Closed Bug 920115 Opened 11 years ago Closed 11 years ago

VPN ACL request for RelEng to access aus4-admin.mozilla.org and aus4-admin.allizom.org

Categories

(Infrastructure & Operations :: Infrastructure: OpenVPN, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Assigned: jabba)

References

Details

This is a newly set-up host that RelEng will need to be able to access over https to admin the new update server.
I've added the ACLs for 10.8.81.20 and 10.8.81.74 to the vpn_releng group, but note that the .mozilla.org and .allizom.org names might have difficulty being resolved in certain VPN client configurations, if they are doing per-domain resolution (similar to the ship-it hosts). I'd recommend keeping public names with public IPs and using internal names internally to avoid this (both for these as well as the ship-it hosts), not sure who to have review and make that change though.
Assignee: infra → jdow
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
(In reply to Justin Dow [:jabba] from comment #1)
> I've added the ACLs for 10.8.81.20 and 10.8.81.74 to the vpn_releng group,
> but note that the .mozilla.org and .allizom.org names might have difficulty
> being resolved in certain VPN client configurations, if they are doing
> per-domain resolution (similar to the ship-it hosts).

WFM now. I had someone on Mac test too (which does do per-domain resolution, I think), and it worked for him too.

> I'd recommend keeping
> public names with public IPs and using internal names internally to avoid
> this (both for these as well as the ship-it hosts), not sure who to have
> review and make that change though.

Internal IPs are actually a security requirement. From my point of view, I don't see why we couldn't use a hostname that makes more sense for you and your systems. I'll put that on my list to revisit in the near future.
Yeah, if internal IPs are a requirement, then I'd suggest internal naming schema, although a public IP that is firewalled/ACL'd to only allow VPN clients would be an option as well in most cases. If it is working for you though, then we can definitely revisit it later than sooner.
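The per-domain (split) resolution problem discussed in the comments above, modelled as an added example; this is not code from the bug or from Mozilla's VPN setup. The two host addresses and the vpn_releng host ACL are taken from the bug; the VPN domain lists, the resolver answer tables and the third host are constructed for the example.

```python
import ipaddress

# Constructed: answers the VPN-side resolver gives (internal zone data).
# The first two addresses are the ones added to the vpn_releng ACL in this
# bug; the third host is made up to show a name that resolves but is denied.
VPN_DNS = {
    "aus4-admin.mozilla.org": "10.8.81.20",
    "aus4-admin.allizom.org": "10.8.81.74",
    "other-admin.mozilla.org": "10.8.81.99",
}
# Constructed: answers the client's normal (public) resolver gives.
PUBLIC_DNS = {"www.mozilla.org": "203.0.113.10"}

# Host ACL from the bug: vpn_releng may reach exactly these two addresses.
VPN_RELENG_ACL = [ipaddress.ip_network("10.8.81.20/32"),
                  ipaddress.ip_network("10.8.81.74/32")]
# RFC 1918 ranges: an answer outside these is not reached over the VPN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolver_for(hostname, vpn_domains):
    """Per-domain rule: names under a configured VPN domain go to the VPN
    resolver; every other name goes to the client's public resolver."""
    host = hostname.rstrip(".").lower()
    for domain in vpn_domains:
        suffix = domain.strip(".").lower()
        if host == suffix or host.endswith("." + suffix):
            return "vpn"
    return "public"

def check_access(hostname, vpn_domains, acl=VPN_RELENG_ACL):
    """Return (status, ip): 'nxdomain' (the resolver chosen by the split-DNS
    rule has no record), 'public' (not an internal address, so the VPN is
    not involved), 'denied' (internal address outside the ACL) or 'ok'."""
    name = hostname.rstrip(".").lower()
    which = resolver_for(name, vpn_domains)
    # Simplification: a real VPN resolver usually forwards unknown names
    # upstream; this model answers only from its own zone data.
    ip = (VPN_DNS if which == "vpn" else PUBLIC_DNS).get(name)
    if ip is None:
        return ("nxdomain", None)
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in INTERNAL_NETS):
        return ("public", ip)
    if not any(addr in net for net in acl):
        return ("denied", ip)
    return ("ok", ip)
```

A client whose per-domain list contains only mozilla.com sends the aus4-admin.mozilla.org query to the public resolver and gets NXDOMAIN, which is the failure the first comment warns about; adding mozilla.org and allizom.org to the list (or using internal names under a VPN domain) makes the same name resolve and pass the ACL.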