ops: record hermes dashboard trusted access slice
This commit is contained in:
@@ -0,0 +1,81 @@
|
||||
# Hermes dashboard Trusted-only Policy Engine apply — 2026-05-24
|
||||
|
||||
## Live change summary
|
||||
Applied the narrow UniFi Policy Engine service slice that makes the Hermes dashboard on Nomad effectively Trusted-only.
|
||||
|
||||
Dashboard endpoint:
|
||||
- `10.5.30.7:9119`
|
||||
|
||||
Apply time artifact stamp:
|
||||
- `2026-05-24-061715`
|
||||
|
||||
## What changed
|
||||
Created these two custom firewall policies:
|
||||
|
||||
1. `Allow Trusted to Hermes Dashboard`
|
||||
- id: `6a1297eefb913dd84d4a3fbb`
|
||||
- action: `ALLOW`
|
||||
- protocol: `tcp`
|
||||
- source: `10.5.1.0/24`
|
||||
- destination: `10.5.30.7`
|
||||
- destination port: `9119`
|
||||
- schedule: `ALWAYS`
|
||||
|
||||
2. `Block Management and Servers to Hermes Dashboard`
|
||||
- id: `6a1297eefb913dd84d4a3fc0`
|
||||
- action: `BLOCK`
|
||||
- protocol: `tcp`
|
||||
- source: `10.5.0.0/24`, `10.5.30.0/24`
|
||||
- destination: `10.5.30.7`
|
||||
- destination port: `9119`
|
||||
- schedule: `ALWAYS`
|
||||
|
||||
## Verification result
|
||||
- Pre-apply baseline did not already contain either Hermes-dashboard policy.
|
||||
- Post-apply readback shows both rules present as non-predefined custom policies.
|
||||
- Apply helper returned no API errors.
|
||||
|
||||
## Artifacts
|
||||
Baselines and apply output saved in:
|
||||
- `home/doris-dashboard/docs/baselines/unifi-firewall-policies-custom-2026-05-24-061715-pre-hermes-dashboard-slice.json`
|
||||
- `home/doris-dashboard/docs/baselines/unifi-hermes-dashboard-policy-apply-2026-05-24-061715.json`
|
||||
- `home/doris-dashboard/docs/baselines/unifi-firewall-policies-custom-2026-05-24-061715-post-hermes-dashboard-slice.json`
|
||||
|
||||
Helper added to repo and copied to PD runtime for repeatable staging/apply:
|
||||
- repo: `automation/bin/unifi_stage_hermes_dashboard_policy.py`
|
||||
- PD runtime: `/mnt/docker-ssd/docker/compose/automation/bin/unifi_stage_hermes_dashboard_policy.py`
|
||||
|
||||
## Representative lane probe after apply
|
||||
Follow-up live check from PD showed an important enforcement caveat.
|
||||
|
||||
From PD (`10.5.30.6`) to Nomad (`10.5.30.7:9119`):
|
||||
- direct TCP connect succeeded
|
||||
- HTTP GET succeeded with `200 OK`
|
||||
- route on PD is on-link: `10.5.30.7 dev enp3s0f0 src 10.5.30.6`
|
||||
|
||||
Interpretation:
|
||||
- PD and Nomad are both on the `Servers` subnet (`10.5.30.0/24`)
|
||||
- this flow stays L2-local and does not traverse the UniFi gateway
|
||||
- therefore the gateway Policy Engine block does not stop PD from reaching the dashboard even though the custom rule exists
|
||||
|
||||
What the current rule set still likely achieves:
|
||||
- Trusted clients on `10.5.1.0/24` can reach the dashboard
|
||||
- routed Management-lane access should still be governed by the custom block
|
||||
- same-subnet Servers peers are not isolated by this gateway-only approach
|
||||
|
||||
## Operator validation still worth doing
|
||||
Because same-subnet east-west traffic bypasses the gateway enforcement point, the right checks are now:
|
||||
- from a Trusted client: confirm `http://hermes.home.paccoco.com:9119` or the intended dashboard URL still loads
|
||||
- from a Management client on a different subnet: confirm `10.5.30.7:9119` is blocked
|
||||
- do not treat PD->Nomad reachability as proof the rule failed globally; it specifically proves intra-subnet server peers need host-local enforcement if they must be excluded
|
||||
|
||||
## If true Trusted-only must exclude PD and other Servers peers
|
||||
Use one of these instead of relying only on the gateway policy:
|
||||
- add a host firewall on Nomad permitting only Trusted-source addresses/subnets to port `9119`
|
||||
- move the dashboard to a lane where disallowed sources must cross a routed boundary
|
||||
- use switch/ACL mechanisms that can enforce same-subnet isolation if available
|
||||
|
||||
## Rollback
|
||||
Fastest rollback is to delete the two Hermes-dashboard custom rules by id or rerun a small helper update that disables/removes them:
|
||||
- `6a1297eefb913dd84d4a3fbb`
|
||||
- `6a1297eefb913dd84d4a3fc0`
|
||||
Reference in New Issue
Block a user