Closed
Bug 853644
Opened 11 years ago
Closed 11 years ago
Add bookmark for *NEW* input admin site to ssl vpn portal
Categories
(Infrastructure & Operations Graveyard :: NetOps, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: cturra, Assigned: adam)
can i please have a link added to vpn.mozilla.com for: http://input-admin.mozilla.org:81/admin/

this should direct you to the django admin login page for the *new* input cluster.
Updated • 11 years ago (Assignee)
Assignee: network-operations → adam
Comment 1 • 11 years ago (Assignee)
The link has been added to the vpn web interface. Please verify. Regards, -Adam
Comment 2 • 11 years ago (Reporter)
as discussed on irc, i am seeing the following error connecting to input-admin over the ssl vpn:

    Cannot access the Web site. Please check your proxy settings.
    Made http request for GET /admin/ HTTP/1.1 to input-admin.mozilla.org:81.
    The URL you entered is incorrect or the Web site is not accessible.
    Administrator: Please make sure that the DNS Domain information is entered correctly.
    Made http request for GET /admin/ HTTP/1.1 to input-admin.mozilla.org:81.

i did double check dns:

    $ dig +noauthority +noadditional input-admin.mozilla.org

    ; <<>> DiG 9.7.6-P1 <<>> +noauthority +noadditional input-admin.mozilla.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32930
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

    ;; QUESTION SECTION:
    ;input-admin.mozilla.org. IN A

    ;; ANSWER SECTION:
    input-admin.mozilla.org. 300 IN CNAME input1.webapp.phx1.mozilla.com.
    input1.webapp.phx1.mozilla.com. 300 IN A 10.8.81.177

    ;; Query time: 93 msec
    ;; SERVER: 10.8.75.21#53(10.8.75.21)
    ;; WHEN: Fri Mar 22 15:50:37 2013
    ;; MSG SIZE rcvd: 203

... and curl(ing) the site outside of the ssl vpn returns a 403 as i would expect:

    $ curl -I http://input-admin.mozilla.org:81/admin
    HTTP/1.1 403 Forbidden
    Date: Fri, 22 Mar 2013 22:51:20 GMT
    Server: Apache
    X-Backend-Server: input1.webapp.phx1.mozilla.com
    Content-Type: text/html; charset=iso-8859-1
Comment 3 • 11 years ago (Assignee)
I've tried copying previously working links and modifying them to no avail. In certain configurations the SSL VPN tries to force using SSL on the back end. In others, SSL is bypassed but I get the same forbidden message shown above.
Comment 4 • 11 years ago
:cturra, is there something different about this app in comparison to other apps like firefox flicks admin ui? When I log in, not via vpn to that URL, I get a 301 to https://input-admin.mozilla.org:81/en-US/?next=/admin/ which is trying to negotiate SSL over a non SSL enabled port. That's why the VPN link is failing. Once the 301 to https is resolved, this will be functional.
Flags: needinfo?(cturra)
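
The redirect diagnosed in comment 4, checked offline. This is an added example, not part of the original bug thread; `check_hop` and the finding codes are hypothetical names, and the control hop is constructed.

```python
"""Flag redirect hops like the one reported in comment 4 (added example)."""
from urllib.parse import parse_qs, urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Hop reported in comment 4: request URL, status, Location header.
HOP_FROM_BUG = (
    "http://input-admin.mozilla.org:81/admin/",
    301,
    "https://input-admin.mozilla.org:81/en-US/?next=/admin/",
)
# Constructed control: a normal upgrade to the default HTTPS port.
HOP_CONTROL = ("http://example.test/admin/", 301, "https://example.test/admin/")


def check_hop(request_url, status, location):
    """Return finding codes for a single redirect hop (hypothetical helper)."""
    if status not in REDIRECT_CODES or not location:
        return []
    src = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))  # Location may be relative
    findings = []

    # Same host, scheme upgraded to https, but the target pins the port the
    # plaintext listener already uses; a TLS handshake against it cannot work.
    src_port = src.port or DEFAULT_PORTS.get(src.scheme)
    if (src.scheme == "http" and dst.scheme == "https"
            and src.hostname == dst.hostname and dst.port == src_port):
        findings.append("https-on-plaintext-port")

    # The application bounced the request to another page and recorded the
    # original path in ?next=, the usual shape of a login redirect.
    if parse_qs(dst.query).get("next", [None])[0] == src.path:
        findings.append("login-redirect")
    return findings


if __name__ == "__main__":
    for hop in (HOP_FROM_BUG, HOP_CONTROL):
        print(hop[0], "->", hop[2], check_hop(*hop))
```
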
Comment 5 • 11 years ago (Reporter)
there is no redirect on the apache side that would do this. i am going to have to defer to :willkg (added as a /cc to this bug) to see if maybe that is done within the application?
Flags: needinfo?(cturra) → needinfo?(willkg)
Comment 6 • 11 years ago
I'm a little fuzzy as to what you're doing. We handle authentication (aka login) with Persona. We don't use the /admin login form. If you go to /admin without being logged in, then you get redirected to the configured login page--which is the front page. That's clearly not working here, but it doesn't matter since no one is going to log in that way. I'm also fuzzy on what https://input-admin.mozilla.org/ has to do with anything. If the plan is to have input.mozilla.org/admin redirect to input-admin.mozilla.org/admin and the protection is done there, that's not going to work because the configuration won't support it.
Flags: needinfo?(willkg)
Comment 7 • 11 years ago (Reporter)
input-admin.mozilla.org is a domain that will only resolve internally to allow us to skip around the ssl termination on our load balancers. essentially it resolves directly to one of the web nodes to serve the /admin content ONLY. since the admin login uses persona, unlike other sites that use this ssl vpn, i don't know if it's going to be possible. we might need to live with it behind LDAP like we set up last night.
Comment 8 • 11 years ago
(In reply to Chris Turra [:cturra] from comment #7)
> since the admin login uses persona, unlike other sites that use this ssl
> vpn, i don't know if it's going to be possible. we might need to live with
> it behind LDAP like we set up last night.

According to the secure coding guidelines[1], the goal of putting /admin/ on the VPN is to prevent brute-force attacks. But we don't log in through /admin/, we log in via Persona. So hiding /admin/ behind the VPN doesn't do anything to mitigate brute-force attacks. (The guidelines also say using the VPN is the "most popular option" but no one seems to actually use this option, so I'm confused by that.)

These guidelines were written before Persona. I think this is a bigger conversation and, recognizing that :adam in particular has put a bunch of work in already, I think we should live with the LDAP setup we have now, as Chris says in comment 7. At least for the time being.

[1] https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Admin_Login_Pages
Comment 9 • 11 years ago
I'm game for leaving it as is given that it's ok with sec folks who raised the issue originally. I'm game for marking this as WONTFIX. Thank you both for putting all the effort into it!
Comment 10 • 11 years ago (Reporter)
i agree with you :willkg. after speaking with :adam about this on irc, i am going to mark this bug as r/wontfix.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Updated • 11 years ago
Product: mozilla.org → Infrastructure & Operations
Updated • 2 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard