From b6eb15c0eebbe69032369aaffb4a3971c6fdb922 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Fri, 17 Jun 2016 19:52:31 +0000
Subject: [PATCH] Create mm-frontend-checkin01

This server should be regarded as untrusted.

Related: CVE-2016-1000003
Signed-off-by: Patrick Uiterwijk
---
...m-frontend-checkin01.phx2.fedoraproject.org | 17 +++++++++++++++++
.../mm-frontend01.phx2.fedoraproject.org | 1 +
.../mm-frontend01.stg.phx2.fedoraproject.org | 1 +
.../mm-frontend02.phx2.fedoraproject.org | 1 +
inventory/inventory | 1 +
.../frontend2/templates/mirrormanager.conf | 8 ++++++++
.../frontend2/templates/mirrormanager2.cfg | 18 ++++++++++++++----
...m-frontend-checkin01.phx2.fedoraproject.org | 1 +
8 files changed, 44 insertions(+), 4 deletions(-)
create mode 100644 inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
create mode 100644 roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org

diff --git a/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org b/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
new file mode 100644
index 0000000000..12f94160bf
--- /dev/null
+++ b/inventory/host_vars/mm-frontend-checkin01.phx2.fedoraproject.org
@@ -0,0 +1,17 @@
+---
+lvm_size: 20000
+mem_size: 8192
+num_cpus: 2
+nm: 255.255.255.0
+gw: 10.5.126.254
+dns: 10.5.126.21
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-rhel-7
+ks_repo: http://10.5.126.23/repo/rhel/RHEL7-x86_64/
+volgroup: /dev/vg_guests
+eth0_ip: 10.5.126.187
+vmhost: virthost02.phx2.fedoraproject.org
+datacenter: phx2
+
+tcp_ports: [ 80, 443 ]
+
+mm2_checkin: true
diff --git a/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org b/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
index d0d5cdbd43..10ada80ce7 100644
--- a/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend01.phx2.fedoraproject.org
@@ -14,3 +14,4 @@ datacenter: phx2
 tcp_ports: [ 80, 443 ]
+mm2_checkin: false
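Review bot: The new host_vars file records nothing about the trust boundary the commit message describes; `mm2_checkin: true` is the only thing distinguishing this VM from the other two frontends, and nothing says why it exists or that it must not be trusted. A one-line comment above the flag, e.g. `# Serves only mirror checkins; regarded as untrusted (CVE-2016-1000003)`, would stop the next person from copying these vars onto a trusted frontend or flipping the flag elsewhere without understanding the consequences. Keep the flag a bare YAML boolean everywhere it is set: both templates test it with `{% if mm2_checkin %}`, and a quoted `"false"` is a non-empty string that Jinja treats as true, which would silently grant the checkin path and swap in the weak secrets on a trusted host.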
diff --git a/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org b/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
index 9289bf5da6..ba9a3a808d 100644
--- a/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend01.stg.phx2.fedoraproject.org
@@ -14,3 +14,4 @@ datacenter: phx2
 tcp_ports: [ 80, 443 ]
+mm2_checkin: true
diff --git a/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org b/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
index d8caa83cf5..2f99b1a9c1 100644
--- a/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
+++ b/inventory/host_vars/mm-frontend02.phx2.fedoraproject.org
@@ -14,3 +14,4 @@ datacenter: phx2
 tcp_ports: [ 80, 443 ]
+mm2_checkin: false
diff --git a/inventory/inventory b/inventory/inventory
index dbc90f2d5c..124bfe8f75 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -439,6 +439,7 @@ mirrorlist-phx2.stg.phx2.fedoraproject.org
 [mm-frontend]
 mm-frontend01.phx2.fedoraproject.org
 mm-frontend02.phx2.fedoraproject.org
+mm-frontend-checkin01.phx2.fedoraproject.org
 [mm-backend]
 mm-backend01.phx2.fedoraproject.org
diff --git a/roles/mirrormanager/frontend2/templates/mirrormanager.conf b/roles/mirrormanager/frontend2/templates/mirrormanager.conf
index 06e1181de5..27c90767de 100644
--- a/roles/mirrormanager/frontend2/templates/mirrormanager.conf
+++ b/roles/mirrormanager/frontend2/templates/mirrormanager.conf
@@ -13,6 +13,14 @@ WSGIPythonOptimize 1
 WSGIScriptAlias /mirrormanager /var/www/mirrormanager2.wsgi
+
+{% if mm2_checkin %}
+ Require all granted
+{% else %}
+ Require all denied
+{% endif %}
+
+
 WSGIProcessGroup mirrormanager
diff --git a/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg b/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
index 26abf33957..4f8f90ccd1 100644
--- a/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
+++ b/roles/mirrormanager/frontend2/templates/mirrormanager2.cfg
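Review bot: Setting `mm2_checkin: true` on mm-frontend01.stg makes the single staging frontend both the checkin host and the ordinary web frontend, so the `{% if mm2_checkin %}` branch of mirrormanager2.cfg will hand the whole staging application `SECRET_KEY = 'invalid'` and `PASSWORD_SEED = 'invalid'` while the Apache hunk in this patch restricts only the checkin path on the hosts where the flag is false. If staging is expected to exercise logins or anything else that signs sessions or CSRF tokens, those are then signed with a constant that is readable in this repository. Either give staging the same split as production, or gate the weak secrets on a separate variable from the checkin allow rule (e.g. `mm2_checkin_only`) so that a host that is both never ends up with the placeholder key.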
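Review bot: Adding mm-frontend-checkin01 to the existing `[mm-frontend]` group puts a host the commit message calls untrusted into the same group, and therefore the same group_vars and role runs, as the two trusted frontends. Only the two templates changed in this patch branch on `mm2_checkin`; anything else the frontend role delivers to the group (TLS keys, message-bus credentials, the regular DB password in group_vars — none of which is visible here, so confirm against the role) would presumably be copied to the untrusted box unchanged. A dedicated `[mm-frontend-checkin]` group, or a `when: not mm2_checkin` on the tasks that ship secrets, would make the boundary explicit in the inventory rather than implicit in two templates.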
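Review bot: The new allow/deny block only withdraws the checkin endpoint from the two regular frontends; on the checkin host it grants that path but leaves the unconditional `WSGIScriptAlias /mirrormanager /var/www/mirrormanager2.wsgi` serving the entire application, so the host described as untrusted still exposes every other route of MirrorManager, backed by the checkin DB role and (per the cfg hunk) a fixed `SECRET_KEY`. The mirror image is worth adding on the checkin host: deny everything under `/mirrormanager` and grant only the checkin path, so a compromise of that box or its DB credential cannot be turned around into access to the rest of the app. The container directive enclosing the `Require` lines (presumably a `<Location>`) has been stripped from this rendering, so the exact scope cannot be checked here; a comment such as `# Only the dedicated checkin host answers mirror checkins (CVE-2016-1000003)` above the block would also record why the two host types differ.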
@@ -8,20 +8,30 @@ MirrorManager2 sample configuration.
 # Most important configuration items
 ###
-
-# url to the database server:
-DB_URL='postgresql://{{ mirrormanager_db_user }}:{{ mirrormanager_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
-
 # the number of items to display on the search pages
 # Default: ``50``.
 ITEMS_PER_PAGE = 50
+
+{% if mm2_checkin %}
+# url to the database server:
+DB_URL='postgresql://{{ mirrormanager_checkin_db_user }}:{{ mirrormanager_checkin_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
+
+# The checkin server does not use the secret key or password secret. Let's not leak it.
+SECRET_KEY = 'invalid'
+PASSWORD_SEED = 'invalid'
+
+{% else %}
+# url to the database server:
+DB_URL='postgresql://{{ mirrormanager_db_user }}:{{ mirrormanager_db_pass }}@{{ mirrormanager_db_host }}/{{ mirrormanager_db_name }}'
+
 # secret key used to generate unique csrf token
 SECRET_KEY = '{{ mirrormanager_secret_key }}'
 # Seed used to make the password harder to brute force in case of leaking
 # This should be kept really secret!
 PASSWORD_SEED = "{{ mirrormanager_password_seed }}"
+{% endif %}
 # Make browsers send session cookie only via HTTPS
 SESSION_COOKIE_SECURE=True
diff --git a/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org b/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org
new file mode 100644
index 0000000000..84e33f9dee
--- /dev/null
+++ b/roles/openvpn/server/files/ccd/mm-frontend-checkin01.phx2.fedoraproject.org
@@ -0,0 +1 @@
+ifconfig-push 192.168.100.11 192.168.100.11
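Review bot: `SECRET_KEY = 'invalid'` and `PASSWORD_SEED = 'invalid'` are fixed, public values rather than absent ones: if any session- or CSRF-bearing route of the Flask app is reachable on the checkin host (the Apache hunk in this patch restricts only the checkin path, and only on the other frontends), a session cookie can be forged with a key anyone can read in this repository. If the checkin host truly never needs them, a per-host random value from a vault variable, e.g. `SECRET_KEY = '{{ mirrormanager_checkin_secret_key }}'`, costs nothing and removes the shared constant; at minimum replace the "Let's not leak it" comment with the actual assumption, `# Placeholder: this host must serve no route that signs sessions or CSRF tokens`. Note also that `mirrormanager_checkin_db_user` and `mirrormanager_checkin_db_pass` are not defined anywhere in this patch, so the deploy depends on them existing in group_vars or a vault, and the value of the change rests on that Postgres role carrying only the grants a checkin needs — neither is visible here.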
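Review bot: Pushing a fixed VPN address to a host the commit describes as untrusted gives it a stable foothold on the 192.168.100.0/24 side of the tunnel, and nothing in this patch limits what it may reach from there; the ccd entry itself is fine, but the VPN-side firewall rules (not in this patch) should allow that client only the traffic a checkin needs, presumably the database host. Recording the intent in the file with `# untrusted checkin frontend: restrict what this client can reach over the VPN` above `ifconfig-push 192.168.100.11 192.168.100.11` would keep a later cleanup from treating it like the other frontends.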