Add environment variable to set proxy bind address (#293)

This patch adds the environment variable PROXY_BIND which can be optionally set to override the default that binds to "*". Binding on all addresses may inadvertently expose the proxy service when run on a node that also has public interfaces such as a bare metal openstack infrastructure node, or a network node. Co-authored-by: Jonathan Rosser <[email protected]>
vexxhost · Mar 7, 2024 · f896818 · f896818
1 parent 50a2c27
commit f896818
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/magnum_cluster_api/proxy/manager.py b/magnum_cluster_api/proxy/manager.py
@@ -45,6 +45,7 @@ def __init__(self):
         self.haproxy_port = utils.find_free_port(
             port_hint=int(os.getenv("PROXY_PORT", 0))
         )
+        self.haproxy_bind = os.getenv("PROXY_BIND", "*")
         self.haproxy_pid = None
 
     def periodic_tasks(self, context, raise_on_error=False):
@@ -55,6 +56,7 @@ def _sync_haproxy(self, proxied_clusters: list):
         config = self.template.render(
             pid_file=CONF.proxy.haproxy_pid_path,
             port=self.haproxy_port,
+            bind=self.haproxy_bind,
             clusters=proxied_clusters,
         )
 

diff --git a/magnum_cluster_api/proxy/templates/haproxy.cfg.j2 b/magnum_cluster_api/proxy/templates/haproxy.cfg.j2
@@ -11,7 +11,7 @@ defaults
   timeout server  10s
 
 frontend magnum
-  bind *:{{ port }}
+  bind {{ bind }}:{{ port }}
   tcp-request inspect-delay 5s
   tcp-request content accept if { req.ssl_hello_type 1 }
   use_backend %[req.ssl_sni,lower]