Page MenuHomePhabricator

Icinga check for CAS-protected web services
Closed, ResolvedPublic

Description

We currently have a few web services behind LDAP auth which deploy an Icinga check whether the endpoint is protected by LDAP (implemented via the check_https_unauthorized Icinga check which checks for a 401 response).

We should create a similar Icinga check CAS-projected end points, it could e.g. that accessing the protected endpoint triggers an 301 TLS redirect to the IDP login page.

This could be added via a dedicated profile (which in turn could be added to profile::idp::client::http, so that the check is added by default).

Related Objects

StatusSubtypeAssignedTask
OpenNone
Resolvedjbond

Event Timeline

chasemp moved this task from Incoming to Watching on the Security-Team board.

Change 583078 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::idp::client::httpd: add check for sso redirect

https://gerrit.wikimedia.org/r/583078

Change 583078 merged by Jbond:
[operations/puppet@production] profile::idp::client::httpd: add check for sso redirect

https://gerrit.wikimedia.org/r/583078

jbond claimed this task.

This is now in place, resolving