Elukey has submitted this change and it was merged.

Change subject: Add the pivot.wikimedia.org VHost to stat1001
......................................................................


Add the pivot.wikimedia.org VHost to stat1001

This site will be a simple reverse proxy to the nodejs service serving
the pivot UI, used to limit the access to authenticated clients (via LDAP).

Context up to September 2016:
There is a current dispute between Imply and Metamarkets about a possible
copyright infringement related to Imply's pivot UI.
The Analytics team set a while back a goal to provide a Pivot UI
to their users with the assumption that all the code
used/deployed was open source and freely available. If this assumption will
change in the future, for example after a legal sentence, the Analytics team
will take the necessary actions.
For any question please reach out to the Analytics team:
https://www.mediawiki.org/wiki/Analytics#Contact

Bug: T138262
Change-Id: Iefd2893a1dab5e2da660ba83d42813ad891ee8e2
---
M manifests/role/statistics.pp
A modules/statistics/manifests/sites/pivot.pp
A modules/statistics/templates/pivot.wikimedia.org.erb
3 files changed, 84 insertions(+), 0 deletions(-)

Approvals:
  Elukey: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/role/statistics.pp b/manifests/role/statistics.pp
index 05d4ed1..937b7a7 100644
--- a/manifests/role/statistics.pp
+++ b/manifests/role/statistics.pp
@@ -209,6 +209,8 @@
     include ::statistics::sites::analytics
     # Proxy to securely access Yarn (authentication via LDAP)
     include ::statistics::sites::yarn
+    # Proxy to securely access Pivot (authentication via LDAP)
+    include ::statistics::sites::pivot
 
     ferm::service {'statistics-web':
         proto => 'tcp',
diff --git a/modules/statistics/manifests/sites/pivot.pp 
b/modules/statistics/manifests/sites/pivot.pp
new file mode 100644
index 0000000..987bd3c
--- /dev/null
+++ b/modules/statistics/manifests/sites/pivot.pp
@@ -0,0 +1,41 @@
+# == Class statistics::sites::yarn
+# pivot.wikimedia.org
+#
+# This site will be a simple reverse proxy to the nodejs service serving
+# the pivot UI, used to limit the access to authenticated clients (via LDAP).
+#
+# Context up to September 2016:
+# There is a current dispute between Imply and Metamarkets about a possible
+# copyright infringement related to Imply's pivot UI.
+# The Analytics team set a while back a goal to provide a Pivot UI
+# to their users with the assumption that all the code
+# used/deployed was open souce and freely available. If this assumption will
+# change in the future, for example after a legal sentence, the Analytics team
+# will take the necessary actions.
+# For any question please reach out to the Analytics team:
+# https://www.mediawiki.org/wiki/Analytics#Contact
+#
+# Bug: T138262
+#
+class statistics::sites::pivot {
+    require statistics::web
+
+    include ::apache::mod::proxy_http
+    include ::apache::mod::proxy
+    include ::apache::mod::auth_basic
+    include ::apache::mod::authnz_ldap
+    include ::passwords::ldap::production
+
+    $proxypass = $passwords::ldap::production::proxypass
+
+    # Set up the VirtualHost
+    apache::site { 'pivot.wikimedia.org':
+        content => template('statistics/pivot.wikimedia.org.erb'),
+    }
+
+    ferm::service { 'pivot-http':
+        proto => 'tcp',
+        port  => '80',
+    }
+
+}
\ No newline at end of file
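Review bot: The header comment on the first line of pivot.pp reads "Class statistics::sites::yarn" while the class declared below it is statistics::sites::pivot; it looks copied from the yarn site and should be renamed so documentation and searches point at the right class. The ferm::service 'pivot-http' rule opens tcp/80 with no source restriction visible in these lines; if TLS is terminated on a frontend, consider limiting the rule to those frontends so the Basic-auth VHost cannot be reached directly over plain HTTP. The file also ends without a trailing newline.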
diff --git a/modules/statistics/templates/pivot.wikimedia.org.erb 
b/modules/statistics/templates/pivot.wikimedia.org.erb
new file mode 100644
index 0000000..f3081f8
--- /dev/null
+++ b/modules/statistics/templates/pivot.wikimedia.org.erb
@@ -0,0 +1,41 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+#####################################################################
+# vim: filetype=apache
+
+<VirtualHost *:80>
+    ServerName pivot.wikimedia.org
+    ServerSignature Off
+
+    # Not used since this VHost will only act as proxy,
+    # but it is needed to avoid error messages in the httpd
+    # logs and logrotate crons.
+    DocumentRoot /var/www
+
+    <Directory />
+        Options FollowSymLinks
+        AllowOverride None
+        Require all denied
+    </Directory>
+
+    <Location />
+        AuthName "WMF Labs (use wiki login name not shell)"
+        AuthType Basic
+        AuthBasicProvider ldap
+        AuthLDAPBindDN cn=proxyagent,ou=profile,dc=wikimedia,dc=org
+        AuthLDAPBindPassword <%= @proxypass %>
+        AuthLDAPURL "ldaps://ldap-labs.eqiad.wikimedia.org 
ldap-labs.codfw.wikimedia.org/ou=people,dc=wikimedia,dc=org?cn"
+        Require ldap-group cn=wmf,ou=groups,dc=wikimedia,dc=org
+        Require ldap-group cn=nda,ou=groups,dc=wikimedia,dc=org
+    </Location>
+
+    CustomLog /var/log/apache2/pivot.wikimedia.org-access.log wmf
+    ErrorLog /var/log/apache2/pivot.wikimedia.org-error.log
+
+    LogLevel warn
+
+    # The nodejs service is temporary running on stat1002
+    # but it will be properly deployed and migrated.
+    ProxyPass / http://stat1002.eqiad.wmnet:9090/
+    ProxyPassReverse / http://stat1002.eqiad.wmnet:9090/
+</VirtualHost>
\ No newline at end of file
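Review bot: The <Location /> block uses AuthType Basic inside <VirtualHost *:80>, so LDAP credentials travel base64-encoded over plain HTTP unless something in front of this host terminates TLS, and nothing in the VHost enforces or documents that. Suggest a comment stating where TLS is terminated, or serving the site over HTTPS. The two Require ldap-group lines are not wrapped in a container, which Apache 2.4 treats as an implicit RequireAny (membership in either wmf or nda is enough); an explicit <RequireAny> would make that intent clear to the next reader. ProxyPass forwards to http://stat1002.eqiad.wmnet:9090/ without any credential of its own, so the LDAP check only holds if port 9090 on the backend is not reachable by other paths; worth confirming the backend's firewall rules alongside this change. The file ends without a trailing newline.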

-- 
To view, visit https://gerrit.wikimedia.org/r/309301
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Iefd2893a1dab5e2da660ba83d42813ad891ee8e2
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Elukey <ltosc...@wikimedia.org>
Gerrit-Reviewer: Elukey <ltosc...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
