-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document security concerns of Atlantis UI #485
Comments
Is there an undocumented setting for disabling the UI entirely? If not, I'm interested in implementing it. Since the UI runs on the same port as the version control webhooks, which necessarily is exposed to the open internet for those of us using services like GitHub, the only way that I can think of to firewall off the UI without interfering with the webhooks is to whitelist GitHub's backend IPs. Polling GitHub for its IPs sounds like a lot of operational overhead to secure a feature that I don't use. I would rather be able to just switch off the UI. edit: Like others in this thread, I ended up putting Atlantis behind a reverse proxy that allows fine-grained access control. |
There isn't an undocumented setting and I don't think I'd want a PR to implement it. The UI is necessary for normal Atlantis usage, I'd be surprised if you never needed it. You could also front Atlantis with a server that only lets through requests to /events. I'm also not sure how often GitHub changes their backend IPs, but you probably don't have to poll them? I know those aren't great solutions but that's where we're at today. |
In my case, UI is pretty good for just showing the information across the repos (atlantis tool for all our repos). |
On the IP whitelisting: if you use Terraform, you can get the IPs from the Github provider. |
You could also potentially run nginx in front of atlantis and use basic auth. The web hook could then be configured as |
We use the whitelisted IPs through terraform like @chadasapp, it also goes through a custom tool that checks the signature, who is attached to the request, if the repo is truly a private repo, all those bits. It also has our company's next-gen WAF protecting it. It would be easier if API traffic and human traffic were on different ports. It's a lot easier to trust a security group, for instance. |
I've very succesfully been deploying https://github.com/pusher/oauth2_proxy in front of atlantis, with the github integration. You can specify to skip auth for the |
You can update the ingress to handle only /events, thereby disabling UI partially. Update ingress block in helm chart deployment:
|
@netguino How did you implement this if you can remember? I've used the |
These are my settings for oauth2_proxy
|
Many thanks for that @netguino 🙂 |
Via #49 (comment), document the impact of access to the Atlantis UI in the security section
The text was updated successfully, but these errors were encountered: