[tech] List of UCC servers (hostnames) running both HTTP and other services

Nick Bannon nick at ucc.gu.uwa.edu.au
Mon Apr 6 16:47:39 AWST 2020


On Sat, Apr 04, 2020 at 02:27:01PM +0800, John Hodge wrote:
> Here's the start of a list of machines that would break with CF 
> proxying, off the top of my head. These machines run web servers (so UWA 
> will want us to point them at CF), which will prevent non-http services 
> from getting through.

Thanks.

We need access to our part of the ucc.{gu,guild}.uwa.edu.au Cloudflare
dashboard to test our services in a straightforward way.

> mooneye (hosts wiki): Runs mail & DNS?? (DNS and the website will be 
> handled by CF, mail isn't).
> DNS secondaries will stop getting updates

That's the start of the DNS problem.

It's a critical service and it's hard to know the full extent of the
impact if it boils down to "you just can't host any". Without being
certain...

  * we've provided secondary (or primary) DNS services for members'
    domains from this machine and previously from others: this is a
    valuable service, but benign and low-traffic
  * members use our DNS proxy service, iodine
  * In some cases, for simple web services, Cloudflare could now provide
    our SSL certificates. However:
    * The automated ACME DNS challenge protocol is currently used by us
      for web and non-web services. For some types of certificate, it's
      mandatory
    * Some of our SSL certificate infrastructure for that relies on
      RFC 2136 DNS update protocol with a tool such as "ddclient" or
      "nsupdate" for Letsencrypt challenges. It appears to be possible
      to use that workflow on at least the Cloudflare free tier
      accounts, but we're hoping to _test_ that with delegated access
      on ucc.gu.uwa.edu.au .
    * It's unclear if Cloudflare can provide our _non-web_ SSL certs
    * We certainly don't want to lose the _ability_ to register SSL certs
      with other providers, like Letsencrypt, through the automated ACME
      DNS challenge protocol
    * Cloudflare-CDN-proxied web services can use an SSL cert of one's choice,
      but only on the Business or Enterprise tier, not Free or Pro.
      https://www.cloudflare.com/en-au/plans/
    * We may want ACME DNS challenges for internal subdomains, this
      might not work if part of our domains get a strict "split horizon",
      not visible to the world. The alternative would be running a private
      CA, which we have done, but at least the _option_ to clear all
      that away and have a single view makes things easier to understand

> mussel (hosts main website): git and irc
> 
> secure (has HTTPS): Hosts HEAPS

secure is also the target of IPSec tunneling - non-UDP, non-TCP.
The router, murasoi, has served some of those sort of purposes but we
like to prototype on other machines and keep a logical separation of
services where possible and where that aids management and maintenance.

> heathred/et (small pages for hosting games/stats): Runs the games, need 
> I say more
> 
> 
> Feel free to add other hostnames that would be impacted by having their 
> DNS changed to point at CF instead of the true IP.

On Sat, Apr 04, 2020 at 11:15:42PM +0800, James Andrewartha wrote:
> meetings - BBB runs web but also WebRTC on UDP 16384-32767.

On Sun, Apr 05, 2020 at 09:15:23PM +0800, David Adam wrote:
> A quick look through the firewall is probably helpful.
>
> ssh.ucc.asn.au runs SSH on all ports, including 443.
>
> Heathred can be proxied from Mussel or similar.
>
> My VM has a web server but also SSH and mosh, though I could live
> without the web server.
>
> I haven't been keeping up with the whole CF plan; presumably this
> can't be done upstream by policy routing?
>
> [DAA]
> zanchey@

-- 
   Nick Bannon   | "I made this letter longer than usual because
nick-sig at rcpt.to | I lack the time to make it shorter." - Pascal
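Added example, not part of this thread and not UCC's own tooling: it computes the TXT value an ACME (RFC 8555) DNS-01 challenge expects at _acme-challenge.<name>, using the RFC 7638 account-key thumbprint, and renders the RFC 2136 batch that "nsupdate" would send to publish or clean it up. The server, zone and hostnames are placeholders, and the sample key and token are constructed, not real.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, keys in
    lexicographic order, no whitespace. Extra members (kid, alg) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA looks for in the _acme-challenge TXT record:
    base64url(SHA-256(token "." thumbprint(accountKey)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def nsupdate_script(server: str, zone: str, name: str, txt: str,
                    ttl: int = 60, remove: bool = False) -> str:
    """RFC 2136 dynamic-update batch for `nsupdate -k <tsig.key>`. The TSIG
    key used with it should be restricted server-side (e.g. a BIND
    update-policy) to _acme-challenge names so it cannot alter other records."""
    action = "delete" if remove else "add"
    return "\n".join([
        f"server {server}",
        f"zone {zone}.",
        f'update {action} _acme-challenge.{name}. {ttl} IN TXT "{txt}"',
        "send",
    ]) + "\n"


# Constructed sample input: placeholder coordinates, not a real account key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "x-coord-placeholder",
              "y": "y-coord-placeholder", "kid": "ignored-by-thumbprint"}
SAMPLE_TOKEN = "constructed-challenge-token"  # constructed, not from a CA

if __name__ == "__main__":
    txt = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(nsupdate_script("ns.example.test", "example.test", "svc.example.test", txt))
    print(nsupdate_script("ns.example.test", "example.test", "svc.example.test", txt, remove=True))
```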