On 7/06/2012 19:02, Pierre Casenove wrote:
2012/6/7 Scott Worthington<[email protected]>:
On 6/7/2012 11:18 AM, Jeremy Maes wrote:
Hey Spacewalk users

I'm new to the list but have been testing Spacewalk since version 1.3. I recently 
made a clean installation of 1.7 to start using in production, but I have a 
question about the web interface.

First a little overview of our current situation:
I have Spacewalk 1.7 installed on PostgreSQL, on a CentOS 6.2 server. The 
Spacewalk server itself is in our DMZ because it needs to be accessible by our 
other servers at over 200 remote sites.
Now I would very much like to close off the access to the web interface for the 
outside world, and only make it available for access from our internal IPs.

I know this is something that is probably possible through customizing the 
Apache config, but there are 2 things holding me back from trying it out as of 
yet:

   * I'm not really sure which of the config files to change, and where I'd 
     have to put the change(s).
   * Will my remote servers still be able to send and receive updates, register 
     if needed, etc. if I shut down the web interface for external hosts? It is my 
     perception that almost all communication runs over http(s) through web services 
     hosted by Apache and I'm afraid of closing those off too. Is it possible to 
     selectively shut off access to only the web UI but not the rest?

Any pointers or tips would be really appreciated!

Regards,
Jeremy

Have you considered using iptables on the Spacewalk server to limit ports 80 and 
443 (and other ports for Spacewalk) to your internal IP addresses?

Or perhaps just limit all initial inbound communication to your Spacewalk 
server to your internal IP addresses in iptables.

As is also mentioned in the conversation Pierre linked below, if you do that you 
will lose all connectivity towards your Spacewalk server for your client 
servers. This is because basically all communication towards Spacewalk runs 
over those ports. The solution, as I expected, is in the usage of specific Apache 
rules.

Hi,
Here is what I've done:
https://www.redhat.com/archives/spacewalk-list/2011-August/msg00223.html

Pierre

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list

Wonderful, exactly what I was looking for!

Guess I was using the wrong terms when searching for the info...

Thanks and regards,
Jeremy
