mirrors.phx.ovirt.org currently allows HTTP access from the entire internet. It was convenient while it was being deployed, but now it should be changed to allow access only from the PHX data center.
There is still some NAT left over from the time when no route was in place, but it can disappear at any moment, so please leave access open for RFC 1918 private networks.
This ticket is on me right now. Is there anything I can help with regarding it? Should I add ACLs to the web server config?
PS: An alternative would be to move the mirrors into an internal VLAN; however, if we have external consumers in the future, they may have problems accessing them.
I think a proper firewalld zone configuration would suffice. I'd set it up myself, but I haven't been able to find the time...
firewalld zones are attached to interfaces, and as the server has just one, it will not allow filtering traffic out of the box. Custom iptables rules need to be invoked.
You can also make firewalld route to zones by source address with the '--add-source=' option. But anyway, you can use whatever you are comfortable with.
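As an added example (not from this ticket or the oVirt infra repo), this is how the zone-by-source approach could be laid out with firewall-cmd. 203.0.113.0/24 is a hypothetical placeholder for the PHX public range, which is not given in the ticket; the RFC 1918 blocks are the ones the NAT comment asks to keep. The `in_allowed_sources` helper checks a client address against the same source list before the rules are applied, which is cheaper than locking yourself out; `apply_firewalld_policy` needs root and a running firewalld and is not invoked automatically.

```shell
#!/bin/sh
# Added example, not part of the ticket. Zone-by-source filtering for mirrors.phx.ovirt.org.
# PHX_PUBLIC_NET is a hypothetical placeholder (TEST-NET-3); substitute the real PHX range.
PHX_PUBLIC_NET="203.0.113.0/24"
RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
ALLOWED_SOURCES="$PHX_PUBLIC_NET $RFC1918_NETS"

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Returns 0 if $1 (address) lies within $2 (CIDR a.b.c.d/n), 1 otherwise.
in_cidr() {
    local addr net prefix mask
    net=${2%/*}
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "$net")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Returns 0 if the address would be matched into the "mirrors" zone (allowed),
# 1 if it would fall through to the default zone.
in_allowed_sources() {
    local cidr
    for cidr in $ALLOWED_SOURCES; do
        in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# Apply the policy. Needs root and a running firewalld; not invoked automatically.
apply_firewalld_policy() {
    firewall-cmd --permanent --new-zone=mirrors
    firewall-cmd --permanent --zone=mirrors --add-service=http
    # Keep ssh reachable from the same sources so the change cannot lock you out.
    firewall-cmd --permanent --zone=mirrors --add-service=ssh
    for cidr in $ALLOWED_SOURCES; do
        firewall-cmd --permanent --zone=mirrors --add-source="$cidr"
    done
    # Anything not matched by a source above stays in the default zone, which must not
    # offer http. "drop" discards silently; use a zone without http if you prefer RSTs.
    firewall-cmd --permanent --set-default-zone=drop
    firewall-cmd --reload
    firewall-cmd --zone=mirrors --list-all
}
```

A source binding takes precedence over the interface binding, which is what makes this work on a host with a single NIC: the interface stays in the default zone and only traffic from the listed sources is steered into the `mirrors` zone. Run `in_allowed_sources <slave-ip>` for each PHX slave before `apply_firewalld_policy` to confirm none of them would be dropped.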
We also need to verify that the mirrors remain accessible from all slaves; the jobs will transparently fail over to the remote package sources if not.
Having an Apache ACL makes monitoring easy, as all accepted/rejected connections show up in access_log. I monitored it and nothing changed for PHX machines accessing the mirrors.
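As an added example (not from this ticket or the oVirt infra repo), the Apache-side variant with the access_log check the last comment relies on. It assumes Apache 2.4 `Require` syntax and a DocumentRoot of /var/www/html, and uses 203.0.113.0/24 as a hypothetical placeholder for the PHX range; the log lines are constructed samples in the "combined" format, where rejected requests appear as 403s.

```shell
#!/bin/sh
# Added example, not from the ticket. Apache 2.4 ACL for the mirrors vhost plus a quick
# access_log check. 203.0.113.0/24 is a hypothetical placeholder for the PHX range.
PHX_PUBLIC_NET="203.0.113.0/24"
RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the ACL stanza (Apache 2.4 "Require" syntax; the DocumentRoot is assumed).
mirrors_acl_conf() {
    cat <<EOF
<Directory "/var/www/html">
    # Allow PHX and RFC 1918 only; everyone else gets a 403 that shows up in access_log.
    Require ip $PHX_PUBLIC_NET $RFC1918_NETS
</Directory>
EOF
}

# Constructed sample lines in Apache "combined" format (field 1 = client, field 9 = status).
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [10/Oct/2015:13:55:36 +0000] "GET /pub/x.rpm HTTP/1.1" 200 1024 "-" "urlgrabber/3.10"
10.0.0.5 - - [10/Oct/2015:13:55:37 +0000] "GET /pub/repodata/repomd.xml HTTP/1.1" 200 2990 "-" "urlgrabber/3.10"
192.168.1.20 - - [10/Oct/2015:13:56:01 +0000] "GET /pub/x.rpm HTTP/1.1" 200 1024 "-" "urlgrabber/3.10"
198.51.100.7 - - [10/Oct/2015:13:57:12 +0000] "GET /pub/x.rpm HTTP/1.1" 403 199 "-" "curl/7.29.0"
198.51.100.7 - - [10/Oct/2015:13:57:13 +0000] "GET /pub/ HTTP/1.1" 403 199 "-" "curl/7.29.0"
EOF
)

# count_status LOG CLIENT STATUS -> number of requests from CLIENT that got STATUS.
count_status() {
    printf '%s\n' "$1" | awk -v c="$2" -v s="$3" '$1 == c && $9 == s { n++ } END { print n + 0 }'
}

# rejected_clients LOG -> unique client addresses that received a 403, one per line.
rejected_clients() {
    printf '%s\n' "$1" | awk '$9 == "403" && !seen[$1]++ { print $1 }'
}
```

On the live host, `rejected_clients "$(cat /var/log/httpd/access_log)"` (path assumed) gives the list to compare against the PHX slaves; any slave in that list is about to fail over silently to the remote package sources, which is exactly the regression the earlier comment warns about.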