Open jrgriffiniii opened 2 years ago
Unfortunately, this does not appear to be stable, as the Google Cloud Shell containers are going to be restricted from accessing the staging server environment:
```
jrg5@cloudshell:~$ curl -v "https://aspace-staging.princeton.edu/staff/api/"
* Trying 35.160.138.106:443...
* Connected to aspace-staging.princeton.edu (35.160.138.106) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=aspace-staging.princeton.edu
* start date: Feb 15 02:38:05 2022 GMT
* expire date: May 16 02:38:04 2022 GMT
* subjectAltName: host "aspace-staging.princeton.edu" matched cert's "aspace-staging.princeton.edu"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> GET /staff/api/ HTTP/1.1
> Host: aspace-staging.princeton.edu
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Server: nginx
< Date: Thu, 17 Feb 2022 19:49:29 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 146
< Connection: keep-alive
<
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
```
Using a sample set of 3 Google Cloud containers, I find the following IP addresses:
```
jrg5@cloudshell:~/cloudshell_open/ruby-for-archivesspace$ curl icanhazip.com
35.196.122.174
jrg5@cloudshell:~/cloudshell_open/ruby-for-archivesspace$ curl icanhazip.com
35.227.53.111
jrg5@cloudshell:~/cloudshell_open/ruby-for-archivesspace$ curl icanhazip.com
34.139.118.209
```
As this range is far too broad in scope to request any firewall permissions, I am going to request that the workshop exercises please do not use the staging environment. Should this prove to be too limiting, it should be noted that this still might not be necessary until the second session (scheduled for 03/03/22).
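To put a number on how broad an allowlist rule for these three egress addresses would be, the following added example (not part of the original post or of the ruby-for-archivesspace code) computes the smallest single CIDR block that covers them. The helper names `covering_cidr`, `rule_size` and `admitted?` are hypothetical, and the address `35.0.0.1` is a constructed sample.

```ruby
require "ipaddr"
require "socket"

# Egress addresses observed from the three Cloud Shell sessions in the post above.
OBSERVED = %w[35.196.122.174 35.227.53.111 34.139.118.209].freeze

# Smallest single IPv4 CIDR block containing every address in `addrs`.
# The bits shared by the lowest and highest address are shared by all of them.
def covering_cidr(addrs)
  ints = addrs.map { |a| IPAddr.new(a).to_i }
  differing = ints.min ^ ints.max
  prefix = 32 - differing.bit_length
  network = IPAddr.new(ints.min, Socket::AF_INET).mask(prefix)
  [network.to_s, prefix]
end

# Number of source addresses a firewall rule with this prefix length admits.
def rule_size(prefix)
  2**(32 - prefix)
end

# Would a rule for `cidr` let traffic from `ip` through?
def admitted?(cidr, ip)
  IPAddr.new(cidr).include?(IPAddr.new(ip))
end

if __FILE__ == $PROGRAM_NAME
  network, prefix = covering_cidr(OBSERVED)
  puts "Covering block: #{network}/#{prefix}"
  puts "Addresses admitted by one rule: #{rule_size(prefix)}"
  # Constructed address unrelated to the workshop; it still matches the rule.
  puts "35.0.0.1 admitted? #{admitted?("#{network}/#{prefix}", '35.0.0.1')}"
end
```

Three samples only give a lower bound on the pool, so the real covering block can be no narrower than the one computed here.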
https://github.com/pulibrary/ruby-for-archivesspace/compare/support-openconnect?expand=1 tracks (cleaned) attempts to use mechanize in order to establish a connection to the VPN using Ruby alone. I am currently addressing this now from a different standpoint by just using a Debian package.
As is unstable, I am attempting to now advance this (temporarily) with a direct request to Lyrasis with https://lyrasis.zendesk.com/hc/en-us/requests/11235
This has been opened for the workshop, and as such, I am going to consider this resolved.
Based upon the findings for https://lyrasis.zendesk.com/hc/en-us/requests/11323, this will need to be reopened.
Ideally, one should be able to authenticate against the ASpace API for the workshop from the Google Cloud Shell.