Mark Bergsma has uploaded a new change for review.
https://gerrit.wikimedia.org/r/78381
Change subject: Bind GitBlit http service to all interfaces, shield off with
iptables
......................................................................
Bind GitBlit http service to all interfaces, shield off with iptables
Change-Id: I9b850d7ba592017d063281dfa75716a09575ec8b
---
M files/gitblit/gitblit.properties
M manifests/misc/gitblit.pp
2 files changed, 10 insertions(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/81/78381/1
diff --git a/files/gitblit/gitblit.properties b/files/gitblit/gitblit.properties
index 5adcc42..58f8872 100644
--- a/files/gitblit/gitblit.properties
+++ b/files/gitblit/gitblit.properties
@@ -1451,7 +1451,7 @@
#
# SINCE 0.5.0
# RESTART REQUIRED
-server.httpBindInterface = localhost
+server.httpBindInterface =
# Specify the interface for Jetty to bind the secure connector.
# You may specify an ip or an empty value to bind to all interfaces.
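Review bot: Nothing in this file records that the empty `server.httpBindInterface =` is only safe behind the iptables rule added in manifests/misc/gitblit.pp. With the value empty the plain-HTTP connector listens on every address, so a host where that rule is missing, flushed or not yet loaded serves GitBlit directly. Suggest a comment above the setting stating that the port must be firewalled by the puppet-managed rule. Alternatively, bind to the one internal address the consumers actually need rather than to all interfaces.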
diff --git a/manifests/misc/gitblit.pp b/manifests/misc/gitblit.pp
index d231038..9345b66 100644
--- a/manifests/misc/gitblit.pp
+++ b/manifests/misc/gitblit.pp
@@ -10,9 +10,18 @@
$ssl_cert_key="") {
include webserver::apache
+ require iptables::tables
systemuser { $user: name => $user }
+ # Prevent external connections to the GitBlit HTTP service
+ iptables_add_service { 'gitblit_8080':
+ service => 'http-alt',
+ source => '! 10.64.0.0/12',
+ protocol => 'tcp',
+ jump => 'REJECT'
+ }
+
file {
"/etc/apache2/sites-available/git.wikimedia.org":
mode => 0444,
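Review bot: The `source => '! 10.64.0.0/12'` match in `gitblit_8080` also matches 127.0.0.1, so if the Apache vhost configured below reaches GitBlit over loopback, those connections get the REJECT too unless an earlier rule accepts traffic on lo. Please confirm that, or add an explicit accept for loopback. Two smaller points. The rule is named for 8080 but matches `service => 'http-alt'`, which ties it to the /etc/services mapping rather than to the port GitBlit is configured with, and a comment or the numeric port would make the coupling visible. Also, an iptables rule with an IPv4 source filters IPv4 only, so now that the service binds to all interfaces it is worth checking whether it becomes reachable over IPv6 on this host.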
--
To view, visit https://gerrit.wikimedia.org/r/78381
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9b850d7ba592017d063281dfa75716a09575ec8b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Mark Bergsma <[email protected]>