Block internet access to mirrors.phx.ovirt.org

Description

mirrors.phx.ovirt.org currently allows HTTP access from the entire internet. It was convenient while it was being deployed, but now it should be changed to allow access only from the PHX data center.

Activity

Show:
Evgheni Dereveanchin
March 3, 2017, 3:03 PM

There still is some NAT from times when no route was in place but it can disappear at any moment so please leave access for RFC 1918 private networks.
this ticket is on me right now - is there anything I can help with regarding this ticket? Should I add ACLs to the web server config?

PS: an alternative would be to move mirrors into an internal VLAN, however in case we have external consumers in the future they may have problems accessing them.

Barak Korren
March 3, 2017, 4:59 PM

I think proper firewalld zone configuration would suffice. I'd set it in place myself but I haven't been able to find the time...

Evgheni Dereveanchin
March 9, 2017, 10:30 AM

firewalld zones are attached to interfaces and as the server just has one it will not allow filtering traffic out of the box. Custom iptables rules need to be invoked.

Instead I just applied an ACL in /etc/httpd/conf/httpd.conf to limit traffic sources, so now repos are only reachable from inside PHX:
http://mirrors.phx.ovirt.org/repos/

Barak Korren
March 9, 2017, 11:43 AM

you can also make firewalld route to zones by source address with the '--add-source=' option. But anyway you can use what ever you are comfortable with.

We need to also verify that the mirrors remain accessible from all slaves, the jobs will transparently fail-over to the remote package sources if not.

Evgheni Dereveanchin
March 9, 2017, 11:47 AM

having an apache ACL makes monitoring easy as all accepted/rejected connections show up in access_log - I monitored it and nothing changed for PHX machines accessing the mirrors.

Assignee

Evgheni Dereveanchin

Reporter

Barak Korren

Blocked By

None

Priority

Medium
Configure