uccwiki

Describe TheCloudflarening here.

History

To be filled in here by [MPT].

Configuration

DNS

You ---> DNS Resolver ---> Cloudflare DNS
                                  ^
                                  |
                             zonemake.py
                                  |
                                  v
UCC client -------------------> BIND9 (mooneye) 

UWA has migrated all external-facing DNS services to Cloudflare and blocked port 53 in to anywhere on campus (including us). They are currently providing us with Cloudflare Pro accounts for ucc.asn.au, ucc.gu.uwa.edu.au, and ucc.guild.uwa.edu.au. Using that services is also required to get our web server traffic proxied onto campus (see below).

Cloudflare provides a decent API for programmatic DNS changes. [MTL] has adapted zonemake.py to work with OctoDNS to make changes to our Cloudflare configuration. This also required an extension of the ucc.machines format, to allow web domain names to have Cloudflare proxying enabled and be directed as required.

HTTP(S)

You ---> Cloudflare Edge ---> UWA Edge (F5) --\
                                              v
                                        Origin Server (mussel/mooneye/gitlab-host)
                                              ^
UCC client -----------------------------------/

Yo dog, I heard you liked reverse proxies (and outdated memes)?

Cloudflare

Any domain name of ours with Cloudflare proxying enabled is directed to Cloudflare's network of anycast web servers. In that case, the CNAME or A record for that name instead acts to configure the origin web server for the proxy. Because of the below requirements for UWA web traffic ingress, any UCC names running websites have that option set and are pointed at cf02-nextdc.uwa.edu.au.

Any non-web server names are set to the same as the UCC-internal view.

A consequence of the above is that web and non-web services cannot not be run under the same domain name externally. In many cases, we have separated all services to their own domain names, pointing as CNAMEs to the domain name of their host machine.

F5 reverse proxy

UWA funnels all HTTP(S) traffic in from Cloudflare to a set of F5 reverse proxies/load balancers/web firewalls. From there, the traffic is routed to the various web servers running on campus, including directing things for UCC to us. Any HTTP(S) traffic hitting UWA from outside Cloudflare's network is discarded.

The current config they use to direct our traffic is listed here:

   "gitlab.ucc.asn.au" -
   "gitlab.ucc.gu.uwa.edu.au" -
   "gitlab.ucc.guild.uwa.edu.au"
     {
     pool ip_130.95.13.6_443
     set usessl 1
     }
   "ucc.asn.au" -
   "ucc.gu.uwa.edu.au" -
   "ucc.guild.uwa.edu.au"
     {
     pool ip_130.95.13.9_443
     set usessl 1
     }
   "ocsinventory.ucc.asn.au" -
   "ocsinventory.gu.uwa.edu.au" -
   "ocsinventory.guild.uwa.edu.au" -
   "ocsinventory-ng.ucc.asn.au" -
   "ocsinventory-ng.gu.uwa.edu.au" -
   "ocsinventory-ng.guild.uwa.edu.au"
     {
     pool ip_130.95.13.10_443
     set usessl 1
     }
   "ttyflame.ucc.asn.au" -
   "wwwflame.ucc.asn.au" -
   "*.flame.ucc.asn.au"
     {
     pool ip_130.95.13.12_443
     set usessl 1
     }
   "sync.ucc.asn.au" -
   "sync.ucc.gu.uwa.edu.au" -
   "sync.ucc.guild.uwa.edu.au" -
   "webmail.ucc.asn.au" -
   "webmail.ucc.gu.uwa.edu.au" -
   "webmail.ucc.guild.uwa.edu.au" -
   "secure.ucc.asn.au" -
   "secure.ucc.gu.uwa.edu.au" -
   "secure.ucc.guild.uwa.edu.au" -
   "xn--secre-b9n.ucc.asn.au" -
   "xn--secre-b9n.ucc.gu.uwa.edu.au" -
   "xn--secre-b9n.ucc.guild.uwa.edu.au"
     {
     pool ip_130.95.13.28_443
     set usessl 1
     }
   "portal.ucc.asn.au" -
   "portal.ucc.gu.uwa.edu.au" -
   "portal.ucc.guild.uwa.edu.au"
     {
     pool ip_130.95.13.36_443
     set usessl 1
     }
   "meetings.ucc.asn.au"
   "meetings.ucc.gu.uwa.edu.au" -
   "meetings.ucc.guild.uwa.edu.au"
     {
     pool ip_130.95.13.38_443
     set usessl 1
     }
   "games.ucc.asn.au" -
   "heath.ucc.asn.au" -
   "heathred.ucc.asn.au"
     {
     pool ip_130.95.13.66_80
     set usessl 0
     }
   "unisfa-koha.ucc.asn.au" -
   "unisfa-koha.ucc.gu.uwa.edu.au" -
   "unisfa-koha.ucc.guild.uwa.edu.au" -
   "unisfa-library.ucc.asn.au" -
   "unisfa-library.ucc.gu.uwa.edu.au" -
   "unisfa-library.ucc.guild.uwa.edu.au"
     {
     pool ip_130.95.13.86_80
     set usessl 0
     }
   "evil.ucc.asn.au" -
   "evil.ucc.gu.uwa.edu.au" -
   "evil.ucc.guild.uwa.edu.au" -
   "evilstats.ucc.asn.au" -
   "evilstats.ucc.gu.uwa.edu.au" -
   "evilstats.ucc.guild.uwa.edu.au"
     {
     pool ip_130.95.13.111_443
     set usessl 1
     }
   "minecraft.ucc.asn.au"
   "minecraft2019.ucc.asn.au"
     {
     pool ip_130.95.13.177_443
     set usessl 1
     }
   "*.ucc.asn.au" -
   "*.ucc.gu.uwa.edu.au" -
   "*.ucc.guild.uwa.edu.au"
     {
     pool ip_130.95.13.18_443
     set usessl 1
     }

Setting up this config was a series of back-and-forward emails between [MPT] and the contractor who was configuring the system. To change it now requires a ticket with UniIT (not that we've needed to yet, so this has not been tested). This makes setting up a reverse proxy of our own attractive — we would be able to change the routing of our web traffic within the clubroom ourselves.

Origin Servers

HTTP goes through mussel or mooneye. HTTPS is served by mussel largely from secure.ucc.asn.au, for the historical reason that UCC could only afford one SSL certificate. Nowadays, UCC uses LetsEncrypt for everything (including secure.ucc.asn.au) and this is no longer necessary. Several services have been unpicked from mussel now, either via a service subdomain (e.g. gitlab.ucc.asn.au) or by reverse-proxying from mussel.

Other Services

As of yet, all traffic not on ports 53, 80, or 443 is still allowed in to UCC straight off the 'net.

That includes:

uccwiki: TheCloudflarening (last edited 2021-03-29 21:20:16 by JamesArcus)