CHANGELOG: add "--host-whitelist" change
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
release-3.4
parent
e9969aae7e
commit
d28c0921d3
|
@ -52,6 +52,15 @@ See [code changes](https://github.com/coreos/etcd/compare/v3.3.0...v3.4.0) and [
|
|||
- If not given, etcd queries `_etcd-server-ssl._tcp.[YOUR_HOST]` and `_etcd-server._tcp.[YOUR_HOST]`.
|
||||
- If `--discovery-srv-name="foo"`, then query `_etcd-server-ssl-foo._tcp.[YOUR_HOST]` and `_etcd-server-foo._tcp.[YOUR_HOST]`.
|
||||
- Useful for operating multiple etcd clusters under the same domain.
|
||||
- Add [`--host-whitelist`](https://github.com/coreos/etcd/pull/9372) flag, [`etcdserver.Config.HostWhitelist`](https://github.com/coreos/etcd/pull/9372), and [`embed.Config.HostWhitelist`](https://github.com/coreos/etcd/pull/9372), to prevent ["DNS Rebinding"](https://en.wikipedia.org/wiki/DNS_rebinding) attack.
|
||||
- Any website can simply create an authorized DNS name, and direct DNS to `"localhost"` (or any other address). Then, all HTTP endpoints of etcd server listening on `"localhost"` becomes accessible, thus vulnerable to [DNS rebinding attacks (CVE-2018-5702)](https://bugs.chromium.org/p/project-zero/issues/detail?id=1447#c2).
|
||||
- Client origin enforce policy works as follow:
|
||||
- If client connection is secure via HTTPS, allow any hostnames..
|
||||
- If client connection is not secure and `"HostWhitelist"` is not empty, only allow HTTP requests whose Host field is listed in whitelist.
|
||||
- By default, `"HostWhitelist"` is empty, which means insecure server allows all client HTTP requests.
|
||||
- Note that the client origin policy is enforced whether authentication is enabled or not, for tighter controls.
|
||||
- When specifying hostnames, loopback addresses are not added automatically. To allow loopback interfaces, add them to whitelist manually (e.g. `"localhost"`, `"127.0.0.1"`, etc.).
|
||||
- e.g. `etcd --host-whitelist example.com`, then the server will reject all HTTP requests whose Host field is not `example.com` (also rejects requests to `"localhost"`).
|
||||
- Define `embed.CompactorModePeriodic` for `compactor.ModePeriodic`.
|
||||
- Define `embed.CompactorModeRevision` for `compactor.ModeRevision`.
|
||||
|
||||
|
|
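Review bot: the bullet "only allow HTTP requests whose Host field is listed in whitelist" leaves the comparison rule undocumented, and that is the part an operator needs to get right: say whether a port suffix is stripped before the lookup (does `Host: example.com:2379` match `--host-whitelist example.com`?) and whether the match is case-insensitive, because a comparison that does not normalize lets a rebinding attacker pick a Host variant that slips past the list, while one that is too strict rejects every ordinary client that sends host:port. The loopback bullet tells operators to add `"localhost"` and `"127.0.0.1"` manually but no bullet shows the flag syntax for listing more than one host; extending the `etcd --host-whitelist example.com` example to a multi-host form would close that gap. Two wording fixes in the same hunk: "Client origin enforce policy works as follow:" should read "Client origin enforcement policy works as follows:", and "allow any hostnames.." carries a doubled period.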