Merge "Deny access to server-status via single frontend" into stable/2025.1

Zuul · openstack-gerrit · commit 3293f54dbd70 · 2025-08-29T14:36:17.000Z
diff --git a/ansible/roles/loadbalancer/templates/haproxy/haproxy_external_frontend.cfg.j2 b/ansible/roles/loadbalancer/templates/haproxy/haproxy_external_frontend.cfg.j2
@@ -9,3 +9,4 @@ frontend external_frontend
     http-request set-header X-Forwarded-Proto https if { ssl_fc }
     bind {{ kolla_external_vip_address }}:{{ haproxy_external_single_frontend_public_port }} {{ external_tls_bind_info }}
     use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/external-frontend-map,{{ haproxy_external_single_frontend_default_backend }})]
+    http-request deny if { path -i -m beg /server-status }
diff --git a/releasenotes/notes/deny-server-status-via-single-frontend-33bbf3b9688a9ae4.yaml b/releasenotes/notes/deny-server-status-via-single-frontend-33bbf3b9688a9ae4.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Deny access to /server-status via the single frontend.
+    `LP#2121626 <https://bugs.launchpad.net/kolla-ansible/+bug/2121626>`__
