[Spacewalk-list] Filtering webui access

Pierre Casenove pcasenove at gmail.com
Fri Aug 26 15:13:46 UTC 2011


Found it! As usual, right under my eyes!
I'd mixed up the order of Deny and Allow!

<Location /rhn/>
        Order Deny,Allow
        Allow from 192.168
        Allow from 127.0.0.1
        Allow from 10.120.2.5
        Deny from all
</Location>

<Location /help/>
        Order Deny,Allow
        Allow from 192.168
        Allow from 127.0.0.1
        Allow from 10.120.2.5
        Deny from all
</Location>

2011/8/26 Pierre Casenove <pcasenove at gmail.com>

> Hello,
> I've been trying a bit more around this.
> What I did:
> In file /etc/httpd/conf.d/zz-spacewalk-www.conf, I've added the following:
> <Location /rhn>
>         Order Allow,Deny
>         Allow from 192.168.1.1
>         Allow from 127.0.0.1
>         Allow from 10.120.2.5
>         Deny from all
> </Location>
>
> I'm getting an error :
> [Fri Aug 26 14:45:36 2011] [error] [client 192.168.1.1] client denied by
> server configuration: proxy:ajp://localhost:8009/rhn/Login.do
>
> Which really confuses me. I've been working around this a lot but can't get
> something to work.
>
> I've changed the Location tag to a Proxy tag... everybody gets access!
>
> If someone has an idea, please share!
>
>
> Pierre
>
>
>
> 2011/8/24 Pierre Casenove <pcasenove at gmail.com>
>
>> Hello,
>> iptables can't do the trick, as spacewalk clients connect to port 443 as
>> well as the admins.
>> I've tried to add a Location /rhn tag with Allow/Deny rules, but I get a
>> spacewalk error 403 page when I reload apache.
>> I haven't dug too much into this point; I'll keep you informed if I get
>> something working.
>>
>> Pierre
>>
>>
>> 2011/8/24 Matt Moldvan <mmoldvan at dcctools.com>
>>
>>> If all else fails a simple IPTables rule could do this also, or even
>>> complement the Allow From rules.
>>>
>>> Regards,
>>> Matt.
>>> ________________________________________
>>> From: spacewalk-list-bounces at redhat.com [
>>> spacewalk-list-bounces at redhat.com] on behalf of Michael Mraka [
>>> michael.mraka at redhat.com]
>>> Sent: Tuesday, August 23, 2011 8:42 AM
>>> To: spacewalk-list at redhat.com
>>> Subject: Re: [Spacewalk-list] Filtering webui access
>>>
>>> Pierre Casenove wrote:
>>> % Hello,
>>> % My security department asked me to filter the HTTPS access to the
>>> % webui based on the IPs of the administrator.
>>> % The administrators are on a predefined subnet, but the spacewalk
>>> % clients are on multiple subnets.
>>> % Is it possible to filter https access (either in apache or iptables)
>>> % without breaking YUM https communication between spacewalk server and
>>> % clients?
>>>
>>> WebUI is available under https://spacewalk/rhn/ and
>>> https://spacewalk/network/, while clients (rhn_register, yum, etc.) go
>>> primarily to https://spacewalk/XMLRPC/.
>>>
>>> There are also some more interfaces for package push, ISS, etc., a list of
>>> which you can find in
>>> /etc/rhn/satellite-httpd/conf/rhn/spacewalk-backend-*.conf (on RHEL5)
>>> or in /etc/httpd/conf.d/zz-spacewalk-server-wsgi.conf (on RHEL6 and
>>> Fedoras).
>>>
>>> So you might be able to limit access in httpd via
>>>
>>> <Location ...>
>>>    Order allow,deny
>>>    Allow from ...
>>>    Deny from ...
>>> </Location>
>>>
>>> I've never heard about anyone doing this so it'll be great if you
>>> share your experience with others.
>>>
>>> Regards,
>>>
>>> --
>>> Michael Mráka
>>> Satellite Engineering, Red Hat
>>>
>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>
>>
>>
>
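
Why swapping the Order fixes it, as an added example that is not part of the original messages: a small Python model of Apache 2.2's Order/Allow/Deny evaluation, applied to the two <Location /rhn> blocks from this thread. The addresses in CLIENTS are constructed, and only the host forms used here ("all", full and partial IPv4) are modelled.

```python
# Added example: model of Apache 2.2 mod_authz_host Order/Allow/Deny evaluation.
# Assumption: only "all" and full or partial dotted IPv4 arguments are handled.

def host_matches(spec, client_ip):
    """True if an 'Allow from' / 'Deny from' argument covers client_ip."""
    if spec.lower() == "all":
        return True
    spec_octets = spec.rstrip(".").split(".")
    # A partial address such as "192.168" matches on leading whole octets.
    return client_ip.split(".")[:len(spec_octets)] == spec_octets

def access_allowed(order, allow, deny, client_ip):
    """Return True if the client is admitted under the given Order."""
    allowed = any(host_matches(s, client_ip) for s in allow)
    denied = any(host_matches(s, client_ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Allow is evaluated first, Deny last: a Deny match wins, default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first, Allow last: an Allow match wins, default is allow.
        return allowed or not denied
    raise ValueError("unsupported Order: %r" % order)

# The two <Location /rhn> blocks from the thread.
BROKEN = dict(order="Allow,Deny",
              allow=["192.168.1.1", "127.0.0.1", "10.120.2.5"], deny=["all"])
WORKING = dict(order="Deny,Allow",
               allow=["192.168", "127.0.0.1", "10.120.2.5"], deny=["all"])

# Constructed clients: an admin host, a listed host, an unlisted client subnet.
CLIENTS = ["192.168.1.1", "10.120.2.5", "172.16.4.20"]

def evaluate(policy, clients=CLIENTS):
    """Map each client IP to True (admitted) or False (403)."""
    return {ip: access_allowed(client_ip=ip, **policy) for ip in clients}

if __name__ == "__main__":
    for name, policy in (("Allow,Deny", BROKEN), ("Deny,Allow", WORKING)):
        for ip, ok in evaluate(policy).items():
            print("%-11s %-12s %s" % (name, ip, "allowed" if ok else "403"))
```

With Order Deny,Allow the "Deny from all" line is what turns the block into an allow-list; without it every client is admitted by default. On Apache 2.4 these directives exist only through mod_access_compat, and the native equivalent is `Require ip 192.168 127.0.0.1 10.120.2.5`.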