From 7481741f95e591727b2dee0e58c31d68f58c5359 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 14:33:34 +0100
Subject: [PATCH 1/2] denc-webcluster: allow http(s) publicly

Public firewall rules were missing from initial import.

Signed-off-by: Georg Pfuetzenreuter
---
 pillar/cluster/denc/web-proxy.sls | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 923369e..41c78d2 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -204,3 +204,10 @@ nginx:
 - proxy_busy_buffers_size: 512k
 - error_log: /var/log/nginx/libsso_public.error.log
 - access_log: /var/log/nginx/libsso_public.access.log combined
+
+firewalld:
+ zones:
+ public:
+ services:
+ - http
+ - https

From 533aedd864fce377ee4cc543bad5edcf4ef6acf3 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 14:37:45 +0100
Subject: [PATCH 2/2] denc-webcluster: enable keepalived script security

Prevent script tampering.

Signed-off-by: Georg Pfuetzenreuter
---
 pillar/cluster/denc/web-proxy.sls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 41c78d2..2e8859d 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -15,6 +15,7 @@ keepalived:
 smtp_server: {{ mailer }}
 smtp_connect_timeout: 30
 router_id: SSO_FO
+ enable_script_security: true
 vrrp_script:
 check_nginx_port:
 script: '"/usr/bin/curl -kfsSm2 https://[::1]:443"'
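Review bot: The `public` zone now admits plain `http` alongside `https`, but nothing in the hunk records why port 80 has to be reachable; the only listener evidence on the page is the keepalived health check in the second patch, which probes `https://[::1]:443` only. If port 80 exists solely to redirect to 443 or to answer ACME HTTP-01 challenges, a YAML comment above `- http` such as `# port 80: <reason it must stay open, e.g. redirect to 443>` would keep a later cleanup from dropping it, and if no nginx server block listens on 80 the entry is better left out. Whether `public` is the firewalld zone actually bound to the interface that carries the VRRP address cannot be confirmed from the hunk, so that mapping is worth checking against the firewalld formula or the host's zone assignment. The `firewalld` stanza is a new top-level key appended after the `nginx` block and does not overlap the keepalived section touched by the second patch.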
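Review bot: `enable_script_security: true` on its own only makes keepalived refuse to execute a script whose path is writable by a non-root user; as I read keepalived.conf(5), it does not change the user the `check_nginx_port` curl below runs as, which stays root unless a `script_user` is set or a `keepalived_script` account exists on the host. If the intent of "prevent script tampering" includes running the check unprivileged, add `script_user: keepalived_script` (or whatever user the formula provisions) next to this line and make sure that account exists, since the formula's handling of a missing user is not visible here. Whether the formula renders this key into `global_defs`, where keepalived expects it, is not shown by the hunk either and should be confirmed against the generated keepalived.conf. The `keepalived` stanza and its `vrrp_script` section continue outside the hunk.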