Deny access to server-status via single frontend

jackhodgkiss · Alex-Welsh · commit cc026038948d · 2025-09-01T09:12:33.000+01:00
This change denies access to `server-status` when the using `single frontend` configuration for public API services with `HAProxy`. Closes-Bug: #2121626 Change-Id: I447212df92c0da4248e44f652fc66c7381a404bb Signed-off-by: Jack Hodgkiss <jack@stackhpc.com> (cherry picked from commit 6eae55b)
diff --git a/ansible/roles/loadbalancer/templates/haproxy/haproxy_external_frontend.cfg.j2 b/ansible/roles/loadbalancer/templates/haproxy/haproxy_external_frontend.cfg.j2
@@ -9,3 +9,4 @@ frontend external_frontend
     http-request set-header X-Forwarded-Proto https if { ssl_fc }
     bind {{ kolla_external_vip_address }}:{{ haproxy_external_single_frontend_public_port }} {{ external_tls_bind_info }}
     use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/external-frontend-map,{{ haproxy_external_single_frontend_default_backend }})]
+    http-request deny if { path -i -m beg /server-status }
diff --git a/releasenotes/notes/deny-server-status-via-single-frontend-33bbf3b9688a9ae4.yaml b/releasenotes/notes/deny-server-status-via-single-frontend-33bbf3b9688a9ae4.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Deny access to /server-status via the single frontend.
+    `LP#2121626 <https://bugs.launchpad.net/kolla-ansible/+bug/2121626>`__
