Closed
Bug 887600
Opened 12 years ago
Closed 12 years ago
Review request: Persona auth'd reverse proxy to our production Persona availability and performance monitoring
Categories
(Security Assurance :: General, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gene, Unassigned)
Details
We currently monitor our AWS-hosted production Persona sites using two pieces of software:
* OpsView for availability monitoring
* Graphite for performance monitoring
These monitoring services are hosted on internal instances inside our production VPCs.
In order to give identity developers and services ops the ability to access these services, I've made an authenticated Apache httpd reverse proxy to them, which will run on our publicly facing bastion hosts:
https://github.com/mozilla/identity-ops/commit/dd9abac15b9eb3f23ac1f77732a72fda35a4bb83
Currently, while waiting for someone to review this, I am blocking web access from the internet using security groups.
With web access enabled the path looks like this:
* User browses to a bastion host (e.g. http://monitor.admin.us-west-2.persona.org/ or http://perf.admin.us-east-1.persona.org, etc.)
* Apache responds and requires that the user authenticate using Persona
* The user logs in using persona with an email address
* If that email address is not in the allowed users list (https://github.com/mozilla/identity-ops/blob/dd9abac15b9eb3f23ac1f77732a72fda35a4bb83/chef/cookbooks/persona-admin/files/default/var/www/mod_browserid_users), the user gets an Apache 403
* If the user is in the allowed list, a session cookie is set and mod_browserid allows Apache to reverse proxy the request to the backend OpsView or Graphite server
In the case of Graphite, there is no further authentication. This interface is a read-only interface to graphs of performance data.
In the case of OpsView, the user then logs into OpsView with a shared account (user: identity, password: identity) that grants them read permissions on the monitoring UI.
I'd like to get Security Assurance's thoughts on this model. Some things specifically that I'd like to know:
* risk level of running an Apache httpd 2.2.15 server publicly on the internet
* any issues with not using HTTPS (the only reason I'm using HTTP is a lack of certs)
* any issues with using a domain name within the persona.org zone. This is probably something I'll direct more towards identity developers, but it relates to cookie domains.
* any issues with the dual purpose of the systems that this reverse proxy would live on. These hosts are bastion hosts and can initiate SSH connections to internal VPC hosts. I've put this reverse proxy service on the bastion hosts to avoid having to spin up/manage/pay for additional hosts. The security issue that comes to mind is that if Apache gets compromised, these hosts could be used as a jumping-off point to attack internal hosts (over SSH).
* any issues with using mod_browserid
I'm open to whatever venue is best to work on this: a meeting/discussion, some other formal method I don't know about, this ticket, email, etc.
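The access-control gate described in the request, modelled in Python as an added illustration (this is not code from the identity-ops repository or from mod_browserid): an address is accepted only if it appears in the static allowlist, an accepted login receives an HMAC-signed session cookie carrying the address and an expiry, and each later request is forwarded to the backend only if the cookie verifies. The allowlist text, the secret and the email addresses are constructed for the example; re-checking the allowlist on every proxied request (so that removing an address also ends existing sessions) is an assumption added here, not something the description says mod_browserid does.

```python
import base64
import hashlib
import hmac
import time

# Constructed stand-in for the mod_browserid_users file referenced in the bug.
ALLOWLIST_TEXT = """\
# one email address per line; blank lines and comments are ignored
alice@example.com
bob@example.com
"""

# Constructed per-deployment secret; in practice it is read from configuration
# and never committed alongside the cookbook.
SECRET = b"constructed-example-secret-do-not-reuse"


def load_allowlist(text):
    """Parse the allowlist file into a set of lower-cased addresses."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line.lower())
    return users


def _sign(payload, secret):
    """HMAC-SHA256 over the raw cookie payload, hex encoded."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def gate_login(email, allowlist, secret, now=None, ttl=3600):
    """Step taken after the Persona login completes.

    Returns (403, None) unless the verified email is on the allowlist,
    otherwise (200, cookie) where cookie = base64("email|expiry") + "." + HMAC.
    """
    now = int(time.time() if now is None else now)
    email = email.lower()
    if email not in allowlist:
        return 403, None
    payload = f"{email}|{now + ttl}".encode()
    cookie = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, secret)
    return 200, cookie


def proxy_request(cookie, allowlist, secret, now=None):
    """Per-request check before forwarding to OpsView/Graphite.

    Returns "proxy" only if the cookie is well formed, its signature verifies
    (constant-time compare), it has not expired, and its subject is still on
    the allowlist (added hardening assumption); otherwise 403.
    """
    now = int(time.time() if now is None else now)
    if not cookie or "." not in cookie:
        return 403
    b64, sig = cookie.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return 403
    if not hmac.compare_digest(_sign(payload, secret), sig):
        return 403
    try:
        email, expiry = payload.decode().split("|", 1)
        expiry = int(expiry)
    except ValueError:
        return 403
    if now >= expiry or email not in allowlist:
        return 403
    return "proxy"


if __name__ == "__main__":
    allow = load_allowlist(ALLOWLIST_TEXT)
    status, cookie = gate_login("Alice@example.com", allow, SECRET)
    print(status, proxy_request(cookie, allow, SECRET))          # 200 proxy
    print(gate_login("mallory@example.com", allow, SECRET)[0])   # 403
```

The signed cookie is what lets the proxy skip re-running the Persona login on every request; the value that must stay secret is the HMAC key on the proxy host, which is one reason the request's question about hosting this on the bastion hosts matters.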
Comment 1 (Reporter) • 12 years ago
Met up with Guillaume and came up with the following:
* I'll move this reverse proxy interface off of the bastion hosts and onto their own instances
* I'll change to using HTTPS and get Mozilla-CA-issued certs
* I'll continue to use a static list of user email addresses, and once the Mozilla IdP is live later this week, Mozilla users on the list who leave the company will no longer be able to auth and get to the monitoring
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 2 (Reporter) • 12 years ago
This has been completed and deployed.
Updated (Assignee) • 10 years ago
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security