Hello,
I've been trying a bit more around this.
What I did:
In file /etc/httpd/conf.d/zz-spacewalk-www.conf, I've added the following:
<Location /rhn>
Order Allow,Deny
Allow from 192.168.1.1
Allow from 127.0.0.1
Allow from 10.120.2.5
Deny from all
</Location>
I'm getting an error:
[Fri Aug 26 14:45:36 2011] [error] [client 192.168.1.1] client denied by server configuration: proxy:ajp://localhost:8009/rhn/Login.do
Which really confuses me. I've been working around this a lot but can't get
something to work.
I've replaced the Location tag with a Proxy tag... everybody gets access!
If someone has an idea, please share!
Pierre
2011/8/24 Pierre Casenove <[email protected]>
> Hello,
> iptables can't do the trick, as spacewalk clients connect to port 443 as
> well as the admins
> I've tried to add a Location /rhn tag with allow/Deny rules, but I get a
> spacewalk error 403 page when I reload apache.
> I haven't dug too much around this point, I'll keep you informed if I get
> something working.
>
> Pierre
>
>
> 2011/8/24 Matt Moldvan <[email protected]>
>
>> If all else fails a simple IPTables rule could do this also, or even
>> complement the Allow From rules.
>>
>> Regards,
>> Matt.
>> ________________________________________
>> From: [email protected] [
>> [email protected]] on behalf of Michael Mraka [
>> [email protected]]
>> Sent: Tuesday, August 23, 2011 8:42 AM
>> To: [email protected]
>> Subject: Re: [Spacewalk-list] Filtering webui access
>>
>> Pierre Casenove wrote:
>> % Hello,
>> % My security department asks me to filter the HTTPS access to the webui
>> % based on the IPs of the administrator.
>> % The administrators are on a predefined subnet, but the spacewalk clients
>> % are on multiple subnets.
>> % Is it possible to filter https access (either in apache or iptables)
>> % without breaking YUM https communication between spacewalk server and
>> % clients?
>>
>> WebUI is available under https://spacewalk/rhn/ and
>> https://spacewalk/network/, while clients (rhn_register, yum, etc.) go
>> primarily to https://spacewalk/XMLRPC/.
>>
>> There are also some more interfaces for package push, ISS, etc., a list of
>> which you can find in
>> /etc/rhn/satellite-httpd/conf/rhn/spacewalk-backend-*.conf (on RHEL5)
>> or in /etc/httpd/conf.d/zz-spacewalk-server-wsgi.conf (on RHEL6 and
>> Fedoras).
>>
>> So you might be able to limit access in httpd via
>>
>> <Location ...>
>> Order allow,deny
>> Allow from ...
>> Deny from ...
>> </Location>
>>
>> I've never heard about anyone doing this so it'll be great if you
>> share your experience with others.
>>
>> Regards,
>>
>> --
>> Michael Mráka
>> Satellite Engineering, Red Hat
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>
>
>
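Added example, not part of the original thread: under Apache 2.2 mod_authz_host, "Order Allow,Deny" evaluates the Deny directives after the Allow directives, so "Deny from all" rejects every client, which is consistent with the logged denial for 192.168.1.1. The block below writes the same allow-list with "Order Deny,Allow"; the addresses are the ones from the post, and covering /network as well as /rhn is an assumption based on the WebUI paths named earlier in the thread.

```apache
# Added example for Apache 2.2 (mod_authz_host); not from the original thread.
# The addresses are the ones quoted in the post above.

# As posted (shortened): with "Order Allow,Deny" the Allow lines are evaluated
# first and the Deny lines last, and a request that matches both is rejected.
# "Deny from all" matches every client, so even 192.168.1.1 is refused.
#
# <Location /rhn>
#     Order Allow,Deny
#     Allow from 192.168.1.1
#     Deny from all
# </Location>

# Allow-list form: with "Order Deny,Allow" the Deny lines are evaluated first
# and a matching Allow overrides them, so only the listed addresses get in.
# /XMLRPC does not match the pattern, so client traffic to it
# (rhn_register, yum) is not restricted by this block.
<LocationMatch "^/(rhn|network)(/|$)">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.1
    Allow from 127.0.0.1
    Allow from 10.120.2.5
</LocationMatch>

# Equivalent on Apache 2.4 (mod_authz_core / mod_authz_host):
# <LocationMatch "^/(rhn|network)(/|$)">
#     Require ip 192.168.1.1 127.0.0.1 10.120.2.5
# </LocationMatch>
```

Run "apachectl configtest" before reloading httpd, then request /rhn/Login.do from one listed and one unlisted address to confirm the result.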