action #176241
Updated by okurz about 1 month ago
## Motivation
As discussed in #175902 there are certain use cases where unauthorized, unencrypted asset access is necessary, e.g.
* http://openqa.suse.de/assets/iso/agama-installer.s390x-11.0.0-SLE-Build3.7.iso
* http://openqa.suse.de/assets/repo/SLE-15-SP7-Product-SLES-POOL-x86_64-Build56.1-Media1/
* http://openqa.suse.de/assets/repo/SLE-15-SP7-Product-SLES-POOL-x86_64-Build56.1-Media1/
* (http,10.145.10.207)/assets/repo/SLE-15-SP7-Online-ppc64le-Build56.1-Media1/boot/ppc64le/linux
if it turns out we can't or mustn't allow complete unauthenticated access to /iso/ or /repo/ then we could look into the approach to use a dedicated network interface for zone-cc traffic and other traffic, e.g. OSD openQA workers from NUE2. Then we can have separate nginx instances listening on the corresponding server IP addresses of separate interfaces with differing config, i.e. allow unauthenticated traffic within zone-cc but only authenticated traffic from and to other zones
## Suggestions
* Read http://nginx.org/en/docs/http/request_processing.html#mixed_name_ip_based_servers