puppet: Move nagios to behind teleport.

This makes the server only accessible via localhost, by way of the Teleport application service.
2026-06-24 21:08:25 +08:00 · 2021-06-02 02:03:13 +00:00 · 2021-06-02 02:03:13 +00:00 · 51b985b40d
commit 51b985b40d
parent 4f51d32676
3 changed files with 6 additions and 42 deletions
--- a/puppet/zulip_ops/files/apache/ports.conf
+++ b/puppet/zulip_ops/files/apache/ports.conf
@ -5,22 +5,5 @@
 # Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
 # README.Debian.gz

-NameVirtualHost *:80
-Listen 80
-
-<IfModule mod_ssl.c>
-    # If you add NameVirtualHost *:443 here, you will also have to change
-    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
-    # to <VirtualHost *:443>
-    # Server Name Indication for SSL named virtual hosts is currently not
-    # supported by MSIE on Windows XP.
-
-    # This line added by Zulip.
-    NameVirtualHost *:443
-
-    Listen 443
-</IfModule>
-
-<IfModule mod_gnutls.c>
-    Listen 443
-</IfModule>
+# Only serve Nagios on localhost
+Listen 127.0.0.1:3000
--- a/puppet/zulip_ops/manifests/profile/nagios.pp
+++ b/puppet/zulip_ops/manifests/profile/nagios.pp
@ -58,8 +58,7 @@ class zulip_ops::profile::nagios {
    ],
    notify  => Service['apache2'],
  }
-  zulip_ops::firewall_allow{ 'http': }
-  zulip_ops::firewall_allow{ 'https': }
+  zulip_ops::teleport::application{ 'nagios': port => '3000' }

  file { '/etc/nagios3/conf.d/contacts.cfg':
    require => Package[nagios3],
--- a/puppet/zulip_ops/templates/nagios_apache_site.conf.template.erb
+++ b/puppet/zulip_ops/templates/nagios_apache_site.conf.template.erb
@ -1,15 +1,5 @@
-<VirtualHost *:80>
-    ServerName nagios.<%= @default_host_domain %>
-    Redirect permanent / https://nagios.<%= @default_host_domain %>/
-</VirtualHost>
-
-<VirtualHost *:443>
-    ServerName nagios.<%= @default_host_domain %>
-
-    SSLEngine on
-    SSLCertificateFile /etc/letsencrypt/live/nagios.<%= @default_host_domain %>/cert.pem
-    SSLCertificateChainFile /etc/letsencrypt/live/nagios.<%= @default_host_domain %>/fullchain.pem
-    SSLCertificateKeyFile /etc/letsencrypt/live/nagios.<%= @default_host_domain %>/privkey.pem
+<VirtualHost 127.0.0.1>
+    ServerName nagios.teleport.<%= @default_host_domain %>

    Header add Strict-Transport-Security "max-age=15768000"
    Header add X-Frame-Options DENY
@ -23,15 +13,7 @@
    # Where the HTML pages live
    Alias /nagios3 /usr/share/nagios3/htdocs

-    RedirectMatch ^/?$ https://nagios.<%= @default_host_domain %>/cgi-bin/nagios3/status.cgi?host=all
-
-    <Location "/">
-        AuthType Digest
-        AuthName "monitoring"
-        AuthDigestProvider file
-        AuthUserFile /etc/apache2/users/monitoring
-        Require valid-user
-    </Location>
+    RedirectMatch ^/?$ https://nagios.teleport.<%= @default_host_domain %>/cgi-bin/nagios3/status.cgi?host=all

    <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
        Options FollowSymLinks