Restricting access to the Crypt GUI in AWS
13 Jan 2020
Crypt is a client secret escrow tool (primarily FileVault, but other secret types too). Because it holds secrets, it is common to want to restrict secret retrieval to certain network locations.
If you are running one node, you can simply add something like the following to your Nginx configuration:
The above will allow everyone access to the /checkin endpoint (so keys continue to be escrowed), but restrict any other page to the subnets listed.
But what about when you have multiple application servers behind an Application Load Balancer? Wouldn’t it be great if you could block the traffic at the load balancer, before it even reaches Nginx? Fortunately this is pretty simple with Listener Rules.
If you have more than one or two subnets that you need to whitelist, you’re either going to have a lot of clicking, or if you’re doing it (half) right, a lot of copy-and-pasted Terraform code. But wait - Terraform supports count. We can reduce the amount of copypasta with something like this (much is omitted from the below, like instances and the actual load balancer):
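As an added example (not the post's own Terraform, and not Crypt project code), here is one way to express both halves of the policy described above at the load balancer: /checkin stays open to every client so escrow keeps working, everything else is forwarded only from a list of whitelisted CIDRs, and the listener's default action is a fixed 403. It assumes Terraform 0.12 syntax with the AWS provider's block-style listener conditions, and that `aws_lb.crypt`, `aws_lb_target_group.crypt` and `var.certificate_arn` are defined elsewhere; the CIDRs in `allowed_cidrs` are constructed placeholder values.

```hcl
# Subnets permitted to reach the Crypt web UI.
# The defaults are constructed example values; replace with your own.
variable "allowed_cidrs" {
  description = "CIDR blocks allowed to reach everything except /checkin"
  type        = list(string)
  default     = ["10.10.0.0/16", "192.0.2.0/24"]
}

# HTTPS listener. The default action is deny: any request that matches
# none of the rules below gets a 403 without ever reaching Nginx.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.crypt.arn        # assumed to exist elsewhere
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn     # assumed to exist elsewhere

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "Forbidden"
      status_code  = "403"
    }
  }
}

# Rule for /checkin: open to all clients so keys continue to be escrowed.
# Lowest priority number wins, so this is evaluated before the CIDR rules.
resource "aws_lb_listener_rule" "checkin" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.crypt.arn   # assumed to exist elsewhere
  }

  condition {
    path_pattern {
      values = ["/checkin", "/checkin/*"]
    }
  }
}

# One rule per whitelisted CIDR, generated with count. Each rule forwards
# any path from that source range; everything else falls through to the
# 403 default action. Priorities are derived from count.index so they
# never collide with each other or with the /checkin rule.
resource "aws_lb_listener_rule" "gui" {
  count        = length(var.allowed_cidrs)
  listener_arn = aws_lb_listener.https.arn
  priority     = 100 + count.index

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.crypt.arn
  }

  condition {
    source_ip {
      values = [var.allowed_cidrs[count.index]]
    }
  }
}
```

Two things worth checking before relying on this: the `source_ip` condition matches the address the ALB sees on the TCP connection, so if a CDN or another proxy sits in front of the load balancer every request will appear to come from that proxy and the whitelist will either block everyone or nobody; and keeping one CIDR per rule keeps each rule well inside the ALB's limit on condition values, at the cost of one rule per subnet. Adding a subnet is then a one-line change to `allowed_cidrs`, and `terraform plan` will show exactly one new listener rule.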