From da999f7e0105cf73cb5fea686afd30a7662a6dd7 Mon Sep 17 00:00:00 2001
From: Onur Filiz
Date: Tue, 21 Nov 2017 12:57:14 -0800
Subject: [PATCH 1/2] Bind credential listener to localhost
---
 agent/config/config.go | 3 +++
 agent/handlers/credentials/handler.go | 2 +-
 misc/windows-deploy/hostsetup.ps1 | 3 ++-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/agent/config/config.go b/agent/config/config.go
index eb125182776..a754ab45148 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
@@ -45,6 +45,9 @@ const (
 // AgentCredentialsPort is used to serve the credentials for tasks.
 AgentCredentialsPort = 51679
+ // AgentCredentialsAddress is used to serve the credentials for tasks.
+ AgentCredentialsAddress = "127.0.0.1"
+
 // defaultConfigFileName is the default (json-formatted) config file
 defaultConfigFileName = "/etc/ecs_container_agent/config.json"
diff --git a/agent/handlers/credentials/handler.go b/agent/handlers/credentials/handler.go
index dc5d27b1867..26a5b08f020 100644
--- a/agent/handlers/credentials/handler.go
+++ b/agent/handlers/credentials/handler.go
@@ -106,7 +106,7 @@ func setupServer(credentialsManager credentials.Manager, auditLogger audit.Audit
 loggingServeMux.Handle("/", handlers.NewLoggingHandler(serverMux))
 server := http.Server{
- Addr: ":" + strconv.Itoa(config.AgentCredentialsPort),
+ Addr: config.AgentCredentialsAddress + ":" + strconv.Itoa(config.AgentCredentialsPort),
 Handler: loggingServeMux,
 ReadTimeout: readTimeout,
 WriteTimeout: writeTimeout,
diff --git a/misc/windows-deploy/hostsetup.ps1 b/misc/windows-deploy/hostsetup.ps1
index 9fddd3eb8c1..8960dad3e12 100644
--- a/misc/windows-deploy/hostsetup.ps1
+++ b/misc/windows-deploy/hostsetup.ps1
@@ -19,6 +19,7 @@ $ErrorActionPreference = 'Continue'
 # 169.254.170.2:51679 is the IP address used for task IAM roles.
 $credentialAddress = "169.254.170.2"
 $credentialPort = "51679"
+$loopbackAddress = "127.0.0.1"
 $adapter = (Get-NetAdapter -Name "*APIPA*")
 if(!($adapter)) {
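Review bot: The doc comment on the new `AgentCredentialsAddress` constant is a verbatim copy of the one on `AgentCredentialsPort` and never says what the value actually is, which matters because handler.go splices it straight into the listen address; `// AgentCredentialsAddress is the host (interface address) the credentials listener binds to; the port is AgentCredentialsPort.` would say it. The second patch in this series carries the same copied comment into config_unix.go and config_windows.go, so once this hunk is reverted the wording should be fixed in those two places instead.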
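Review bot: The new `Addr` line builds the listen address by string concatenation, which breaks for an IPv6 literal host and hides the fact that an empty host means every interface; `Addr: net.JoinHostPort(config.AgentCredentialsAddress, strconv.Itoa(config.AgentCredentialsPort)),` handles both and still yields `:51679` for an empty host, so current Linux behaviour is unchanged (add `net` to the imports if the file does not have it yet). Because the empty-host case leaves the credentials endpoint reachable on every interface of the host, a short comment at the `http.Server` literal saying that reachability is then governed by host-level network controls outside this file would help the next reader. `setupServer` begins and ends outside the hunk.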
@@ -45,7 +46,7 @@ if(!($ip)) {
 # This forwards traffic from port 80 and listens on the IAM role IP address.
 # 'portproxy' doesn't have a powershell module equivalent, but we could move if it becomes available.
- netsh interface portproxy add v4tov4 listenaddress=$credentialAddress listenport=80 connectaddress=$credentialAddress connectport=$credentialPort
+ netsh interface portproxy add v4tov4 listenaddress=$credentialAddress listenport=80 connectaddress=$loopbackAddress connectport=$credentialPort
 }
 $ErrorActionPreference=$oldActionPref
From fc7e2192b71836b3018e16c71723daac49f01443 Mon Sep 17 00:00:00 2001
From: Samuel Karp
Date: Tue, 21 Nov 2017 15:24:26 -0800
Subject: [PATCH 2/2] config: preserve current behavior for Linux
---
 agent/config/config.go | 3 ---
 agent/config/config_unix.go | 2 ++
 agent/config/config_windows.go | 3 +++
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/agent/config/config.go b/agent/config/config.go
index a754ab45148..eb125182776 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
@@ -45,9 +45,6 @@ const (
 // AgentCredentialsPort is used to serve the credentials for tasks.
 AgentCredentialsPort = 51679
- // AgentCredentialsAddress is used to serve the credentials for tasks.
- AgentCredentialsAddress = "127.0.0.1"
-
 // defaultConfigFileName is the default (json-formatted) config file
 defaultConfigFileName = "/etc/ecs_container_agent/config.json"
diff --git a/agent/config/config_unix.go b/agent/config/config_unix.go
index fa35d366f4b..27139f9870b 100644
--- a/agent/config/config_unix.go
+++ b/agent/config/config_unix.go
@@ -21,6 +21,8 @@ import (
 )
 const (
+ // AgentCredentialsAddress is used to serve the credentials for tasks.
+ AgentCredentialsAddress = "" // this is left blank right now for net=bridge
 // defaultAuditLogFile specifies the default audit log filename
 defaultCredentialsAuditLogFile = "/log/audit.log"
 // Default cgroup prefix for ECS tasks
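Review bot: The comment above the changed `netsh` line, `# This forwards traffic from port 80 and listens on the IAM role IP address.`, no longer describes the rule: the connect target is now the loopback listener rather than the IAM-role address, and a reader needs to know the agent must be bound on `$loopbackAddress:$credentialPort` for the proxy to work. Suggested wording: `# Listen on the IAM role IP address (port 80) and forward to the agent's credentials listener on loopback ($loopbackAddress:$credentialPort).` The comment in this file's first hunk, `# 169.254.170.2:51679 is the IP address used for task IAM roles.`, has the same problem and should probably say that tasks reach 169.254.170.2:80 while 51679 is served only on loopback. `$loopbackAddress` also duplicates the Go constant `AgentCredentialsAddress` in config_windows.go; if either side changes the proxy forwards to a port nothing listens on, so a comment pointing at the other side would help.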
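Review bot: The new constant's doc comment does not say what an empty value does: an `http.Server` whose address is `:51679` listens on every interface, so on Linux the credentials endpoint stays reachable from any network the host is attached to, and the reason is only hinted at by the trailing `// this is left blank right now for net=bridge`. Fold that into the doc comment and state the effect, e.g. `// AgentCredentialsAddress is the host the credentials listener binds to.` / `// It is empty on Linux so the listener accepts connections on every interface,` / `// which is currently needed for tasks using net=bridge; see config_windows.go for the loopback-only value.` The trailing comment can then go, keeping the const line to the value alone as the other entries in this block do.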
diff --git a/agent/config/config_windows.go b/agent/config/config_windows.go
index db4bb7d9637..03c37bf6faf 100644
--- a/agent/config/config_windows.go
+++ b/agent/config/config_windows.go
@@ -23,6 +23,9 @@ import (
 )
 const (
+ // AgentCredentialsAddress is used to serve the credentials for tasks.
+ AgentCredentialsAddress = "127.0.0.1"
+
 // defaultAuditLogFile specifies the default audit log filename
 defaultCredentialsAuditLogFile = `log\audit.log`
 // When using IAM roles for tasks on Windows, the credential proxy consumes port 80
 httpPort = 80