Update the MAAS proxy to only allow source addresses from the POD management network
Change-Id: Idb27386d284f294193248020a391a4cb17e0d0f1
(cherry picked from commit acd218afbc1751147572d9c37c1f62f00c78da73)
diff --git a/roles/maas/tasks/main.yml b/roles/maas/tasks/main.yml
index c5c4642..f9cae50 100644
--- a/roles/maas/tasks/main.yml
+++ b/roles/maas/tasks/main.yml
@@ -197,6 +197,21 @@
tags:
- switch_support
+- name: Disable Proxy Access To All
+ become: yes
+ replace:
+ dest: /usr/share/maas/maas-proxy.conf
+ regexp: '^(acl localnet src all.*)$'
+ replace: '# \1'
+
+- name: Only Allow Proxy Access To POD Management Network
+ become: yes
+ lineinfile:
+ insertafter: '^# acl localnet src all'
+ line: "acl localnet src {{ networks.management }} # Only allow the POD management network to use proxy"
+ dest: /usr/share/maas/maas-proxy.conf
+ state: present
+
- name: Restart MAAS Services
become: yes
service:
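Review bot: The restriction only takes effect if the shipped file contains a line starting `acl localnet src all`. If it does not (a different MAAS package version, for example), the `replace` task changes nothing, `lineinfile` falls back to appending the new ACL at end of file, and whatever sources `localnet` already allowed stay allowed with no task failing. The `lineinfile` task also has no `regexp`, so a re-run after `networks.management` changes adds a second `acl localnet src` line and the old network keeps proxy access; adding `regexp: '^acl localnet src '` would make the task replace the line it owns. `/usr/share/maas/maas-proxy.conf` looks like a package-shipped file, so an upgrade may restore the allow-all line, which is worth confirming. The `Restart MAAS Services` task is cut off by the hunk, so whether it restarts the proxy itself is not visible here.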