Page MenuHomeSoftware Heritage

hedgedoc: Fix irrelevant access to hedgedoc instance
Started, Work in Progress, NormalPublic

Description

DSI notified us that clear access is possible from:

This was not intended.

Find a way to make varnish not serve those urls, a 403 would do.

Event Timeline

ardumont triaged this task as Normal priority.Tue, Jan 12, 2:41 PM
ardumont created this task.

Tentatively tried:

sub vcl_recv {
    if (
        req.http.host ~ "^(?i)hedgedoc\.softwareheritage\.org(:[0-9]+)?$"
    ) {
        if (std.port(server.ip) == 80) {
            set req.http.x-redir = "https://" + req.http.host + req.url;
            return(synth(850, "Moved permanently"));
        } else {
            if (req.http.upgrade ~ "(?i)websocket") {
                return (pipe);
            }
            set req.http.X-Forwarded-Proto = "https";
            set req.backend_hint = hedgedoc;
        }
    }
    else { # here, reject the rest
       return (synth(403));
    }
}

which works right now but might be because we only have 1 vhost in the admin vlan.
We gather that won't work when we'll add other vhosts to serve.

ardumont changed the task status from Open to Work in Progress.Thu, Jan 14, 2:07 PM
ardumont moved this task from Backlog to in-progress on the System administration board.
ardumont updated the task description. (Show Details)

Manually deployed:

root@rp1:/etc/varnish/includes# cat 90_vhost_forbidden_access_swh-rproxy3.inria.fr.vcl
# vhost_forbidden_access_swh-rproxy3.inria.fr.vcl
#
# Settings for swh-rproxy3.inria.fr vhost to refuse access
#
# File managed by puppet. All modifications will be lost.

sub vcl_recv {
    if (
        req.http.host ~ "^(?i)128\.93\.166\.10(:[0-9]+)?$" ||
        req.http.host ~ "^(?i)swh\-rproxy3\.inria\.fr(:[0-9]+)?$"
    ) {
        return(synth(403, "Forbidden access"));
    }
}

(puppet agent stopped for now)

As this seems enough to do the job, D4862 allows to declare the same vhost through puppet.