vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-04-29 20:10:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
Pulse/docs/security/pulse-sensor-proxy-network.md
rcourtman c91b7874ac docs: comprehensive v4.24.0 documentation audit and updates 
Complete documentation overhaul for Pulse v4.24.0 release covering all new
features and operational procedures.

Documentation Updates (19 files):

P0 Release-Critical:
- Operations: Rewrote ADAPTIVE_POLLING_ROLLOUT.md as GA operations runbook
- Operations: Updated ADAPTIVE_POLLING_MANAGEMENT_ENDPOINTS.md with DEFERRED status
- Operations: Enhanced audit-log-rotation.md with scheduler health checks
- Security: Updated proxy hardening docs with rate limit defaults
- Docker: Added runtime logging and rollback procedures

P1 Deployment & Integration:
- KUBERNETES.md: Runtime logging config, adaptive polling, post-upgrade verification
- PORT_CONFIGURATION.md: Service naming, change tracking via update history
- REVERSE_PROXY.md: Rate limit headers, error pass-through, v4.24.0 verification
- PROXY_AUTH.md, OIDC.md, WEBHOOKS.md: Runtime logging integration
- TROUBLESHOOTING.md, VM_DISK_MONITORING.md, zfs-monitoring.md: Updated workflows

Features Documented:
- X-RateLimit-* headers for all API responses
- Updates rollback workflow (UI & CLI)
- Scheduler health API with rich metadata
- Runtime logging configuration (no restart required)
- Adaptive polling (GA, enabled by default)
- Enhanced audit logging
- Circuit breakers and dead-letter queue

Supporting Changes:
- Discovery service enhancements
- Config handlers updates
- Sensor proxy installer improvements

Total Changes: 1,626 insertions(+), 622 deletions(-)
Files Modified: 24 (19 docs, 5 code)

All documentation is production-ready for v4.24.0 release.
2025-10-20 17:20:13 +00:00

64 lines
3.8 KiB
Markdown
Raw Blame History

# Pulse Sensor Proxy Network Segmentation
## Overview
- **Proxy host** collects temperatures via SSH from Proxmox nodes and serves a Unix socket to the Pulse stack.
- Goals: isolate the proxy from production hypervisors, prevent lateral movement, and ensure log forwarding/audit channels remain available.
## Zones & Connectivity
- **Pulse Application Zone (AZ-Pulse)**
- Hosts Pulse backend/frontend containers.
- Allowed to reach the proxy over Unix socket (local) or loopback if containerised via `socat`.
- **Sensor Proxy Zone (AZ-Sensor)**
- Dedicated VM/bare-metal host running `pulse-sensor-proxy`.
- Maintains outbound SSH to Proxmox management interfaces only.
- **Proxmox Management Zone (AZ-Proxmox)**
- Hypervisors / BMCs reachable on `tcp/22` (SSH) and optional IPMI UDP.
- **Logging/Monitoring Zone (AZ-Logging)**
- Receives forwarded audit/application logs (e.g. RELP/TLS on `tcp/6514`).
- Exposes Prometheus scrape port (default `tcp/9127`) if remote monitoring required.
## Recommended Firewall Rules
| Source Zone | Destination Zone | Protocol/Port | Purpose | Action |
|-------------|------------------|---------------|---------|--------|
| AZ-Pulse (localhost) | AZ-Sensor (Unix socket) | `unix` | RPC requests from Pulse | Allow (local only) |
| AZ-Sensor | AZ-Proxmox nodes | `tcp/22` | SSH for sensors/ipmitool wrapper | Allow (restricted to node list) |
| AZ-Sensor | AZ-Proxmox BMC | `udp/623` *(optional)* | IPMI if required for temperature data | Allow if needed |
| AZ-Proxmox | AZ-Sensor | `any` | Return SSH traffic | Allow stateful |
| AZ-Sensor | AZ-Logging | `tcp/6514` (TLS RELP) | Audit/application log forwarding | Allow |
| AZ-Logging | AZ-Sensor | `tcp/9127` *(optional)* | Prometheus scrape of proxy metrics | Allow if scraping remotely |
| Any | AZ-Sensor | `tcp/22` | Shell/SSH access | Deny (use management bastion) |
| AZ-Sensor | Internet | `any` | Outbound Internet | Deny (except package mirrors via proxy if required) |
## Implementation Steps
1. Place proxy host in dedicated subnet/VLAN with ACLs enforcing the table above.
2. Populate `/etc/hosts` or routing so proxy resolves Proxmox nodes to management IPs only (no public networks).
3. Configure iptables/nftables on proxy:
```bash
# Allow SSH to Proxmox nodes
iptables -A OUTPUT -p tcp -d <PROXMOX_SUBNET>/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s <PROXMOX_SUBNET>/24 --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow log forwarding
iptables -A OUTPUT -p tcp -d <LOG_HOST> --dport 6514 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s <LOG_HOST> --sport 6514 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# (Optional) allow Prometheus scrape
iptables -A INPUT -p tcp -s <SCRAPE_HOST> --dport 9127 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d <SCRAPE_HOST> --sport 9127 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Drop everything else
iptables -P OUTPUT DROP
iptables -P INPUT DROP
```
4. Deny inbound SSH to proxy except via management bastion: block `tcp/22` or whitelist bastion IPs.
5. Ensure log-forwarding TLS certificates are rotated and stored under `/etc/pulse/log-forwarding`.
## Monitoring & Alerting
- Alert if proxy initiates connections outside permitted subnets (Netflow or host firewall counters).
- Monitor `pulse_proxy_limiter_*` metrics for unusual rate-limit hits that might signal abuse.
- Track `audit_log` forwarding queue depth and remote availability; on failure, emit alert via rsyslog action queue (set `action.resumeRetryCount=-1` already).
## Change Management
- Document node IP changes and update firewall objects (`PROXMOX_NODES`) before redeploying certificates.
- Capture segmentation in infrastructure-as-code (e.g. Terraform/security group definitions) to avoid drift.
Reference in a new issue View git blame Copy permalink