[ZBXNEXT-4181] Zabbix proxy should check server ip in passive mode Created: 2011 Aug 30 Updated: 2024 Apr 10 Resolved: 2017 Oct 16 |
|
| Status: | Closed |
| Project: | ZABBIX FEATURE REQUESTS |
| Component/s: | API (A), Proxy (P), Server (S) |
| Affects Version/s: | None |
| Fix Version/s: | 4.0.0alpha1, 4.0 (plan) |
| Type: | New Feature Request | Priority: | Major |
| Reporter: | Ghozlane TOUMI | Assignee: | Unassigned |
| Resolution: | Fixed | Votes: | 5 |
| Labels: | passiveproxy, proxy | ||
| Σ Remaining Estimate: | Not Specified | Remaining Estimate: | Not Specified |
| Σ Time Spent: | Not Specified | Time Spent: | Not Specified |
| Σ Original Estimate: | Not Specified | Original Estimate: | Not Specified |
| Issue Links: |
|
||||||||||
| Sub-Tasks: |
|
||||||||||
| Team: |  Team A |
||||||||||
| Sprint: | Sprint 18, Sprint 32 | ||||||||||
| Story Points: | 0 | ||||||||||
| Description |
|
According to the documentation, the configuration parameter 'server' is not used by the proxy in passive mode. I didn't check the source, so it may be a simple documentation error. (in the wiki and default proxy config) |
| Comments |
| Comment by Aleksandrs Saveljevs [ 2011 Nov 07 ] |
|
Could you please link to the documentation page that seems suspicious for you? For instance, http://www.zabbix.com/documentation/2.0/manual/appendix/config/zabbix_proxy says the following about "Server" configuration parameter, which looks alright to me: "IP address (or hostname) of Zabbix server. Active Proxy will get configuration data from the server. For a proxy in the passive mode this parameter will be ignored." |
| Comment by richlv [ 2011 Nov 07 ] |
|
as i understood this, issue is about passive proxy working same as other daemons and only accepting connections from addresses, specified in the "Server" parameter. |
| Comment by Ghozlane TOUMI [ 2011 Nov 08 ] |
|
Correct, |
| Comment by Aleksandrs Saveljevs [ 2011 Nov 08 ] |
|
Thanks! Currently, passive proxy does not check server IP address. Reopening. |
| Comment by richlv [ 2012 Mar 02 ] |
|
|
| Comment by Glebs Ivanovskis (Inactive) [ 2017 Mar 29 ] |
|
ZBXNEXT-1486 is related. |
| Comment by Vladislavs Sokurenko [ 2017 Oct 13 ] |
|
Fixed in:
|
| Comment by Volker Fröhlich [ 2018 Apr 17 ] |
|
I think this is the issue that CVE is about: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0327 Do you consider backporting this? vso please consider using encryption, there is no vulnerability in that case. As far as I know it is not planned to backport because it requires database changes. |
| Comment by richlv [ 2018 Apr 17 ] |
|
interestingly enough, neither this issue, nor the spec actually talk about limiting what active proxies can request from the server, but the changelog has :
|
| Comment by richlv [ 2018 Apr 17 ] |
|
(1) server limiting active proxies is not mentioned in the upgrade notes. this is important, as it will break things for people who use scripts on the server to send data for hosts, monitored by a proxy. ...but it looks like this is optional and documented in whatsnew instead. the development is confusing and does not match the specification. vso this was old specification, removed comment to avoid confussion, Won't Fix <richlv> There's a specification link in the issue description. Is that the specification that was used? What about the new active proxy limitation missing from the upgrade notes? vso new active proxy limitation is optional, so it's missing from upgrade notes as nothing to worry about. No this specification was not used. <richlv> Thank you for the answer. Previously the Server parameter was ignored, thus for somebody who had it specified an upgrade would change the behaviour. Is that correct? vso I yes, please see following link: <richlv> Thank you for the description update. CLOSED |