varnish: Define vhost with forbidden access (!295) · Merge requests · Platform / Infrastructure / Puppet / puppet-swh-site

Antoine R. Dumont requested to merge generated-differential-D4862-source into generated-differential-D4862-target Jan 14, 2021

This defined a vhost which explicitely refuses access when an unknown vhost is detected.

This will allow to fix the current caveat, access to "hedgedoc" (default vhost) from http(s)://swh-rproxy3.inria.fr or from the associated ip.

Manually deployed on rp1.internal.admin.swh.network and this seems to do the job.

The other vhosts are still responding appropriately.

Related to T2962

Test Plan

vagrant provision admin-rp1

Refuse access with:

curl --insecure https://10.168.50.20
<!DOCTYPE html>
<html>
  <head>
    <title>403 Forbidden access to unknown vhost 10.168.50.20</title>
  </head>
  <body>
    <h1>Error 403 Forbidden access to unknown vhost 10.168.50.20</h1>
    <p>Forbidden access to unknown vhost 10.168.50.20</p>
    <h3>Guru Meditation:</h3>
    <p>XID: 32789</p>
    <hr>
    <p>Varnish cache server</p>
  </body>
</html>

same goes for http://swh-rproxy3.inria.fr...

with local /etc/hosts tampered with:

...
10.168.50.10 bardo.internal.admin.swh.network
10.168.50.20 hedgedoc.softwareheritage.org swh-rproxy3.inria.fr toto
...

Migrated from D4862 (view on Phabricator)

Admin message

varnish: Define vhost with forbidden access

Test Plan

Merge request reports