mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-15 19:32:40 +01:00
fa7bb8ff7a
Summary:
Ref T2783. Ref T6706.

- Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts.
- When we receive a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it.
  - This provides a general layer of security for these mechanisms.
  - In particular, it means they do not work by default on unconfigured hosts.
- When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it.
  - This provides a general layer of security for getting the Ops side of cluster configuration correct.
  - If cluster nodes have public IPs and are listening on them, we'll reject requests.
  - Basically, this means that any requests which bypass the LB get rejected.

Test Plan:
- With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism.
- With addresses configured wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster.
- With addresses configured correctly, made valid requests.

Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley
Maniphest Tasks: T6706, T2783
Differential Revision: https://secure.phabricator.com/D11159
58 lines
1.7 KiB
PHP
<?php

final class PhabricatorClusterConfigOptions
  extends PhabricatorApplicationConfigOptions {

  public function getName() {
    return pht('Cluster Setup');
  }

  public function getDescription() {
    return pht('Configure Phabricator to run on a cluster of hosts.');
  }

  public function getOptions() {
    return array(
      // Locked: only settable from configuration files / `bin/config`,
      // not from the web UI.
      $this->newOption('cluster.addresses', 'list<string>', array())
        ->setLocked(true)
        ->setSummary(pht('Address ranges of cluster hosts.'))
        ->setDescription(
          pht(
            'To allow Phabricator nodes to communicate with other nodes '.
            'in the cluster, provide an address whitelist of hosts that '.
            'are part of the cluster.'.
            "\n\n".
            'Hosts on this whitelist are permitted to use special cluster '.
            'mechanisms to authenticate requests. By default, these '.
            'mechanisms are disabled.'.
            "\n\n".
            'Define a list of CIDR blocks which whitelist all hosts in the '.
            // Concatenate here (not a comma): a comma would pass the last
            // paragraph to pht() as a stray argument and silently drop it.
            'cluster. See the examples below for details.'.
            "\n\n".
            'When cluster addresses are defined, Phabricator hosts will also '.
            'reject requests to interfaces which are not whitelisted.'))
        ->addExample(
          array(
            '23.24.25.80/32',
            '23.24.25.81/32',
          ),
          pht('Whitelist Specific Addresses'))
        ->addExample(
          array(
            '1.2.3.0/24',
          ),
          pht('Whitelist 1.2.3.*'))
        ->addExample(
          array(
            '1.2.0.0/16',
          ),
          pht('Whitelist 1.2.*.*'))
        ->addExample(
          array(
            '0.0.0.0/0',
          ),
          pht('Allow Any Host (Insecure!)')),
    );
  }

}
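An added example, not code from Phorge or from this commit, showing in plain PHP the policy the summary describes: a request carrying a cluster auth token is accepted only when `cluster.addresses` is configured and the remote address is a member, and once the list is configured, requests arriving on an interface not in the list are rejected. The CIDR helper, the function names and the sample addresses are assumptions (IPv4 only).

```php
<?php
// Added example, not Phorge/Phabricator code: the checks that
// `cluster.addresses` gates, as described in the commit summary. IPv4 only.
// True if $address lies in $block ("1.2.3.0/24"); a bare address is a /32.
function cidr_contains(string $block, string $address): bool {
  $parts = explode('/', $block, 2);
  $net = ip2long($parts[0]);
  $ip = ip2long($address);
  $bits = isset($parts[1]) ? $parts[1] : '32';
  if ($net === false || $ip === false || !ctype_digit($bits) || $bits > 32) {
    return false; // unparseable input never matches
  }
  if ((int)$bits === 0) {
    return true; // "0.0.0.0/0" matches every address
  }
  $mask = (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
  return ($net & $mask) === ($ip & $mask);
}

function is_cluster_member(array $cluster_addresses, string $address): bool {
  foreach ($cluster_addresses as $block) {
    if (cidr_contains($block, $address)) {
      return true;
    }
  }
  return false;
}

// Returns null when the request may proceed, otherwise the reason to reject.
function check_cluster_request(array $cluster_addresses, string $remote,
  string $local, bool $uses_cluster_auth): ?string {
  if ($uses_cluster_auth) {
    if (!$cluster_addresses) {
      return 'cluster auth token but cluster.addresses is not configured';
    }
    if (!is_cluster_member($cluster_addresses, $remote)) {
      return 'cluster auth token from an address outside the cluster';
    }
  }
  if ($cluster_addresses && !is_cluster_member($cluster_addresses, $local)) {
    return 'request received on an interface not in cluster.addresses';
  }
  return null;
}

// Constructed sample values following the commit's test plan.
$cluster = array('23.24.25.80/32', '23.24.25.81/32');
var_dump(check_cluster_request($cluster, '23.24.25.81', '23.24.25.80', true));
var_dump(check_cluster_request(array(), '23.24.25.81', '23.24.25.80', true));
var_dump(check_cluster_request($cluster, '198.51.100.7', '23.24.25.80', true));
var_dump(check_cluster_request($cluster, '23.24.25.81', '203.0.113.5', false));
```

The four calls correspond to the test plan's cases: a valid member request, an unconfigured cluster, a remote address outside the list, and a request arriving on an interface outside the list.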