MK8S-25: Disable HTTP directory listing for RPM repository

rdebay-scality · rdebay-scality · commit 5ff8f6e29ce5 · 2025-10-01T13:54:13.000+02:00
Security fix to prevent exposing repository structure on port 8080.

- Changed autoindex from on to off in nginx configuration.
- Use nginx location directives to return 200 for health checks instead of index files
  This maintains the original health check functionality while preventing
  directory structure exposure.

The nginx location = / and location = /saltenv/ directives handle health
check requests with 200 status, while location / handles all other requests
with autoindex off for security.

The nginx.conf.j2 template uses the archives variable to generate
location directives for each saltenv, but the variable wasn't being
passed in the template context. This caused Salt unit tests to fail.

The creation of index.html files was tried but it creates a chicken and
egg issue during the container startup when the files were not present.
Plus this approach is much more simple, no code, not so much salt, only
plain configuration.

Related: RD-680
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,9 @@
 
 ### Bug Fixes
 
+- Disable HTTP directory listing for RPM repository to improve security
+  (PR[#4651](https://github.com/scality/metalk8s/pull/4651))
+
 - Fix a Bug where NodeSystemSaturation alert triggers too early after only 15 minutes of high load
   (PR[#4641](https://github.com/scality/metalk8s/pull/4641))
 
diff --git a/salt/metalk8s/repo/configured.sls b/salt/metalk8s/repo/configured.sls
@@ -15,6 +15,7 @@ Generate repositories nginx configuration:
     - defaults:
         listening_address: {{ grains.metalk8s.control_plane_ip }}
         listening_port: {{ repo.port }}
+        archives: {{ archives }}
 
 Deploy common container registry nginx configuration:
   file.managed:
diff --git a/salt/metalk8s/repo/files/nginx.conf.j2 b/salt/metalk8s/repo/files/nginx.conf.j2
@@ -2,9 +2,24 @@ server {
     listen       {{ listening_address }}:{{ listening_port }};
     server_name  localhost;
 
+    # Return 200 OK for root path health checks
+    location = / {
+        return 200 '';
+        add_header Content-Type text/plain;
+    }
+
+    # Return 200 OK for saltenv path health checks
+    {%- for env in archives.keys() %}
+    location = /{{ env }}/ {
+        return 200 '';
+        add_header Content-Type text/plain;
+    }
+    {%- endfor %}
+
     location / {
         root   /var/www/repositories;
-        autoindex on;
+        # Security fix: Disable directory listing to prevent exposing repository structure
+        autoindex off;
     }
 
     include conf.d/*.inc;
diff --git a/salt/metalk8s/repo/installed.sls b/salt/metalk8s/repo/installed.sls
@@ -100,6 +100,5 @@ Wait for Repositories container to answer:
    - name: http://{{ grains.metalk8s.control_plane_ip }}:{{
      repo.port }}/{{ saltenv }}/
    - status: 200
-   - request_interval: 1
    - require:
      - module: Ensure repositories container is up
diff --git a/salt/tests/unit/formulas/config.yaml b/salt/tests/unit/formulas/config.yaml
@@ -882,6 +882,7 @@ metalk8s:
             extra_context:
               listening_address: "10.0.0.1"
               listening_port: 8080
+              archives: *example_archives
 
       repositories-manifest.yaml.j2:
         _cases:
