- autoindex on;
+ # Security fix: Disable directory listing to prevent exposing repository structure
+ autoindex off;
 }
 include conf.d/*.inc;
diff --git a/salt/tests/unit/formulas/config.yaml b/salt/tests/unit/formulas/config.yaml
index b89a6ff1ba..5ae6c3a6cd 100644
--- a/salt/tests/unit/formulas/config.yaml
+++ b/salt/tests/unit/formulas/config.yaml
@@ -882,6 +882,7 @@ metalk8s:
 extra_context:
 listening_address: "10.0.0.1"
 listening_port: 8080
+ archives: *example_archives
 repositories-manifest.yaml.j2:
 _cases:
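Review bot: The added `archives: {{ archives }}` line in the `defaults:` mapping renders the dict through Jinja's default string conversion, i.e. a Python repr such as `{'name': {'key': 'value'}}`, which Salt then re-parses as YAML flow syntax; that round-trips for plain string values but would mis-parse entries containing `None`, booleans or quotes, and what the `archives` map holds is not visible here. Salt's Jinja provides a `json` filter, so `archives: {{ archives | json }}` produces a form YAML always reads back unambiguously. The enclosing state `Generate repositories nginx configuration:` starts outside the hunk.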
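Review bot: `add_header Content-Type text/plain;` in the new `location = /` block, and again in each block emitted by the `{%- for env in archives.keys() %}` loop, appends a Content-Type header rather than replacing the one nginx derives from `default_type`, so the health-check responses carry two Content-Type values. For a `return`-only location the directive that sets the type is `default_type text/plain;`, so `add_header Content-Type text/plain;` should become `default_type text/plain;` in both places. Whether the health-check client inspects the content type is not visible in this patch, so this may only be a correctness nit. The `# Security fix` comment would also be more useful if it stated the observable effect: with `autoindex off` and no index files, a request for any directory other than `/` and the generated `/<saltenv>/` paths should now receive 403 instead of a listing, which is what operators will see when probing the repository after the change.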