Closed
Bug 1216008
Opened 9 years ago
Closed 9 years ago
Add route to bounceradmin.mozilla.com (52.26.59.232)
Categories
(Infrastructure & Operations :: Corporate VPN: ACL requests, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: nthomas, Unassigned)
Since bug 1211734 moved download.m.o to AWS, I can no longer reach bounceradmin.mozilla.com. I can open a connection from machines in the RelEng network, but not from my laptop. Probably this is because the new IP (52.26.59.232) is not advertised by the VPN routing config (I've tried bouncing the VPN). oremj, do I need some new LDAP group membership for this, or am I just the first non-cloudops remotie to attempt access since the move?
Flags: needinfo?(oremj)
Comment 1•9 years ago (Reporter)
Also, if this didn't show up while Rail was testing, does that mean that offices have blanket access to this host? If so, we should lock it down to a minimal set of people.
Assignee: infra → vpn-acl
Component: Infrastructure: OpenVPN → Mozilla VPN: ACL requests
QA Contact: jdow → cshields
Comment 2•9 years ago
I've added the route to the vpn configuration. I'm not sure about ACLs. Is there any type of auth configured on the host? What group of people should be allowed to reach it through vpn? I'm guessing if it works in the offices, then that's an office network ACL allowing it and not the VPN, but not sure. Also, since I just now added the route, but haven't made any other changes, this might still not work for you, as normally it's a route and an ACL group needed, but I don't want to add an ACL group until I know who all should be in it, or if the ACL should be added to an existing group.
Comment 3•9 years ago
The problem here is, the admin interface is fronted by an ELB, so the IP is not static. So far, we've whitelisted 63.245.214.82/32 and 63.245.214.169/32. The long term plan is #2 in bug 1209161.
Flags: needinfo?(oremj)
Comment 4•9 years ago (Reporter)
Thanks jabba, I see the route now. You're right that it's not enough as the connection doesn't open, but the IP shifted to 52.25.71.151. Should we back out the change for 52.26.59.232 and .. er .. WONTFIX this in favour of bug 1209161? In the meantime I can proxy via a machine in the RelEng network.
Comment 5•9 years ago
Works for me. I've backed out the change.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX