From ec23aaf08a05eb26e78a4e0294b603c188eda11d Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Thu, 5 Mar 2015 00:41:37 +0000
Subject: [PATCH] Allow direct varnish access for internal hosts

This allows internal that are in the purge acl to issue purge requests. Apache won't forward purge, since it doesn't know what that is.
---
 inventory/group_vars/proxies | 6 +++++-
 inventory/group_vars/proxies-stg | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 3953b71e5a..c86440a74d 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -34,10 +34,14 @@ custom_rules: [
   '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
   '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
 
-  # only allow varnish from localhost
+  # allow varnish from localhost
   '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
   '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
 
+  # also allow varnish from internal for purge requests
+  '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
+  '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
+
   # Allow koschei.cloud to talk to the inbound fedmsg relay.
   '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
   # Allow jenkins.cloud to talk to the inbound fedmsg relay.
diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg
index 1b8fef2de4..2520ff1d48 100644
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
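Review bot: The two added `-s 192.168.1.0/24` and `-s 10.5.126.0/24` ACCEPT rules on port 6081 admit every host on those subnets, which is broader than the "hosts in the purge acl" the commit message describes; the proxies-stg hunk adds the same two rules. After this change the firewall no longer limits who can reach varnish, so the only thing stopping an arbitrary internal host from issuing PURGE is varnish's own purge ACL, and that dependency should be stated next to the rules, e.g. `# also allow varnish from internal subnets for purge requests; varnish's purge acl decides which hosts may actually PURGE`. If the purging hosts are a small fixed set, per-host `-s` rules like the 873 rules just above would keep the iptables allow-list and the varnish ACL aligned and make a later ACL edit harder to forget here. The 6082 rule (presumably the varnish management interface) stays localhost-only, which is worth keeping that way.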
@@ -33,10 +33,14 @@ custom_rules: [
   '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
   '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
 
-  # only allow varnish from localhost
+  # allow varnish from localhost
   '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
   '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
 
+  # also allow varnish from internal for purge requests
+  '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
+  '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
+
   # Allow koschei.cloud to talk to the inbound fedmsg relay.
   '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
   # Allow jenkins.cloud to talk to the inbound fedmsg relay.