[Spacewalk-list] Filtering webui access

Pierre Casenove pcasenove at gmail.com
Wed Aug 24 19:05:39 UTC 2011


Hello,
iptables can't do the trick, as spacewalk clients connect to port 443 as
well as the admins.
I've tried to add a Location /rhn tag with Allow/Deny rules, but I get a
spacewalk error 403 page when I reload apache.
I haven't dug too much into this point; I'll keep you informed if I get
something working.

Pierre


2011/8/24 Matt Moldvan <mmoldvan at dcctools.com>

> If all else fails a simple IPTables rule could do this also, or even
> complement the Allow From rules.
>
> Regards,
> Matt.
> ________________________________________
> From: spacewalk-list-bounces at redhat.com [spacewalk-list-bounces at redhat.com]
> on behalf of Michael Mraka [michael.mraka at redhat.com]
> Sent: Tuesday, August 23, 2011 8:42 AM
> To: spacewalk-list at redhat.com
> Subject: Re: [Spacewalk-list] Filtering webui access
>
> Pierre Casenove wrote:
> % Hello,
> % My security department asks me to filter the HTTPS access to the webui
> % based on the IPs of the administrator.
> % The administrators are on a predefined subnet, but the spacewalk clients
> % are on multiple subnets.
> % Is it possible to filter https access (either in apache or iptables)
> % without breaking YUM https communication between spacewalk server and
> % clients?
>
> WebUI is available under https://spacewalk/rhn/ and
> https://spacewalk/network/, while clients (rhn_register, yum, etc.) go
> primarily to https://spacewalk/XMLRPC/.
>
> There are also some more interfaces for package push, ISS, etc., a list of
> which you can find in
> /etc/rhn/satellite-httpd/conf/rhn/spacewalk-backend-*.conf (on RHEL5)
> or in /etc/httpd/conf.d/zz-spacewalk-server-wsgi.conf (on RHEL6 and
> Fedoras).
>
> So you might be able to limit access in httpd via
>
> <Location ...>
>    Order allow,deny
>    Allow from ...
>    Deny from ...
> </Location>
>
> I've never heard about anyone doing this so it'll be great if you
> share your experience with others.
>
> Regards,
>
> --
> Michael Mráka
> Satellite Engineering, Red Hat
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
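The template quoted above uses `Order allow,deny`, under which Apache 2.2 denies by default and lets any matching `Deny` override a matching `Allow`. The following is an added example, not code from the thread or from Spacewalk: it models that evaluation for the URL prefixes named in the thread so a rule set can be checked against sample client addresses before reloading httpd. The admin subnet, client addresses and rule sets are constructed, and the model assumes non-overlapping Location prefixes and treats paths without a rule as unrestricted.

```python
import ipaddress

# Constructed values for illustration: admin subnet and per-Location rules.
ADMIN_NET = "10.10.0.0/24"
POLICY = {
    # Location prefix: (Order, Allow list, Deny list)
    "/rhn":     ("allow,deny", [ADMIN_NET], []),
    "/network": ("allow,deny", [ADMIN_NET], []),
}

def _matches(ip, specs):
    """True if ip falls in any spec; 'all' matches every client."""
    addr = ipaddress.ip_address(ip)
    return any(s == "all" or addr in ipaddress.ip_network(s) for s in specs)

def evaluate(order, allow, deny, ip):
    """Apache 2.2 host-based decision for one Order/Allow/Deny set."""
    allowed, denied = _matches(ip, allow), _matches(ip, deny)
    if order == "allow,deny":
        # Default deny; a matching Deny overrides a matching Allow.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow; a matching Allow overrides a matching Deny.
        return allowed or not denied
    raise ValueError("unknown Order: %r" % order)

def access(policy, path, ip):
    """Apply the first Location whose prefix matches on a path-segment boundary."""
    for prefix, (order, allow, deny) in policy.items():
        if path == prefix or path.startswith(prefix + "/"):
            return evaluate(order, allow, deny, ip)
    return True  # model assumption: no Location rule means no restriction

if __name__ == "__main__":
    # Constructed sample requests: (client IP, URL path)
    samples = [("10.10.0.15", "/rhn/"), ("192.0.2.40", "/rhn/"),
               ("192.0.2.40", "/network/"), ("192.0.2.40", "/XMLRPC")]
    for ip, path in samples:
        verdict = "allow" if access(POLICY, path, ip) else "deny (403)"
        print(ip, path, verdict)
    # Pitfall: with "Order allow,deny", adding "Deny from all" rejects the
    # admin subnet as well, because Deny is evaluated last and wins.
    print(evaluate("allow,deny", [ADMIN_NET], ["all"], "10.10.0.15"))
```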