BBlack has submitted this change and it was merged.
Change subject: rcstream: remove internal TLS listener
......................................................................
rcstream: remove internal TLS listener
This was used to provide public TLS for stream.wikimedia.org, back
when that was a direct LVS service to the rcstream hosts. That's
now handled by cache_misc. It's true that in the future we'll
want internal TLS on these for varnish (and/or other internal
consumers), but the structure of that would be entirely different
and it would be abstracted in a different way...
Bug: T134871
Change-Id: I5a776ea4f3c2c08756bf4a0e2e38a48c379c2def
---
M manifests/role/rcstream.pp
D modules/rcstream/manifests/proxy/ssl.pp
M modules/rcstream/templates/rcstream.nginx.erb
3 files changed, 3 insertions(+), 90 deletions(-)
Approvals:
Krinkle: Looks good to me, but someone else must approve
BBlack: Looks good to me, approved
jenkins-bot: Verified
Dzahn: Looks good to me, but someone else must approve
diff --git a/manifests/role/rcstream.pp b/manifests/role/rcstream.pp
index b781a84..3779cdf 100644
--- a/manifests/role/rcstream.pp
+++ b/manifests/role/rcstream.pp
@@ -29,10 +29,6 @@
backends => $backends,
}
- class { '::rcstream::proxy::ssl':
- backends => $backends,
- }
-
nrpe::monitor_service { 'rcstream_backend':
description => 'Recent Changes Stream Python backend',
nrpe_command => '/usr/local/sbin/rcstreamctl check',
@@ -46,20 +42,10 @@
port => '80',
}
- ferm::service { 'rcstream_ssl':
- proto => 'tcp',
- port => '443',
- }
-
ferm::service { 'rcstream_redis':
proto => 'tcp',
port => '6379',
srange => '(($INTERNAL @resolve(wikitech.wikimedia.org, AAAA)
@resolve(labtestwikitech.wikimedia.org, AAAA)))',
- }
-
- monitoring::service { 'https_rcstream':
- description => 'HTTPS',
- check_command => 'check_ssl_http!stream.wikimedia.org',
}
diamond::collector { 'RCStream':
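Review bot: The external HTTPS check `monitoring::service { 'https_rcstream': check_command => 'check_ssl_http!stream.wikimedia.org' }` is removed here without a replacement anywhere in this change, so certificate expiry or a TLS regression on the public stream.wikimedia.org endpoint would no longer alert from this role; unless cache_misc already carries an equivalent check for that hostname, keep the check (renamed if its placement here is the objection) or add one on the cache_misc side in the same change. Separately, since TLS for this service now terminates in cache_misc, the plain-HTTP ferm rule whose tail (`port => '80'`) opens this hunk presumably still accepts connections from any source; if it has no srange, restricting it the way rcstream_redis does below (an `srange => '$INTERNAL'`-style clause, or the cache hosts specifically) would prevent clients from reaching the backend directly and bypassing the TLS front end. The head of that ferm resource is outside the hunk, so this last point is inferred rather than visible.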
diff --git a/modules/rcstream/manifests/proxy/ssl.pp
b/modules/rcstream/manifests/proxy/ssl.pp
deleted file mode 100644
index f01ff05..0000000
--- a/modules/rcstream/manifests/proxy/ssl.pp
+++ /dev/null
@@ -1,63 +0,0 @@
-# == Class: rcstream::proxy::ssl
-#
-# This class provisions an Nginx WebSockets reverse-proxy.
-# Requires Nginx 1.4+. This class uses SSL to connect to the backend.
-#
-# === Parameters
-#
-# [*backends*]
-# An array of port numbers or strings in 'host:port' format
-# specifying the WebSocket backend servers to reverse-proxy.
-#
-# [*server_name*]
-# See <http://nginx.org/en/docs/http/server_names.html>.
-# Defaults to '_'.
-#
-# [*listen*]
-# Interface / port to listen on (default: 80, [::]:80),
-# specified as a single value or an array.
-# See <http://nginx.org/en/docs/http/ngx_http_core_module.html#listen>.
-#
-# [*location*]
-# Path WebSocket servers should be mounted at (default: '/').
-#
-# === Examples
-#
-# class { '::rcstream::proxy::ssl':
-# server_name => 'stream.wikimedia.org',
-# listen => 8080,
-# location => '/rc',
-# backends => [
-# 'websockets.eqiad.wmnet:10080',
-# 'websockets.eqiad.wmnet:10081',
-# 'websockets.eqiad.wmnet:10082',
-# ],
-# }
-#
-class rcstream::proxy::ssl(
- $backends,
- $ensure = present,
- $server_name = 'stream.wikimedia.org',
- $listen = ['443', '[::]:443'],
- $location = '/'
-) {
- $use_ssl = true
- $ssl_settings = ssl_ciphersuite('nginx', 'compat', true)
-
- sslcert::certificate { $server_name: }
-
- nginx::site { 'rcstream-ssl':
- content => template('rcstream/rcstream.nginx.erb'),
- notify => Service['nginx'],
- require => [
- Sslcert::Certificate[$server_name],
- Class['nginx::ssl'],
- Class['rcstream::proxy'],
- ],
- }
-
- class { 'nginx::ssl':
- ie6_compat => true,
- }
-
-}
diff --git a/modules/rcstream/templates/rcstream.nginx.erb
b/modules/rcstream/templates/rcstream.nginx.erb
index 74de9d2..49d3135 100644
--- a/modules/rcstream/templates/rcstream.nginx.erb
+++ b/modules/rcstream/templates/rcstream.nginx.erb
@@ -2,7 +2,6 @@
# <http://siriux.net/2013/06/nginx-and-websockets/>
# <http://socket.io/docs/using-multiple-nodes/#nginx-configuration>
# Requires Nginx 1.4+.
-<%- if ! @use_ssl -%>
upstream websockets {
ip_hash;
<%- @backends.each do |backend| -%>
@@ -14,25 +13,16 @@
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_x_forwarded_proto"';
-<%- end -%>
server {
<%- Array(@listen).each do |bind| -%>
- listen <%= bind %><%= ' ssl' if @use_ssl %>;
+ listen <%= bind %>;
<%- end -%>
server_name <%= @server_name %>;
- access_log /var/log/nginx/rcstream_<%= 'ssl_' if @use_ssl %>access.log
combined_with_proto;
- error_log /var/log/nginx/rcstream_<%= 'ssl_' if @use_ssl %>error.log;
-
- <%- if @use_ssl -%>
- ssl_certificate /etc/ssl/localcerts/<%= @server_name %>.chained.crt;
- ssl_certificate_key /etc/ssl/private/<%= @server_name %>.key;
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 5m;
- <%= @ssl_settings.join("\n") %>
- <%- end -%>
+ access_log /var/log/nginx/rcstream_access.log combined_with_proto;
+ error_log /var/log/nginx/rcstream_error.log;
location <%= @location %> {
<%- if @location != '/' -%>
--
To view, visit https://gerrit.wikimedia.org/r/304023
Gerrit-MessageType: merged
Gerrit-Change-Id: I5a776ea4f3c2c08756bf4a0e2e38a48c379c2def
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Krinkle <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: jenkins-bot <>