With my solution, I filter only access to rhn context root. This context root is used only by the web UI. The clients are still able to connect.

Pierre

2012/6/8 Jeremy Maes <[email protected]>:
> On 7/06/2012 19:02, Pierre Casenove wrote:
>>
>> 2012/6/7 Scott Worthington <[email protected]>:
>>>
>>> On 6/7/2012 11:18 AM, Jeremy Maes wrote:
>>>>
>>>> Hey Spacewalk users
>>>>
>>>> I'm new to the list but have been testing Spacewalk since version 1.3.
>>>> Recently made a clean installation of 1.7 to start using in production,
>>>> but I have a question about the webinterface.
>>>>
>>>> First a little overview of our current situation:
>>>> I have Spacewalk 1.7 installed on PostgreSQL, on a CentOS 6.2 server.
>>>> The Spacewalk server itself is in our DMZ because it needs to be
>>>> accessible by our other servers at over 200 remote sites.
>>>> Now I would very much like to close off the access to the webinterface
>>>> for the outside world, and only make it available for access from our
>>>> internal IPs.
>>>>
>>>> I know this is something that is probably possible through customizing
>>>> the apache config, but there's 2 things holding me back from trying it
>>>> out as of yet:
>>>>
>>>> * I'm not really sure which of the config files to change, and where
>>>>   I'd have to put the change(s).
>>>> * Will my remote servers still be able to send and receive updates,
>>>>   register if needed, etc... if I shut down the webinterface for
>>>>   external hosts? It is my perception that almost all communication
>>>>   runs over http(s) through webservices hosted by apache and I'm afraid
>>>>   of closing those off too. Is it possible to selectively shut off
>>>>   access to only the webUI but not the rest?
>>>>
>>>> Any pointers or tips would be really appreciated!
>>>>
>>>> Regards,
>>>> Jeremy
>>>
>>> Have you considered using iptables on the Spacewalk server to limit ports
>>> 80 and 443 (and other ports for Spacewalk) to your internal IP addresses?
>>>
>>> Or perhaps just limit all initial inbound communication to your Spacewalk
>>> server to your internal IP addresses in iptables.
>
> It's also mentioned in the conversation Pierre linked below, if you do that
> you will lose all connectivity towards your spacewalk server for your client
> servers. This is because basically all communication towards Spacewalk runs
> over those ports. The solution as I expected is in the usage of specific
> Apache rules.
>
>> Hi,
>> Here is what I've done:
>> https://www.redhat.com/archives/spacewalk-list/2011-August/msg00223.html
>>
>> Pierre
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
> Wonderful, exactly what I was looking for!
>
> Guess I was using the wrong terms when searching for the info...
>
> Thanks and regards,
> Jeremy
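
The approach described in this thread, restricting only the `/rhn` context root in Apache while leaving ports 80 and 443 open for clients, could look like the fragment below. This is an added example, not the configuration from the linked post or from the Spacewalk project; it assumes Apache httpd 2.2 (as shipped with CentOS 6), and the file name and address ranges are placeholders.

```apache
# Hypothetical file: /etc/httpd/conf.d/zz-restrict-rhn.conf
# Added example; the address ranges below are placeholders for the
# organisation's internal networks and must be replaced.
#
# Only the web UI context root (/rhn) is restricted. Nothing else is
# listed here, so the paths the remote clients use stay reachable
# from every site.

<Location /rhn>
    # Apache 2.2 access control: evaluate Deny first, then Allow,
    # so everything is refused unless an Allow line matches.
    Order deny,allow
    Deny from all

    # Local access on the Spacewalk server itself.
    Allow from 127.0.0.1

    # Placeholder internal ranges.
    Allow from 10.0.0.0/8
    Allow from 192.168.0.0/16
</Location>

# Equivalent on Apache 2.4 (mod_authz_core), for reference:
#
# <Location /rhn>
#     Require ip 127.0.0.1 10.0.0.0/8 192.168.0.0/16
# </Location>
```

After `apachectl configtest` and a reload, a browser request to `/rhn` from an address outside the allowed ranges should return 403, while a registered remote client should still check in and fetch updates as before.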
