<Incomplete, but the existing information is correct>| Table of Contents |
|---|
Environments
- Production - domain is seamlessaccess.org
- Beta & staging - domain is thiss.io
...
Some of the nftable rules are implemented through this puppet manifest https://github.com/TheIdentitySelector/thiss-ops/blob/master/global/overlay/etc/puppet/modules/thiss/manifests/firewall_rules.pp
| Server type | Rules |
|---|---|
| All | SSH via SUNET's designated jump hosts |
| All | NRPE to monitor.seamlessaccess.org & nagiosxi.nordu.net |
| All | Egress/ougoing packets from all ports |
| HAproxy Load Balancer for thiss-js | HTTPS to internet TCP 8404 (HAproxy stats port) to vpn1.sunet.se & monitor.seamlessaccess.org |
| HAproxy Load Balancer for thiss-mdq | HTTPS to internet TCP 8404 (HAproxy stats port) to vpn1.sunet.se & monitor.seamlessaccess.org |
| thiss-js | HTTP to HAproxy Load Balancer for |
| thiss-mdq for Production & Beta | HTTP to HAproxy Load Balancer for |
| thiss-mdq for staging | HTTPS and HTTP to SUNET Load Balancers |
| Aggregator & publishers for Production & Staging | HTTPS to |
| Aggregator & publishers for Beta | HTTPS to |
| Monitor | HTTPS to vpn1.sunet.se HTTP to internet (for ACME challenges to renew Let's Encrypt certificate) |
| Demo Application | HTTPS to internet |
Staging Metadata Service
SUNET only hosts the thiss-mdq service for staging which is https://md-staging.thiss.io. It is served by SUNET load balancers.
...