Open Mardoxx opened 7 years ago
You should not expose RP publicly... RP is a client facility for xplat connection to services from inside the cluster or from internal client applications.
I agree that a proper Internet Facing Proxy is a missing feature in SF. You can implement your own using https://github.com/aspnet/Proxy (as a stateless service) or use a preexisting one like nginx or haproxy. Alternatively, you can also use some Azure service like Application Gateway or API Management.
But exposing RP publicly is not the best idea at all. Despite that, many people still do this :-(.
Why not?
Because Service Fabric Reverse Proxy non-selectively exposes ALL internal endpoints publicly and also gives too much control over replica and endpoint selection, timeouts, etc. to the caller. I can also imagine it might be a nice target for DoS attacks (I have no proof). I can imagine that many developers are not aware of RP features like the Secondary Replica selector or Listener selector, which can lead to potential security vulnerabilities.
Of course I can imagine an application written in a way that will have no non-public endpoints, but it cuts off many potential options.
Also this issue with Patch Orchestration Application is only a symptom.
Also: Reverse Proxy works quite nicely with L7 load balancers, where you can do nice path translation.
I use RP but I want to install the Patch Orchestration application. Looking here it says it opens an HTTP listener to view results of attempted installs. Is it possible to secure this or disable it, since RP allows access to all HTTP services?
I thought there was an issue requesting a feature to select which services are accessible through RP via configuration -- can't find it though! This would be a great use case. Can't ever think of a reason why non-cluster-maintainers would ever need this information!
Thanks
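
Added example, not part of the thread and not Service Fabric or project code: the allowlist-and-rewrite step an internet-facing proxy placed in front of the reverse proxy could apply, so that only chosen services are reachable and the caller cannot set the replica, listener or timeout options discussed above. The route table, service names, hostnames and `RP_BASE` are constructed assumptions; the query parameter names are those of the reverse proxy's documented URI format.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, quote, unquote

# Constructed routing table: public path prefix -> internal "App/Service" name.
# Anything not listed here is never forwarded to the reverse proxy.
PUBLIC_ROUTES = {
    "/api/orders": "ShopApp/OrdersApi",
    "/api/catalog": "ShopApp/CatalogApi",
}

# Query parameters the Service Fabric reverse proxy interprets itself.
# They are dropped so an external caller cannot pick a replica or listener,
# address a partition directly, or stretch the timeout.
RP_CONTROL_PARAMS = {"partitionkey", "partitionkind", "listenername",
                     "targetreplicaselector", "timeout"}

# Assumption: reverse proxy reachable only from inside the cluster on port 19081.
RP_BASE = "http://localhost:19081"


def to_internal_url(public_url):
    """Map a public URL to a reverse proxy URL, or return None to reject it."""
    parts = urlsplit(public_url)
    path = unquote(parts.path)  # decode once so %2e%2e is seen as ".."
    if "\\" in path or any(seg in ("..", ".") for seg in path.split("/")):
        return None  # no path traversal out of the allowlisted prefix
    for prefix, service in PUBLIC_ROUTES.items():
        # Match whole path segments only: "/api/ordersX" must not match.
        if path == prefix or path.startswith(prefix + "/"):
            suffix = quote(path[len(prefix):])
            kept = [(k, v)
                    for k, v in parse_qsl(parts.query, keep_blank_values=True)
                    if k.lower() not in RP_CONTROL_PARAMS]
            query = urlencode(kept)
            return f"{RP_BASE}/{service}{suffix}" + (f"?{query}" if query else "")
    return None  # default deny: internal-only services stay unreachable


if __name__ == "__main__":
    # Constructed sample requests.
    for url in (
        "https://shop.example/api/orders/42?expand=items&Timeout=600",
        "https://shop.example/PatchOrchestrationApplication/results",
    ):
        print(url, "->", to_internal_url(url))
```

If an allowlisted service is partitioned, the edge proxy would have to add the partition parameters itself from trusted routing data rather than pass them through from the caller.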