[tor-bugs] #30912 [Internal Services/Tor Sysadmin Team]: Investigate stunnel outage on crm-ext-01
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 29 21:14:53 UTC 2019
#30912: Investigate stunnel outage on crm-ext-01
-------------------------------------------------+-------------------------
Reporter: peterh | Owner: tpa
Type: defect | Status: needs_information
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by anarcat):
as it turns out, ipsec tunnels are not directly monitored, so we do need
to have some stronger guarantees here.
i added the following record into DNS:
{{{
crm-int-01-priv.torproject.org. 3600 IN A 172.30.136.1
crm-ext-01-priv.torproject.org. 3600 IN A 172.30.136.2
}}}
which point to the two CRM instances, but on an internal network that
shouldn't travel outside of the VPN.
you should therefore set up Redis on `crm-ext` to connect to
`crm-int-01-priv.torproject.org` (or plain `crm-int-01-priv`) instead of
localhost.
and yes, i had to reconfigure redis to listen on the new network.
we '''DEFINITELY''' do not want to make redis listen on all interfaces
(`0.0.0.0`). even if we have a firewall in place, that could possibly be
"very bad" if the firewall fails.
the tunnel works, in my tests:
{{{
crm-ext-01# echo PING | nc -s 172.30.136.2 -v -w 1 172.30.136.1 6379
Connection to 172.30.136.1 6379 port [tcp/*] succeeded!
+PONG
}}}
note that i had to pick a specific source address `-s 172.30.136.2` so
that the firewall rules match (because we allow only traffic from the
tunnel). unfortunately, "outgoing" connections go out with a source IP of
`138.201.212.236` by default, so you have to tweak that. no idea if it
would be possible to do so in Drupal/CiviCRM/PHP or whatever is going on
up there. :)
as a worst case scenario (if the above fails for you), we might consent to
punching a hole for `138.201.212.236` as well, but i'd rather avoid such
hackery for now.
we'll also research if there are better ways to do firewalling with ipsec,
if you can't figure out the source IP stuff...
thank you for your patience!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30912#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
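A check for the bind restriction anarcat insists on above (tunnel address only, never `0.0.0.0`), as an added example that is not part of the ticket or of Tor's own tooling: it parses a `redis.conf`, honours Redis's last-`bind`-wins rule, and flags a wildcard bind or any address outside the tunnel network. The `172.30.136.0/24` prefix and the two sample configs are assumptions; the addresses themselves come from the comment.

```python
"""Audit the 'bind' directive of a redis.conf against the networks Redis
is allowed to listen on (here: the IPsec tunnel network from the ticket)."""
import ipaddress

# Constructed sample configs: the weak one listens on every interface, the
# corrected one only on loopback and the tunnel-side address of crm-int-01.
WEAK_CONF = "port 6379\nbind 0.0.0.0\n"
FIXED_CONF = "port 6379\nbind 127.0.0.1 172.30.136.1\nprotected-mode yes\n"

# Assumed tunnel prefix; the ticket only shows the two host addresses.
TUNNEL_NETWORKS = ["172.30.136.0/24"]

# Spellings Redis accepts for "all interfaces" (IPv4 and IPv6).
WILDCARDS = {"0.0.0.0", "*", "::", "::*"}


def bind_addresses(conf_text):
    """Return the addresses of the last 'bind' directive in the config.
    An empty list means there is no bind directive at all, in which case
    Redis listens on all interfaces, the same exposure as 'bind 0.0.0.0'."""
    addrs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if parts and parts[0].lower() == "bind":
            addrs = parts[1:]                 # later directives override
    return addrs


def audit_bind(conf_text, allowed_networks=TUNNEL_NETWORKS):
    """Return a list of findings; empty means Redis is reachable only on
    loopback and on the allowed (tunnel) networks."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    addrs = bind_addresses(conf_text)
    if not addrs:
        return ["no bind directive: Redis listens on all interfaces"]
    findings = []
    for a in addrs:
        clean = a.lstrip("-")                 # Redis 6+: '-addr' = optional
        if clean in WILDCARDS:
            findings.append(f"wildcard bind {a}: reachable on every interface")
            continue
        try:
            ip = ipaddress.ip_address(clean)
        except ValueError:
            findings.append(f"unparseable bind address {a}")
            continue
        if not (ip.is_loopback or any(ip in net for net in allowed)):
            findings.append(f"bind {a} is outside the tunnel network")
    return findings
```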