[tech] Clarification of requirements and plan of action

John Hodge tpg at ucc.asn.au
Thu Apr 9 08:27:15 AWST 2020


Paul,

I haven't seen an update from our discussion several weeks ago, so I 
thought I'd put to paper some notes and queries about the move towards 
Cloudflare proxying.

My understanding is that UWA has decided (in response to one of the 
steps in the ANU data breach) that websites hosted on 130.95.0.0/16 
(UWA's IP range) should not be open to the general internet, and instead 
should be protected by a reverse proxy (in this case, Cloudflare). To 
this end, DNS is being pointed at Cloudflare (I assume because the DNS 
service comes with the web proxy service?) and eventually ports 443 and 
80 inbound will be closed at the border firewall (with an exception for 
the Cloudflare proxies).

Queries:

  * What is the progress on getting access to the Cloudflare dashboard?
    We would like to start on migration of services before ports 443 and
    80 start being blocked.
  * Are there any other ports (apart from 80/443) that will be blocked
    at the border?
  * Is there any progress towards treating 130.95.13.0/24 as "outside"
    in the core firewall (and thus side-stepping the need to place UCC
    services behind Cloudflare)?


Examples of services that cannot work with the Cloudflare setup (running 
both HTTP and non-HTTP on the same hostname):

  * GitLab (source control server): This runs both a web server (for
    viewing source code, and managing permissions) and an SSH server
    (used for uploading code in a secure manner). Neither of these
    services supports DNS "SRV" records (which would permit different IP
    addresses for HTTP/HTTPS and other services).
  * "Big Blue Button" (Video conferencing system): This sends its video
    streams over UDP to a collection of high ports (audio is sent over
    websockets). This system has been used to great effect by the clubs
    impacted by the COVID-19 Cameron Hall shutdown, to host their normal
    events in a virtual space.
  * We currently have `secure.ucc.asn.au` that "hosts" a whole range of
    encrypted services (IMAP, POP3, webmail, VPN).


-- 
John Hodge [TPG]
UCC Wheel Member
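The migration impact the mail describes (only 80/443 closed at the border, Cloudflare forwarding only HTTP/HTTPS, so any hostname that also serves SSH, mail or UDP media breaks once its DNS points at the proxy), as an added example that is not part of the original message. The inventory, its IP addresses and the non-HTTP port numbers are constructed placeholders inside the ranges named above; the `ucc_outside` flag models the third query, treating 130.95.13.0/24 as "outside" the core firewall.

```python
# Added example, not from the original mail: classify services under the
# Cloudflare/border-firewall plan described in the message.
from ipaddress import ip_address, ip_network

UWA_RANGE = ip_network("130.95.0.0/16")   # range the border block applies to
UCC_RANGE = ip_network("130.95.13.0/24")  # range UCC asked to have treated as "outside"
# Ports to be closed inbound at the border (exception for Cloudflare proxies).
BORDER_BLOCKED = {("tcp", 80), ("tcp", 443)}
# Assumption: the Cloudflare proxy forwards plain HTTP/HTTPS only.
PROXIED = {("tcp", 80), ("tcp", 443)}

# Constructed inventory: hostname -> (origin IP, {(proto, port), ...}).
# Addresses and non-HTTP ports are placeholders, not the real hosts' values.
INVENTORY = {
    "gitlab": ("130.95.13.10", {("tcp", 80), ("tcp", 443), ("tcp", 22)}),
    "bbb": ("130.95.13.11", {("tcp", 443), ("udp", 16384)}),
    "secure.ucc.asn.au": ("130.95.13.12",
                          {("tcp", 443), ("tcp", 993), ("tcp", 995), ("udp", 1194)}),
    "wiki": ("130.95.13.13", {("tcp", 80), ("tcp", 443)}),
    "offsite": ("203.0.113.5", {("tcp", 443), ("tcp", 22)}),
}


def assess(inventory, blocked=BORDER_BLOCKED, ucc_outside=False):
    """Return {"proxy": [hosts that can simply move behind Cloudflare],
               "breaks": {host: [services that stop working]},
               "unaffected": [hosts the border block does not touch]}."""
    result = {"proxy": [], "breaks": {}, "unaffected": []}
    for host, (ip, services) in sorted(inventory.items()):
        addr = ip_address(ip)
        outside = addr not in UWA_RANGE or (ucc_outside and addr in UCC_RANGE)
        if outside or not (services & blocked):
            result["unaffected"].append(host)  # nothing on this host is blocked
            continue
        # The host must go behind the proxy; DNS then points at Cloudflare,
        # which will not forward any non-HTTP port on the same hostname.
        non_proxied = sorted(services - PROXIED)
        if non_proxied:
            result["breaks"][host] = non_proxied
        else:
            result["proxy"].append(host)
    return result


if __name__ == "__main__":
    for key, value in assess(INVENTORY).items():
        print(f"{key}: {value}")
```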
