Ori.livneh has submitted this change and it was merged.
Change subject: Add debug_proxy module, for X-Wikimedia-Debug request routing
......................................................................
Add debug_proxy module, for X-Wikimedia-Debug request routing
The module configures an nginx instance that listens on port 80 and acts
as a transparent proxy which passes requests to a set of un-pooled app
servers that are reserved for debugging, based on the content of the
X-Wikimedia-Debug HTTP header. The set of permissible backends which may
be selected via the header is configurable via a regexp.
Bug: T129000
Bug: T129003
Change-Id: I2ef40124c891c7f9039850f90c7dc2f6e2641487
---
A manifests/role/debug_proxy.pp
M manifests/site.pp
A modules/debug_proxy/manifests/init.pp
A modules/debug_proxy/templates/debug_proxy.nginx.erb
4 files changed, 91 insertions(+), 1 deletion(-)
Approvals:
Ori.livneh: Verified; Looks good to me, approved
diff --git a/manifests/role/debug_proxy.pp b/manifests/role/debug_proxy.pp
new file mode 100644
index 0000000..1192317
--- /dev/null
+++ b/manifests/role/debug_proxy.pp
@@ -0,0 +1,18 @@
+# == Class: role::debug_proxy
+#
+# Transparent proxy which passes requests to a set of un-pooled
+# application servers that are reserved for debugging, based on
+# the value of the X-Wikimedia-Debug HTTP header.
+#
+class role::debug_proxy {
+ system::role { 'role::debug_proxy':
+ description => 'X-Wikimedia-Debug proxy',
+ }
+
+ # - Allow X-Wikimedia-Debug to select mw1017 (EQIAD) and mw2017 (CODFW).
+ # - For back-compat, pass 'X-Wikimedia-Debug: 1' requests to mw1017
+ class { '::debug_proxy':
+ backend_regexp => '^mw[12]017',
+ backend_aliases => { '1' => 'mw1017.eqiad.wmnet' },
+ }
+}
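Review bot: The `backend_regexp` value `'^mw[12]017'` is anchored only at the start, so any X-Wikimedia-Debug value that merely begins with that prefix is accepted, and the template's map line passes the whole header value to `proxy_pass` as the backend address. A client that can reach the proxy can therefore steer it to hosts other than the two intended debug servers. Anchoring the full hostname closes this, for example `backend_regexp => '^(mw1017\.eqiad|mw2017\.codfw)\.wmnet$',`. The example `'^mw101[789]'` in the class documentation of modules/debug_proxy/manifests/init.pp has the same gap, and the `backend_regexp` parameter doc there should state that the expression must match the complete backend name.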
diff --git a/manifests/site.pp b/manifests/site.pp
index 97a9780..a993d47 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1100,8 +1100,9 @@
include base::firewall
}
-# debug_proxy hosts
+# debug_proxy hosts; Varnish backend for X-Wikimedia-Debug reqs
node /^(hassaleh|hassium)\.(codfw|eqiad)\.wmnet$/ {
+ role debug_proxy
include standard
}
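Review bot: The node block shown here declares only `role debug_proxy` and `include standard`, while the preceding node's context line has `include base::firewall`. The module limits port 80 to `$INTERNAL` through `ferm::service`, which presumably takes effect only where the firewall class is applied. If `standard` or the role does not already pull it in, adding `include base::firewall` to this node would make the restriction actually enforced. The hunk starts inside the previous node definition, so what precedes it is not visible.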
diff --git a/modules/debug_proxy/manifests/init.pp
b/modules/debug_proxy/manifests/init.pp
new file mode 100644
index 0000000..02356a7
--- /dev/null
+++ b/modules/debug_proxy/manifests/init.pp
@@ -0,0 +1,43 @@
+# == Class: debug_proxy
+#
+# Transparent proxy which passes requests to a set of un-pooled
+# application servers that are reserved for debugging, based on
+# the value of the X-Wikimedia-Debug HTTP header.
+#
+# === Parameters
+#
+# [*backend_regexp*]
+# If the value of X-Wikimedia-Debug matches this regular expression,
+# it will be used as the backend address, verbatim.
+#
+# [*backend_aliases*]
+# If the value of X-Wikimedia-Debug is equal to a defined alias,
+# the alias's target will be used as the backend address.
+#
+# === Examples
+#
+# Allow requests to select mw1017 / mw1018 / mw1019 explicitly,
+# and map 'X-Wikimedia-Debug: profile' to mw1020:
+#
+# class { '::debug_proxy':
+# backend_regexp => '^mw101[789]',
+# backend_aliases => { 'profile' => 'mw1020.eqiad.wmnet' },
+# }
+#
+class debug_proxy(
+ $backend_regexp,
+ $backend_aliases,
+) {
+ nginx::site { 'debug_proxy':
+ content => template('debug_proxy/debug_proxy.nginx.erb'),
+ notify => Service['nginx'],
+ }
+
+ diamond::collector::nginx { 'debug_proxy': }
+
+ ferm::service { 'debug_proxy':
+ proto => 'tcp',
+ port => '80',
+ srange => '$INTERNAL',
+ }
+}
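Review bot: Neither class parameter is type-checked before the template uses them, although the template calls `.sub` on `$backend_regexp` and `.sort.map` on `$backend_aliases`. A wrong type would surface as a template error at catalog compile time rather than a clear message. If stdlib is available in this tree, `validate_string($backend_regexp)` and `validate_hash($backend_aliases)` at the top of the class body would catch that. Since these two values define which hosts the proxy may reach, an explicit check is worth the two lines.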
diff --git a/modules/debug_proxy/templates/debug_proxy.nginx.erb
b/modules/debug_proxy/templates/debug_proxy.nginx.erb
new file mode 100644
index 0000000..81802a4
--- /dev/null
+++ b/modules/debug_proxy/templates/debug_proxy.nginx.erb
@@ -0,0 +1,28 @@
+# Transparent proxy which passes requests to a set of un-pooled
+# application servers that are reserved for debugging, based on
+# the value of the X-Wikimedia-Debug header.
+
+map $http_x_wikimedia_debug $debug_backend {
+ <%= @backend_regexp.sub(/^~*/, '~').to_pson %> $http_x_wikimedia_debug;
+ <%= @backend_aliases.sort.map { |k, v| "#{k.to_pson} #{v.to_pson};"
}.join("\n ") %>
+ default 'invalid';
+}
+
+server {
+ listen [::]:80 ipv6only=off;
+ server_name _;
+ access_log /var/log/nginx/debug_proxy_access.log;
+ error_log /var/log/nginx/debug_proxy_error.log;
+
+ location / {
+ if ($debug_backend = invalid) {
+ return 400;
+ }
+
+ proxy_buffering off;
+ proxy_pass $scheme://$debug_backend;
+ proxy_pass_request_headers on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ }
+}
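Review bot: `proxy_pass $scheme://$debug_backend;` uses a variable for the host, and nginx then resolves the name at request time, which requires a `resolver` directive unless the name matches a defined upstream group. No `resolver` appears in this server block, so hostname backends such as the alias target would likely fail with a 502. Adding `resolver <NAMESERVER_PLACEHOLDER>;` inside the `server` block, with the address supplied from a class parameter, would address that. It would also help to add a comment above the `map` block such as `# $debug_backend is taken from a client header; only values matched here may reach proxy_pass`.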
--
To view, visit https://gerrit.wikimedia.org/r/275307
Gerrit-MessageType: merged
Gerrit-Change-Id: I2ef40124c891c7f9039850f90c7dc2f6e2641487
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: jenkins-bot <>