Hello,

iptables can't do the trick, as spacewalk clients connect to port 443 as well as the admins. I've tried to add a Location /rhn tag with Allow/Deny rules, but I get a spacewalk error 403 page when I reload apache. I haven't dug too much into this point; I'll keep you informed if I get something working.

Pierre

2011/8/24 Matt Moldvan <[email protected]>

> If all else fails a simple IPTables rule could do this also, or even
> complement the Allow From rules.
>
> Regards,
> Matt.
> ________________________________________
> From: [email protected] [[email protected]]
> on behalf of Michael Mraka [[email protected]]
> Sent: Tuesday, August 23, 2011 8:42 AM
> To: [email protected]
> Subject: Re: [Spacewalk-list] Filtering webui access
>
> Pierre Casenove wrote:
> % Hello,
> % My security department asked me to filter the HTTPS access to the webui
> % based on the IPs of the administrator.
> % The administrators are on a predefined subnet, but the spacewalk clients
> % are on multiple subnets.
> % Is it possible to filter https access (either in apache or iptables)
> % without breaking YUM https communication between spacewalk server and
> % clients?
>
> WebUI is available under https://spacewalk/rhn/ and
> https://spacewalk/network/, while clients (rhn_register, yum, etc.) go
> primarily to https://spacewalk/XMLRPC/.
>
> There are also some more interfaces for package push, ISS, etc., a list of
> which you can find in
> /etc/rhn/satellite-httpd/conf/rhn/spacewalk-backend-*.conf (on RHEL5)
> or in /etc/httpd/conf.d/zz-spacewalk-server-wsgi.conf (on RHEL6 and
> Fedoras).
>
> So you might be able to limit access in httpd via
>
> <Location ...>
>   Order allow,deny
>   Allow from ...
>   Deny from ...
> </Location>
>
> I've never heard about anyone doing this so it'll be great if you
> share your experience with others.
>
> Regards,
>
> --
> Michael Mráka
> Satellite Engineering, Red Hat
>
> _______________________________________________
> Spacewalk-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/spacewalk-list
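
The per-path restriction discussed in this thread, written out as an added example for Apache httpd 2.2 (mod_authz_host); it is not part of the original messages and not Spacewalk's shipped configuration. The subnet 192.0.2.0/24 is a placeholder for the administrators' subnet, and the localhost entry is an assumption.

```apache
# Added example (not from the thread or from Spacewalk).
# 192.0.2.0/24 is a placeholder for the administrators' subnet.

# Web UI paths named in the thread: only the admin subnet may connect.
<Location /rhn>
    # deny,allow: Deny directives are evaluated first, then Allow.
    # A client matching both is allowed, so "Deny from all" plus
    # "Allow from <subnet>" admits exactly that subnet.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    # Assumption: processes on the server itself also use this path.
    Allow from 127.0.0.1
</Location>

<Location /network>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Allow from 127.0.0.1
</Location>

# Ordering pitfall: with "Order allow,deny" a matching Deny overrides
# a matching Allow, so the block below rejects every client with 403,
# the admin subnet included:
#
#   Order allow,deny
#   Allow from 192.0.2.0/24
#   Deny from all
#
# With "Order allow,deny" the default is already deny, so listing only
# "Allow from 192.0.2.0/24" (no Deny line) also admits just the subnet.

# No <Location /XMLRPC> block is added: the client endpoint used by
# rhn_register and yum stays reachable from every client subnet.
```

`apachectl configtest` checks the syntax before a reload. Afterwards, a request for /rhn/ from a client subnet should return 403 while rhn_register and yum against /XMLRPC/ keep working.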
