= History =
To be filled in here by [MPT].

= Configuration =
== DNS ==
{{{
You ---> DNS Resolver ---> Cloudflare DNS
                                 ^
                                 |
                            zonemake.py
                                 |
                                 v
UCC client -------------------> BIND9 (mooneye)
}}}
UWA has migrated all external-facing DNS services to Cloudflare and blocked port 53 in to anywhere on campus (including us). They are currently providing us with Cloudflare Pro accounts for `ucc.asn.au`, `ucc.gu.uwa.edu.au`, and `ucc.guild.uwa.edu.au`. Using that service is also required to get our web server traffic proxied onto campus (see below).

Cloudflare provides a decent API for programmatic DNS changes. [MTL] has adapted `zonemake.py` to work with OctoDNS to make changes to our Cloudflare configuration. This also required an extension of the `ucc.machines` format, to allow web domain names to have Cloudflare proxying enabled and be directed as required.

== HTTP(S) ==
{{{
You ---> Cloudflare Edge ---> UWA Edge (F5) --\
                                               v
                  Origin Server (mussel/mooneye/gitlab-host)
                                               ^
UCC client -----------------------------------/
}}}
Yo dog, I heard you liked [[https://www.nginx.com/resources/glossary/reverse-proxy-server/|reverse proxies]] (and outdated memes)?

=== Cloudflare ===
Any domain name of ours with Cloudflare proxying enabled is directed to Cloudflare's network of anycast web servers. In that case, the CNAME or A record for that name instead acts to configure the origin web server for the proxy. Because of the below requirements for UWA web traffic ingress, any UCC names running websites have that option set and are pointed at `cf02-nextdc.uwa.edu.au`. Any non-web server names are set to the same as the UCC-internal view.

A consequence of the above is that web and non-web services cannot be run under the same domain name externally. In many cases, we have separated all services to their own domain names, pointing as CNAMEs to the domain name of their host machine.
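To make the split between the internal BIND9 view and the external Cloudflare view concrete, here is an added example of a small generator in the spirit of what `zonemake.py` does. It is not the club's `zonemake.py` and does not parse the real `ucc.machines` file; the three-column input is a constructed stand-in, the names and addresses in it are made up, and the placement of the `octodns.cloudflare.proxied` flag is my assumption about how octodns-cloudflare expects it. Web names are pointed at `cf02-nextdc.uwa.edu.au` with proxying on, everything else copies the internal view, and a name declared as both web and non-web is refused, since that is exactly the combination the setup cannot serve.

```python
"""Split-view DNS generator for a Cloudflare-fronted zone (added example)."""
import json

ZONE = "ucc.asn.au"
CF_INGRESS = "cf02-nextdc.uwa.edu.au."   # UWA's Cloudflare ingress name, from the wiki page

# Constructed sample input, one record per line: <name> <kind> <target>
#   host  -> A record for a machine (target is an address)
#   web   -> a website; externally it must be Cloudflare-proxied
#   alias -> a non-web CNAME (mail, ssh, ...) to another name in the zone
SAMPLE_MACHINES = """\
mussel       host   130.95.13.9
mooneye      host   130.95.13.12
gitlab-host  host   130.95.13.6
secure       web    mussel
gitlab       web    gitlab-host
ns           alias  mooneye
"""


def parse_machines(text):
    """Return a list of (name, kind, target) tuples; blanks and # comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1] not in ("host", "web", "alias"):
            raise ValueError(f"bad machines line: {raw!r}")
        records.append(tuple(fields))
    return records


def conflicting_names(records):
    """Names declared both as a website and as something else.

    Externally such a name would be proxied (HTTP only) and still be expected
    to carry non-web traffic, which the Cloudflare/F5 path cannot deliver."""
    kinds = {}
    for name, kind, _ in records:
        kinds.setdefault(name, set()).add(kind)
    return sorted(n for n, k in kinds.items() if "web" in k and len(k) > 1)


def internal_view(records):
    """What a client inside UCC gets from BIND9: every name resolves directly."""
    zone = {}
    for name, kind, target in records:
        if kind == "host":
            zone[name] = {"type": "A", "value": target}
        else:
            zone[name] = {"type": "CNAME", "value": f"{target}.{ZONE}."}
    return zone


def external_view(records):
    """What the world gets from Cloudflare: web names are proxied and sent to
    UWA's ingress; everything else is identical to the internal view."""
    clashes = conflicting_names(records)
    if clashes:
        raise ValueError(f"web and non-web service on the same name: {clashes}")
    zone = {}
    for name, kind, target in records:
        if kind == "web":
            zone[name] = {"type": "CNAME", "value": CF_INGRESS, "proxied": True}
        elif kind == "host":
            zone[name] = {"type": "A", "value": target, "proxied": False}
        else:
            zone[name] = {"type": "CNAME", "value": f"{target}.{ZONE}.", "proxied": False}
    return zone


def to_octodns(view):
    """Shape a view as octodns-style record dicts. The octodns.cloudflare.proxied
    key path is assumed from the octodns-cloudflare provider, not taken from the page."""
    out = {}
    for name, rec in view.items():
        entry = {"type": rec["type"], "value": rec["value"]}
        if rec["proxied"]:
            entry["octodns"] = {"cloudflare": {"proxied": True}}
        out[name] = entry
    return out


def proxied_only(records):
    """Audit helper: names whose external answer differs from the internal one,
    i.e. services reachable from outside only through the Cloudflare/F5 path."""
    internal = internal_view(records)
    external = external_view(records)
    return sorted(n for n in internal if internal[n]["value"] != external[n]["value"])


if __name__ == "__main__":
    recs = parse_machines(SAMPLE_MACHINES)
    print(json.dumps(to_octodns(external_view(recs)), indent=2))
    print("reachable externally only via proxy:", proxied_only(recs))
```

Running it prints the external view in octodns shape and lists `gitlab` and `secure` as the names whose public answer is the Cloudflare ingress rather than the host. The `conflicting_names` check is the useful bit for a zone change review: it catches a hostname like `mussel` being turned into a proxied web name, which would silently break SSH and mail to that name from outside.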
=== F5 reverse proxy ===
UWA funnels all HTTP(S) traffic in from Cloudflare to a set of F5 reverse proxies/load balancers/web firewalls. From there, the traffic is routed to the various web servers running on campus, including directing things for UCC to us. Any HTTP(S) traffic hitting UWA from outside Cloudflare's network is discarded.

The current config they use to direct our traffic is listed here:
{{{
"gitlab.ucc.asn.au" - "gitlab.ucc.gu.uwa.edu.au" - "gitlab.ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.6_443
    set usessl 1
}
"ucc.asn.au" - "ucc.gu.uwa.edu.au" - "ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.9_443
    set usessl 1
}
"ocsinventory.ucc.asn.au" - "ocsinventory.gu.uwa.edu.au" - "ocsinventory.guild.uwa.edu.au" - "ocsinventory-ng.ucc.asn.au" - "ocsinventory-ng.gu.uwa.edu.au" - "ocsinventory-ng.guild.uwa.edu.au" {
    pool ip_130.95.13.10_443
    set usessl 1
}
"ttyflame.ucc.asn.au" - "wwwflame.ucc.asn.au" - "*.flame.ucc.asn.au" {
    pool ip_130.95.13.12_443
    set usessl 1
}
"sync.ucc.asn.au" - "sync.ucc.gu.uwa.edu.au" - "sync.ucc.guild.uwa.edu.au" - "webmail.ucc.asn.au" - "webmail.ucc.gu.uwa.edu.au" - "webmail.ucc.guild.uwa.edu.au" - "secure.ucc.asn.au" - "secure.ucc.gu.uwa.edu.au" - "secure.ucc.guild.uwa.edu.au" - "xn--secre-b9n.ucc.asn.au" - "xn--secre-b9n.ucc.gu.uwa.edu.au" - "xn--secre-b9n.ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.28_443
    set usessl 1
}
"portal.ucc.asn.au" - "portal.ucc.gu.uwa.edu.au" - "portal.ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.36_443
    set usessl 1
}
"meetings.ucc.asn.au" "meetings.ucc.gu.uwa.edu.au" - "meetings.ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.38_443
    set usessl 1
}
"games.ucc.asn.au" - "heath.ucc.asn.au" - "heathred.ucc.asn.au" {
    pool ip_130.95.13.66_80
    set usessl 0
}
"unisfa-koha.ucc.asn.au" - "unisfa-koha.ucc.gu.uwa.edu.au" - "unisfa-koha.ucc.guild.uwa.edu.au" - "unisfa-library.ucc.asn.au" - "unisfa-library.ucc.gu.uwa.edu.au" - "unisfa-library.ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.86_80
    set usessl 0
}
"evil.ucc.asn.au" - "evil.ucc.gu.uwa.edu.au" - "evil.ucc.guild.uwa.edu.au" - "evilstats.ucc.asn.au" - "evilstats.ucc.gu.uwa.edu.au" - "evilstats.ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.111_443
    set usessl 1
}
"minecraft.ucc.asn.au" "minecraft2019.ucc.asn.au" {
    pool ip_130.95.13.177_443
    set usessl 1
}
"*.ucc.asn.au" - "*.ucc.gu.uwa.edu.au" - "*.ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.18_443
    set usessl 1
}
}}}
Setting up this config was a series of back-and-forward emails between [MPT] and the contractor who was configuring the system. To change it now requires a ticket with UniIT (not that we've needed to yet, so this has not been tested). This makes setting up a reverse proxy of our own attractive — we would be able to change the routing of our web traffic within the clubroom ourselves.

=== Origin Servers ===
HTTP goes through `mussel` or `mooneye`. HTTPS is served by `mussel` largely from `secure.ucc.asn.au`, for the historical reason that UCC could only afford one SSL certificate. Nowadays, UCC uses LetsEncrypt for everything (including `secure.ucc.asn.au`) and this is no longer necessary. Several services have been unpicked from `mussel` now, either via a service subdomain (e.g. `gitlab.ucc.asn.au`) or by reverse-proxying from `mussel`.

== Other Services ==
As of yet, all traffic not on ports 53, 80, or 443 is still allowed in to UCC straight off the 'net. That includes:

 * Client mail services POP3S, IMAPS and submission (SMTPS), handled through the new `mail-agents` HAProxy instance.
 * A number of [[VPN]] servers running on [[Murasoi]], though SSH tends to be the most reliable protocol for tunnelling about.
 * Many other things — would you like to add one you know about?
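Going back to the F5 routing table in the HTTP(S) section: since changing it needs a UniIT ticket, it is worth being able to answer "which origin does this hostname land on, and is the last hop encrypted?" from the listing alone before raising one. The following is an added example of a parser and lookup for that table; it is not UWA's F5 tooling or anything of UCC's. The config text embedded below is an excerpt copied from the listing on this page (the full table has more entries), and the matching order (an exact name wins, otherwise the wildcard with the longest suffix) is my assumption about how the F5 evaluates it, not something the page states.

```python
"""Parse the F5 hostname-to-pool table and look up routes (added example)."""
import re

# Excerpt of the routing table shown on this wiki page; not the full list.
F5_CONFIG = '''
"gitlab.ucc.asn.au" - "gitlab.ucc.gu.uwa.edu.au" - "gitlab.ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.6_443
    set usessl 1
}
"ttyflame.ucc.asn.au" - "wwwflame.ucc.asn.au" - "*.flame.ucc.asn.au" {
    pool ip_130.95.13.12_443
    set usessl 1
}
"games.ucc.asn.au" - "heath.ucc.asn.au" - "heathred.ucc.asn.au" {
    pool ip_130.95.13.66_80
    set usessl 0
}
"minecraft.ucc.asn.au" "minecraft2019.ucc.asn.au" {
    pool ip_130.95.13.177_443
    set usessl 1
}
"*.ucc.asn.au" - "*.ucc.gu.uwa.edu.au" - "*.ucc.guild.uwa.edu.au" {
    pool ip_130.95.13.18_443
    set usessl 1
}
'''

# One entry: a run of quoted names (with or without " - " between them, both
# forms occur in the listing), then { pool ip_<addr>_<port> set usessl <0|1> }.
ENTRY_RE = re.compile(
    r'((?:"[^"]+"\s*-?\s*)+)\{\s*pool\s+ip_([\d.]+)_(\d+)\s+set\s+usessl\s+([01])\s*\}',
    re.S,
)


def parse_f5(text):
    """Return a list of (names, pool_ip, pool_port, origin_tls) in file order."""
    table = []
    for names_blob, ip, port, usessl in ENTRY_RE.findall(text):
        names = re.findall(r'"([^"]+)"', names_blob)
        table.append((names, ip, int(port), usessl == "1"))
    return table


def route(table, hostname):
    """Pick the pool for a hostname (assumed rule: exact match first, then the
    wildcard with the longest suffix). Returns (ip, port, tls) or None."""
    host = hostname.lower().rstrip(".")
    best = None  # (score, ip, port, tls)
    for names, ip, port, tls in table:
        for pattern in names:
            if pattern.startswith("*."):
                suffix = pattern[1:]  # "*.flame.ucc.asn.au" -> ".flame.ucc.asn.au"
                if not (host.endswith(suffix) and len(host) > len(suffix)):
                    continue
                score = len(suffix)
            elif pattern == host:
                score = 10_000  # an exact name beats any wildcard
            else:
                continue
            if best is None or score > best[0]:
                best = (score, ip, port, tls)
    return None if best is None else best[1:]


def plaintext_origins(table):
    """Audit: names whose F5-to-origin hop is plain HTTP (usessl 0). Cloudflare
    and the F5 terminate TLS in front, so browsers still see HTTPS, but this
    last hop across the campus network is unencrypted."""
    return sorted(n for names, _, _, tls in table if not tls for n in names)


if __name__ == "__main__":
    table = parse_f5(F5_CONFIG)
    for name in ("gitlab.ucc.asn.au", "foo.flame.ucc.asn.au", "anything.ucc.asn.au"):
        print(name, "->", route(table, name))
    print("plain-HTTP origins:", plaintext_origins(table))
```

The `plaintext_origins` output is the part worth keeping an eye on: every `usessl 0` pool means the hop from the F5 to that origin is unencrypted, and those are the entries to convert once the origin has a LetsEncrypt certificate, since the rest of the path already terminates TLS at Cloudflare and at the F5.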