I have two cvmfs repositories on my HPC system, let’s call them “public” and “private”. The public repository can be used outside of the cluster and the private repository should not be used outside of the cluster. As of now, I only have things set up for the cluster, using both repositories. I want to restrict access to the private repository for hosts outside of the cluster. Is there a way to have each repository on a different port? Or is the best option to stand up a second stratum 1 that will only replicate the public repository and point non-cluster hosts to it?
I think you should be able to configure apache to put them on separate ports. I’m not sure but it might require modifying the apache configuration file that cvmfs_server usually controls and sometimes regenerates when there are upgrades. You could rename the configuration file in /etc/httpd/conf.d, then cvmfs_server will leave it alone.
However, the easiest thing would probably be to use apache access control by creating
/srv/cvmfs/<repo>/.htaccess in your private repo with appropriate Allow and Deny lines to limit it to the IP address range of the local cluster.
I think you are correct that the
.htaccess file would be the best way to go.