Do not provide example integrations as classes #414
+203
−1,077
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The module configure PuppetBoard, but also has classes to setup Apache configuration to serve it. Unfortunately, such configuration is very site specific, and providing it in the module confuse users who discover that their setup is exposed to the internet without authentication. At some point, LDAP authentication was added which partially fix the issue, but only for users who can authenticate their users with LDAP. It is also quite common to use the Puppet CA to authenticate clients, or use Passenger instead of wsgi, or use another web server than apache, and any combination of this, making a generic solution not viable. Remove all these apache-specific examples from the module classes, and provide examples configuration for different setups. It will be easier to add new integration examples by just dropping more files in the example directory, without cluttering the module with complex mostly private code.
|
Hopefully this will help to avoid the number of PuppetBoard instances exposed on the Internet to continue to be so common. Here is a report from shodan for the trend of the number of results for the search "http.title:puppetboard"
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The module configure PuppetBoard, but also has classes to setup Apache
configuration to serve it. Unfortunately, such configuration is very
site specific, and providing it in the module confuse users who discover
that their setup is exposed to the internet without authentication.
At some point, LDAP authentication was added which partially fix the
issue, but only for users who can authenticate their users with LDAP.
It is also quite common to use the Puppet CA to authenticate clients,
or use Passenger instead of wsgi, or use another web server than apache,
and any combination of this, making a generic solution not viable.
Remove all these apache-specific examples from the module classes, and
provide examples configuration for different setups. It will be easier
to add new integration examples by just dropping more files in the
example directory, without cluttering the module with complex mostly
private code.