DSI notified us that clear access is possible from:
This was not intended.
Find a way to make varnish not serve those urls, a 403 would do.
Related objects: D4862 (rSPSITE puppet-swh-site, commit rSPSITE6702a957bc5c): varnish: Refuse access to unknown vhost
Tentatively tried:

    import std;   # needed for std.port(); the hedgedoc backend and the
                  # vcl_synth handler for status 850 are defined elsewhere

    sub vcl_recv {
        if (
            req.http.host ~ "^(?i)hedgedoc\.softwareheritage\.org(:[0-9]+)?$"
        ) {
            if (std.port(server.ip) == 80) {
                # plain HTTP: hand a redirect to vcl_synth
                set req.http.x-redir = "https://" + req.http.host + req.url;
                return (synth(850, "Moved permanently"));
            } else {
                if (req.http.upgrade ~ "(?i)websocket") {
                    return (pipe);
                }
                set req.http.X-Forwarded-Proto = "https";
                set req.backend_hint = hedgedoc;
            }
        }
        else { # here, reject the rest
            return (synth(403));
        }
    }

which works right now but might be because we only have 1 vhost in the admin vlan.
We gather that won't work when we'll add other vhosts to serve.
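As an added example (not code from the task or from puppet-swh-site), this is what the "allow known vhosts, 403 everything else" approach looks like once more than one vhost has to be served. The backend definitions, the second vhost name (`other.example.org`) and the ports are assumptions; only `hedgedoc.softwareheritage.org`, the HTTPS redirect and the websocket pipe come from the snippet above.

```vcl
vcl 4.1;
import std;

# Hypothetical backends: names and addresses are placeholders, not from the page.
backend hedgedoc  { .host = "127.0.0.1"; .port = "3000"; }
backend other_app { .host = "127.0.0.1"; .port = "3001"; }

sub vcl_recv {
    # Normalise the Host header once: drop an optional :port suffix and lowercase it,
    # so each vhost can be matched with an exact string comparison below.
    set req.http.x-vhost = std.tolower(regsub(req.http.host, ":[0-9]+$", ""));

    # Default deny: only vhosts listed here get a backend. A raw IP, the proxy's own
    # FQDN, an unknown name or a missing Host header all fall into the else branch.
    if (req.http.x-vhost == "hedgedoc.softwareheritage.org") {
        set req.backend_hint = hedgedoc;
    } else if (req.http.x-vhost == "other.example.org") {
        set req.backend_hint = other_app;
    } else {
        return (synth(403, "Forbidden access"));
    }

    # Plain HTTP -> HTTPS redirect, as in the snippet above.
    if (std.port(server.ip) == 80) {
        set req.http.x-redir = "https://" + req.http.host + req.url;
        return (synth(850, "Moved permanently"));
    }
    if (req.http.upgrade ~ "(?i)websocket") {
        return (pipe);
    }
    set req.http.X-Forwarded-Proto = "https";
}

sub vcl_synth {
    # Turn the internal 850 into a real 301; 403 keeps Varnish's default synthetic body.
    if (resp.status == 850) {
        set resp.http.Location = req.http.x-redir;
        set resp.status = 301;
        return (deliver);
    }
}
```

Because the vhost check runs before the redirect, a request for an unknown Host on port 80 is refused with 403 rather than redirected to an HTTPS URL that would then be refused anyway. Adding a vhost is one more `else if` arm (or, with puppet, one more include file that sets `req.backend_hint` for its own name); the final `else` never needs to change. `varnishd -C -f <file>` compiles the VCL without starting the daemon, which is a cheap syntax check before deploying.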
Manually deployed:

    root@rp1:/etc/varnish/includes# cat 90_vhost_forbidden_access_swh-rproxy3.inria.fr.vcl
    # vhost_forbidden_access_swh-rproxy3.inria.fr.vcl
    #
    # Settings for swh-rproxy3.inria.fr vhost to refuse access
    #
    # File managed by puppet. All modifications will be lost.

    sub vcl_recv {
        if (
            req.http.host ~ "^(?i)128\.93\.166\.10(:[0-9]+)?$" ||
            req.http.host ~ "^(?i)swh\-rproxy3\.inria\.fr(:[0-9]+)?$"
        ) {
            return (synth(403, "Forbidden access"));
        }
    }

(puppet agent stopped for now)
As this seems enough to do the job, D4862 allows declaring the same vhost through puppet.