Mark Bergsma has submitted this change and it was merged.
Change subject: Bind GitBlit http service to all interfaces, shield off with
iptables
......................................................................
Bind GitBlit http service to all interfaces, shield off with iptables
Change-Id: I9b850d7ba592017d063281dfa75716a09575ec8b
---
M files/gitblit/gitblit.properties
M manifests/misc/gitblit.pp
2 files changed, 10 insertions(+), 1 deletion(-)
Approvals:
Mark Bergsma: Looks good to me, approved
jenkins-bot: Verified
diff --git a/files/gitblit/gitblit.properties b/files/gitblit/gitblit.properties
index 5adcc42..58f8872 100644
--- a/files/gitblit/gitblit.properties
+++ b/files/gitblit/gitblit.properties
@@ -1451,7 +1451,7 @@
#
# SINCE 0.5.0
# RESTART REQUIRED
-server.httpBindInterface = localhost
+server.httpBindInterface =
# Specify the interface for Jetty to bind the secure connector.
# You may specify an ip or an empty value to bind to all interfaces.
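Review bot: With `server.httpBindInterface =` left empty the HTTP connector listens on every interface, so the packet filter becomes the only control keeping the service off external networks, and nothing in this file says so. I would add a comment directly above the setting, e.g. `# Bound to all interfaces on purpose; external access is rejected by the iptables rule in manifests/misc/gitblit.pp`. If only the host's internal address needs to accept connections, setting the value to that address would keep the listener itself scoped and leave the firewall as a second layer; whether that fits the deployment is not visible from this hunk.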
diff --git a/manifests/misc/gitblit.pp b/manifests/misc/gitblit.pp
index d231038..9345b66 100644
--- a/manifests/misc/gitblit.pp
+++ b/manifests/misc/gitblit.pp
@@ -10,9 +10,18 @@
$ssl_cert_key="") {
include webserver::apache
+ require iptables::tables
systemuser { $user: name => $user }
+ # Prevent external connections to the GitBlit HTTP service
+ iptables_add_service { 'gitblit_8080':
+ service => 'http-alt',
+ source => '! 10.64.0.0/12',
+ protocol => 'tcp',
+ jump => 'REJECT'
+ }
+
file {
"/etc/apache2/sites-available/git.wikimedia.org":
mode => 0444,
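Review bot: The REJECT rule in `iptables_add_service { 'gitblit_8080': ... }` matches on an IPv4 source only (`! 10.64.0.0/12`), so if the host has a routable IPv6 address and `iptables_add_service` does not also write ip6tables rules, the all-interfaces listener would be reachable over IPv6; that definition is outside this hunk, so this needs confirming. The same negated match also covers 127.0.0.1, so a local Apache proxying to localhost on this port would be rejected unless loopback traffic is accepted earlier in the chain. The rule also depends on `http-alt` resolving to the port GitBlit actually listens on; a comment such as `# http-alt = 8080/tcp, must match server.httpPort in gitblit.properties` would make that coupling explicit. The enclosing definition starts and ends outside the hunk.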
--
To view, visit https://gerrit.wikimedia.org/r/78381
Gerrit-MessageType: merged
Gerrit-Change-Id: I9b850d7ba592017d063281dfa75716a09575ec8b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Mark Bergsma <[email protected]>
Gerrit-Reviewer: Mark Bergsma <[email protected]>
Gerrit-Reviewer: jenkins-bot