Dzahn has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/354078 )

Change subject: gerrit: let Apache proxy only listen on service IP
......................................................................


gerrit: let Apache proxy only listen on service IP

Instead of listening on all IPs, let the Apache proxy
for Gerrit only listen on the _service_ IP, not the
server IP, since each Gerrit server now has both
a server and a service IP.

Avoid that https://cobalt.wikimedia.org works but with a cert
error.

Disable IPv6 on labs but use it on prod.

Change-Id: I54b26eb1662e3fa68b1fcd147d8c4436f1adac54
---
M modules/gerrit/manifests/init.pp
M modules/gerrit/manifests/proxy.pp
A modules/gerrit/templates/apache.ports.conf.erb
3 files changed, 44 insertions(+), 0 deletions(-)

Approvals:
  Paladox: Looks good to me, but someone else must approve
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/modules/gerrit/manifests/init.pp b/modules/gerrit/manifests/init.pp
index 7d1fd4f..61dbbf0 100644
--- a/modules/gerrit/manifests/init.pp
+++ b/modules/gerrit/manifests/init.pp
@@ -19,6 +19,8 @@
     class { '::gerrit::proxy':
         require     => Class['gerrit::jetty'],
         host        => $host,
+        ipv4        => $ipv4,
+        ipv6        => $ipv6,
         slave_hosts => $slave_hosts,
         slave       => $slave,
     }
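Review bot: `$ipv4` and `$ipv6` are passed through to `gerrit::proxy` here, but nothing in this hunk shows them being declared as parameters of the enclosing `gerrit` class. If they are not already in its parameter list, catalog compilation fails on the unknown variable (or, with strict variables off, the proxy receives undef and the template renders a bare `Listen :80`). Please confirm both are defined in init.pp and document them next to `host`, since they now determine which interface the TLS proxy answers on.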
diff --git a/modules/gerrit/manifests/proxy.pp b/modules/gerrit/manifests/proxy.pp
index d4bf91e..7016cc3 100644
--- a/modules/gerrit/manifests/proxy.pp
+++ b/modules/gerrit/manifests/proxy.pp
@@ -1,5 +1,7 @@
 # sets up a TLS proxy for Gerrit
 class gerrit::proxy(
+    $ipv4,
+    $ipv6,
     $host         = $::gerrit::host,
     $slave_hosts  = $::gerrit::slave_hosts,
     $slave        = false,
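Review bot: `$ipv4` and `$ipv6` are added without defaults, so every declaration of `gerrit::proxy` must now supply them, which is the right choice for a listen address. The class header comment (`# sets up a TLS proxy for Gerrit`) should document both, including that `$ipv6` may be left unset to disable IPv6 as the commit message says is done on labs. Because the values go straight into Apache `Listen` directives, validating them as IP addresses at the Puppet layer would turn a typo into a compile error instead of an Apache start failure on the host.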
@@ -30,6 +32,15 @@
         content => template('gerrit/apache.erb'),
     }
 
+    # Let Apache only listen on the service IP.
+    file { '/etc/apache2/ports.conf':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        content => template('gerrit/apache.ports.conf.erb'),
+    }
+
     # Error page stuff
     file { '/var/www/error.html':
         ensure  => present,
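Review bot: the `file { '/etc/apache2/ports.conf': }` resource has no `notify`, so a changed listen address is written to disk but Apache keeps its old sockets, including the wildcard 0.0.0.0:443 this change is meant to remove, until something else restarts it. Add `notify => Service['apache2']` (or whatever service resource this module manages) so the bind change actually takes effect. The comment could also say why this file matters: overwriting ports.conf drops Debian's unconditional `Listen 80` / `Listen 443`, which is what stops the server IP from answering.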
diff --git a/modules/gerrit/templates/apache.ports.conf.erb b/modules/gerrit/templates/apache.ports.conf.erb
new file mode 100644
index 0000000..dd77b73
--- /dev/null
+++ b/modules/gerrit/templates/apache.ports.conf.erb
@@ -0,0 +1,31 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default.conf
+
+Listen 127.0.0.1:80
+Listen <%= @ipv4 %>:80
+
+<% if @ipv6 %>
+Listen [::1]:80
+Listen [<%= @ipv6 %>]:80
+<% end -%>
+
+<IfModule ssl_module>
+    Listen 127.0.0.1:443
+    Listen <%= @ipv4 %>:443
+    <% if @ipv6 %>
+    Listen [::1]:443
+    Listen [<%= @ipv6 %>]:443
+    <% end -%>
+</IfModule>
+
+<IfModule mod_gnutls.c>
+    Listen 127.0.0.1:443
+    Listen <%= @ipv4 %>:443
+    <% if @ipv6 %>
+    Listen [::1]:443
+    Listen [<%= @ipv6 %>]:443
+    <% end -%>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
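Review bot: `<% if @ipv6 %>` is only false in ERB for nil or false; an empty string `''` is truthy in Ruby, so passing `ipv6 => ''` to "disable" IPv6 renders `Listen []:80` and `Listen []:443` and Apache refuses to start. On Puppet 3 an unset parameter can also reach the template as the symbol `:undef`, which is truthy as well. Guard with something like `<% if @ipv6 and @ipv6 != :undef and !@ipv6.empty? -%>`, or make sure the labs side really passes nil. Two smaller points: the opening `<% if @ipv6 %>` tags lack the trailing `-%>`, so each leaves a blank line in the generated file; and the header comment pointing at `/etc/apache2/sites-enabled/000-default.conf` is Debian's stock text, while this module's vhost comes from `gerrit/apache.erb`, so the pointer sends the next editor to the wrong file.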

-- 
To view, visit https://gerrit.wikimedia.org/r/354078
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I54b26eb1662e3fa68b1fcd147d8c4436f1adac54
Gerrit-PatchSet: 21
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Chad <ch...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Freddy2001 <freddy2...@wikipedia.de>
Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org>
Gerrit-Reviewer: Paladox <thomasmulhall...@yahoo.com>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits