[Spacewalk-list] Limiting access to spacewalk webinterface

Pierre Casenove pcasenove at gmail.com
Fri Jun 8 10:33:07 UTC 2012


With my solution, I filter only access to rhn context root.
This context root is used only by the web UI. The clients are still
able to connect.

Pierre


2012/6/8 Jeremy Maes <jma at schaubroeck.be>:
> On 7/06/2012 19:02, Pierre Casenove wrote:
>>
>> 2012/6/7 Scott Worthington<scott.c.worthington at gmail.com>:
>>>
>>> On 6/7/2012 11:18 AM, Jeremy Maes wrote:
>>>>
>>>> Hey Spacewalk users
>>>>
>>>> I'm new to the list but have been testing Spacewalk since version 1.3.
>>>> Recently made a clean installation of 1.7 to start using in production, but
>>>> I have a question about the webinterface.
>>>>
>>>> First a little overview of our current situation:
>>>> I have Spacewalk 1.7 installed on PostgreSQL, on a CentOS 6.2 server.
>>>> The Spacewalk server itself is in our DMZ because it needs to be accessible
>>>> by our other servers at over 200 remote sites.
>>>> Now I would very much like to close off the access to the webinterface
>>>> for the outside world, and only make it available for access from our
>>>> internal IPs.
>>>>
>>>> I know this is something that is probably possible through customizing
>>>> the apache config, but there's 2 things holding me back from trying it out
>>>> as of yet:
>>>>
>>>>   * I'm not really sure which of the config files to change, and where
>>>> I'd have to put the change(s).
>>>>   * Will my remote servers still be able to send and receive updates,
>>>> register if needed, etc... if I shut down the webinterface for external
>>>> hosts? It is my perception that almost all communication runs over http(s)
>>>> through webservices hosted by apache and I'm afraid of closing those off
>>>> too. Is it possible to selectively shut off access to only the webUI but not
>>>> the rest?
>>>>
>>>> Any pointers or tips would be really appreciated!
>>>>
>>>> Regards,
>>>> Jeremy
>>>
>>> Have you considered using iptables on the Spacewalk server to limit ports
>>> 80 and 443 (and other ports for Spacewalk) to your internal IP addresses?
>>>
>>> Or perhaps just limit all initial inbound communication to your Spacewalk
>>> server to your internal IP addresses in iptables.
>
> It's also mentioned in the conversation Pierre linked below: if you do that
> you will lose all connectivity towards your spacewalk server for your client
> servers. This is because basically all communication towards Spacewalk runs
> over those ports. The solution as I expected is in the usage of specific
> Apache rules.
>
>> Hi,
>> Here is what I've done:
>> https://www.redhat.com/archives/spacewalk-list/2011-August/msg00223.html
>>
>> Pierre
>>
>
> Wonderful, exactly what I was looking for!
>
> Guess I was using the wrong terms when searching for the info...
>
> Thanks and regards,
> Jeremy
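
The approach discussed in this thread, as an added illustration that is not taken from the thread or from the linked post: an Apache access rule scoped to the /rhn context root only. It assumes Apache 2.2 access-control syntax (the httpd series shipped with CentOS 6), a placeholder internal range of 10.0.0.0/8, and a hypothetical file name.

```apache
# /etc/httpd/conf.d/zz-rhn-webui-acl.conf   (hypothetical file name)
# Apache 2.2 syntax. 10.0.0.0/8 is a placeholder: replace it with the
# internal ranges that should be able to reach the web UI.

# The web UI is served under the /rhn context root.
# With "Order deny,allow" the Deny rules are evaluated first and the
# Allow rules then override them, so only the listed sources get in.
<Location /rhn>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 10.0.0.0/8
</Location>

# Nothing else is restricted here. Client traffic that does not use a
# /rhn URL (for example the /XMLRPC endpoint in the clients' serverURL)
# is not matched by this block, so remote systems keep checking in on
# ports 80 and 443 as before.
```

After reloading httpd, a request for /rhn from an address outside the allowed ranges should return 403, while a check-in from a registered remote client should still succeed.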



