Page MenuHomePhabricator
Create Task
Maniphest T281320

Network configuration for Civiproxy
Closed, ResolvedPublic
Actions

Description

We need firewall config and server config to allow frdata (email-pref-center-wiki) web servers (but not the internet at large) to make requests to the civicrm hosts on the port which will serve civiproxy

Can payments servers just make the requests to civicrm.wikimedia.org, or is there a different alias they should use internally?

FR-Tech-Ops Notes:

  • civiproxy will be exposed internally as https://{civicrm app server fqdn}:442 - this configuration should come from puppet not localsettings
  • [need to confirm this] it will be accessible only to donorwiki running on the frdata server role
  • civiproxy service needs access to redis on frqueue server role
  • civiproxy service needs access to civicrm on localhost/loopback (this is relevant for container/firejail)

Related Objects
Search...

Event Timeline

Ejegg created this task.Apr 27 2021, 9:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 27 2021, 9:53 PM
Ejegg added a project: FR-email-preferences.Apr 27 2021, 10:04 PM
Jgreen added a parent task: T125272: Epic: Create Preference Center for donors to manage email subscription preferences.Apr 29 2021, 1:31 PM
Jgreen subscribed.Apr 29 2021, 1:44 PM

@Ejegg As far as I know the only server/service planned to access civiproxy is donorwiki, which will run on the frdata servers. Is that what this task is about, and not payments servers?

Jgreen moved this task from Triage to Up Next on the fundraising-tech-ops board.Apr 29 2021, 1:47 PM
Jgreen mentioned this in T268499: Configure CiviProxy vhost and firewall to allow requests from email prefs box.Apr 29 2021, 2:06 PM
Jgreen updated the task description. (Show Details)Apr 29 2021, 2:13 PM
Dwisehaupt moved this task from Up Next to In Progress on the fundraising-tech-ops board.May 4 2021, 5:36 PM
Dwisehaupt claimed this task.May 5 2021, 12:32 AM
Ejegg updated the task description. (Show Details)May 5 2021, 5:15 PM
In T281320#7045675, @Jgreen wrote:

@Ejegg As far as I know the only server/service planned to access civiproxy is donorwiki, which will run on the frdata servers. Is that what this task is about, and not payments servers?

Oops, yep, that's the one. I had momentarily forgotten that email pref center was a separate wiki when I wrote this task. Updated!

Dwisehaupt closed this task as Resolved.May 6 2021, 4:05 PM
Dwisehaupt moved this task from In Progress to Done on the fundraising-tech-ops board.

All of the iptables and pfw rules have been pushed. Basic connectivity verified. On to testing all the functionality.

ayounsi closed subtask T282286: Deploy pfw policy1620422079 for T268501 and T281320 as Resolved.May 10 2021, 8:40 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits