smokescreen: Default to only listening on 127.0.0.1.

This prevents Smokescreen from acting as an open proxy.

Fixes #19214.
This commit is contained in:
Alex Vandiver 2021-07-14 14:54:15 -07:00 committed by Alex Vandiver
parent e0faa9699d
commit 528e5adaab
3 changed files with 12 additions and 1 deletions

View File

@ -254,6 +254,11 @@ To use Smokescreen:
port = 4750 port = 4750
``` ```
1. If you intend to also make the Smokescreen install available to
other hosts, set `listen_address` in the same block. Note that you
must control access to the Smokescreen port if you do this, as
failing to do so opens a public HTTP proxy!
1. As root, run 1. As root, run
`/home/zulip/deployments/current/scripts/zulip-puppet-apply`. This `/home/zulip/deployments/current/scripts/zulip-puppet-apply`. This
will compile and install Smokescreen, reconfigure services to use will compile and install Smokescreen, reconfigure services to use
@ -665,3 +670,8 @@ proxy](#using-an-outgoing-http-proxy).
#### `port` #### `port`
The TCP port of the HTTP `CONNECT` proxy on the host specified above. The TCP port of the HTTP `CONNECT` proxy on the host specified above.
#### `listen_address`
The IP address that Smokescreen should bind to and listen on.
Defaults to `127.0.0.1`.

View File

@ -42,6 +42,7 @@ class zulip::profile::smokescreen {
notify => Service[supervisor], notify => Service[supervisor],
} }
$listen_address = zulipconf('http_proxy', 'listen_address', '127.0.0.1')
file { "${zulip::common::supervisor_conf_dir}/smokescreen.conf": file { "${zulip::common::supervisor_conf_dir}/smokescreen.conf":
ensure => file, ensure => file,
require => [ require => [

View File

@ -1,5 +1,5 @@
[program:smokescreen] [program:smokescreen]
command=/usr/local/bin/smokescreen-<%= @version %> command=/usr/local/bin/smokescreen-<%= @version %> --listen-ip <%= @listen_address %>
priority=15 priority=15
autostart=true autostart=true
autorestart=true autorestart=true