Add bookmark for *NEW* input admin site to ssl vpn portal

RESOLVED WONTFIX

Status

Infrastructure & Operations
NetOps
RESOLVED WONTFIX
5 years ago
5 years ago

People

(Reporter: cturra, Assigned: adam)

Tracking

Details

(Reporter)

Description

5 years ago
can i please have a link added to vpn.mozilla.com for:

  http://input-admin.mozilla.org:81/admin/


this should direct you to the django admin login page for the *new* input cluster.
(Assignee)

Updated

5 years ago
Assignee: network-operations → adam
(Assignee)

Comment 1

5 years ago
The link has been added to the vpn web interface. Please verify.

Regards,

-Adam
(Reporter)

Comment 2

5 years ago
as discussed on irc, i am seeing the following error connecting to input-admin over the ssl vpn:

 Cannot access the Web site. Please check your proxy settings. Made http request for GET /admin/ HTTP/1.1 to input-admin.mozilla.org:81. The URL you entered is incorrect or the Web site is not accessible. Administrator: Please make sure that the DNS Domain information is entered correctly. Made http request for GET /admin/ HTTP/1.1 to input-admin.mozilla.org:81. 


i did double check dns:

$ dig +noauthority +noadditional input-admin.mozilla.org

; <<>> DiG 9.7.6-P1 <<>> +noauthority +noadditional input-admin.mozilla.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32930
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;input-admin.mozilla.org.	IN	A

;; ANSWER SECTION:
input-admin.mozilla.org. 300	IN	CNAME	input1.webapp.phx1.mozilla.com.
input1.webapp.phx1.mozilla.com.	300 IN	A	10.8.81.177

;; Query time: 93 msec
;; SERVER: 10.8.75.21#53(10.8.75.21)
;; WHEN: Fri Mar 22 15:50:37 2013
;; MSG SIZE  rcvd: 203


... and curl(ing) the site outside of the ssl vpn returns a 403 as i would expect:

$ curl -I http://input-admin.mozilla.org:81/admin
HTTP/1.1 403 Forbidden
Date: Fri, 22 Mar 2013 22:51:20 GMT
Server: Apache
X-Backend-Server: input1.webapp.phx1.mozilla.com
Content-Type: text/html; charset=iso-8859-1
(Assignee)

Comment 3

5 years ago
I've tried copying previously working links and modifying them to no avail. In certain configurations the SSL VPN tries to force using SSL on the back end. In others, SSL is bypassed but I get the same forbidden message shown above.
:cturra, is there something different about this app in comparison to other apps like firefox flicks admin ui? When I log in, not via vpn to that URL, I get a 301 to https://input-admin.mozilla.org:81/en-US/?next=/admin/ which is trying to negotiate SSL over a non SSL enabled port.  Thats why the VPN link is failing.  Once the 301 to to https is resolved, this will be functional.
Flags: needinfo?(cturra)
(Reporter)

Comment 5

5 years ago
there is no redirect on the apache side that would do this. i am going to have to defer to :willkg (added as a /cc to this bug) to see if maybe that is done within the application?
Flags: needinfo?(cturra) → needinfo?(willkg)
I'm a little fuzzy as to what you're doing. We handle authentication (aka login) with Persona. We don't use the /admin login form. If you go to /admin without being logged in, then you get redirected to the configured login page--which is the front page. That's clearly not working here, but it doesn't matter since no one is going to log in that way.

I'm also fuzzy on what https://input-admin.mozilla.org/ has to do with anything. If the plan is to have input.mozilla.org/admin redirect to input-admin.mozilla.org/admin and the protection is done there, that's not going to work because the configuration won't support it.
Flags: needinfo?(willkg)
(Reporter)

Comment 7

5 years ago
input-admin.mozilla.org is a domain that will only resolve internally to allow us to skip around the ssl termination on our load balancers. essentially is resolves directly to one of the web nodes to serve the /admin content ONLY. 

since the admin login uses persona, unlike other sites that use this ssl vpn, i don't know if it's going to be possible. we might need to live with it behind LDAP like we setup last night.
(In reply to Chris Turra [:cturra] from comment #7)
> since the admin login uses persona, unlike other sites that use this ssl
> vpn, i don't know if it's going to be possible. we might need to live with
> it behind LDAP like we setup last night.

According to the secure coding guidelines[1], the goal of putting /admin/ on the VPN is to prevent brute-force attacks.

But we don't log in through /admin/, we log in via Persona. So putting hiding /admin/ behind the VPN doesn't do anything to mitigate brute-force attacks.

(The guidelines also say using the VPN is the "most popular option" but no one seems to actually use this option, so I'm confused by that.)

These guidelines were written before Persona. I think this is a bigger conversation and, recognizing that :adam in particular has put a bunch of work in already, I think we should live with the LDAP setup we have now, as Chris says in comment 7. At least for the time being.

[1] https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Admin_Login_Pages
I'm game for leaving it as is given that it's ok with sec folks who raised the issue originally.

I'm game for marking this as WONTFIX.

Thank you both for putting all the effort into it!
(Reporter)

Comment 10

5 years ago
i agree with you :willkg. after speaking with :adam about this on irc, i am going to mark this bug as r/wontfix.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → Infrastructure & Operations
You need to log in before you can comment on or make changes to this bug.