Closed Bug 758238 Opened 12 years ago Closed 12 years ago

Only allow VPN access to django admin on webpagemaker site

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: avarma, Assigned: jd)

References

Details

cturra, in the dev/stage/prod deployments of webpagemaker, we'd like to enforce VPN-only access to anything under the '/admin/' path of the app, in keeping with the secure coding guidelines [1]. Can you do this for us?

[1] https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Admin_Login_Pages
look at firefoxflicks allow setup as an example
Assignee: server-ops → jcrowe
Corey, are you asking me to look at flicks allow setup, or are you asking an ops person to look at something? Let me know if there's anything I should do on my end... Thanks!
Atul,

This was a note for IT.

I do need to ask you a question however.  Typically we only put prod behind the ssl vpn and then we put dev and stage behind Apache auth.  This is generally sufficient as there is not supposed to be any sensitive data on dev or stage.  I intend to set this up in this manner unless you have a reason not to.

Please let me know.

Regards
Sure, that sounds great Jason! Just let me know what you set the apache auth to, since we don't currently have apache auth set up on dev and stage.
(In reply to Atul Varma [:atul] from comment #0)
> cturra, in the dev/stage/prod deployments of webpagemaker, we'd like to
> enforce VPN-only access to anything under the '/admin/' path of the app, in
> keeping with the secure coding guidelines [1]. Can you do this for us?
> 
> [1]
> https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Admin_Login_Pages

I will need the url for the production site.  It is not clear from the configs I have been digging through and I don't want to set this up on the incorrect site.

Thanks
Status: NEW → ASSIGNED
Production site will be thimble.webmaker.org
I see, I am unable to resolve this in DNS, I guess you are aware of that.  I will set up a DNS entry for thimble-admin.webmaker.org FYI.  This will not be accessible from off VPN, but something is necessary for the VPN app to look up against and the Apache vhost to match against.  I mention this as the DNS name will not be available for other use.  I will set this up in the morning unless I hear any objection to the name.

Regards
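The split described in the comments above (the production admin reachable only over the VPN on its own hostname, dev and stage behind Apache basic auth) sketched as an Apache 2.4 configuration. This is an added example, not the configuration from this bug or the actual vhost files of the deployment; the VPN address range, the load balancer address, the file paths and the dev hostname are assumptions, and it uses the 2.4 `Require` syntax rather than the 2.2 `Order`/`Allow` directives that would have been current at the time.

```apache
# Added example, not the original deployment's configuration.
# Assumption: VPN clients arrive from 10.22.0.0/16 (placeholder range).
# TLS directives (SSLEngine, certificate paths) are omitted for brevity;
# basic auth must only ever be served over HTTPS.

# Public production hostname: nothing under /admin/ is served here at all.
<VirtualHost *:443>
    ServerName thimble.webmaker.org
    DocumentRoot /var/www/webpagemaker        # assumed path

    <Location "/admin/">
        Require all denied
    </Location>

    # ... WSGI / proxy directives for the rest of the app ...
</VirtualHost>

# Admin-only hostname (resolves only inside the VPN, as in the bug):
# same application, but /admin/ is allowed only from VPN source addresses.
<VirtualHost *:443>
    ServerName thimble-admin.webmaker.org
    DocumentRoot /var/www/webpagemaker        # assumed path

    # If Apache sits behind a load balancer, the client address it sees is
    # the balancer's. mod_remoteip must be told which proxy is trusted so
    # that "Require ip" tests the real client address and not a header an
    # outside client could set itself.
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.0.1.5            # assumed balancer address

    <Location "/admin/">
        Require ip 10.22.0.0/16
    </Location>
</VirtualHost>

# Dev/stage hostname: no VPN requirement, but /admin/ sits behind HTTP
# basic auth. The htpasswd file is created out of band, e.g.
#   htpasswd -c /etc/httpd/conf/admin.htpasswd <user>
<VirtualHost *:443>
    ServerName thimble-dev.webmaker.org       # assumed dev hostname
    DocumentRoot /var/www/webpagemaker        # assumed path

    <Location "/admin/">
        AuthType Basic
        AuthName "webpagemaker admin (dev)"
        AuthUserFile /etc/httpd/conf/admin.htpasswd   # assumed path
        Require valid-user
    </Location>
</VirtualHost>
```

`apachectl configtest` checks the syntax; to confirm the intent, request `/admin/` on the public hostname (expect 403) and on the admin hostname from a client outside the VPN range (expect 403) and from a VPN client (expect the Django admin login page).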
Hmm.  I don't care about the name, your choice is fine.  I'm a bit concerned that having admin on a different domain than prod may not be compatible w/ BrowserID sign-in, but maybe I'm totally off base.  I guess we'll find out tomorrow =).
Depends on: 759793
This is finished, let me know how you want me to give you the apache auth password for dev and stage, prod is working through VPN.

Regards
Thanks Jason, can you just email the apache auth passwords?
Sent,

Let me know if you need anything further.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Thanks Jason!

Er, just one more thing... we don't actually have any django admin *users* on dev or staging yet, in part because we don't actually support any kind of login for normal users yet. Would it be possible for you to create admin users for both instances (using "manage.py createsuperuser") with the same credentials that you emailed me? Or should I file a new bug for that?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Actually, for that matter, can you also create a superuser with the same username and password on the production instance, too?
Atul,

I have created the users as you requested.  All 3 are breaking with the CSRF token error.  I enabled debugging on the dev instance to aid in troubleshooting the problem.  Additionally I added the SITE_URL variable to the settings on dev, I could not remember if this was part of the issue but it did not fix it so I guess not.

Please let me know if you need any further action from me.

Regards
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard