Ottomata has submitted this change and it was merged. Change subject: Set up https with archiva certificate for archiva.wikmedia.org ......................................................................
Set up https with archiva certificate for archiva.wikmedia.org - This adds a simple generic nginx site to force all non https traffic on port 80 to https. - This also points our maven module archiva urls at https://archiva.wikimedia.org Bug: T88139 Change-Id: I3bfff6e632e0d5c26d710d8ab69dcc4d1ee8f3a1 --- M hieradata/labs.yaml M manifests/role/archiva.pp A modules/archiva/manifests/proxy.pp M modules/maven/files/settings.xml A templates/nginx/sites/force-https.erb M templates/nginx/sites/simple-proxy.erb 6 files changed, 112 insertions(+), 34 deletions(-) Approvals: Ottomata: Verified; Looks good to me, approved
diff --git a/hieradata/labs.yaml b/hieradata/labs.yaml
index e04cab3..e3986da 100644
--- a/hieradata/labs.yaml
+++ b/hieradata/labs.yaml
@@ -5,3 +5,5 @@
 elasticsearch::expected_nodes: 1
 elasticsearch::recover_after_nodes: 1
 ganglia_class: old
+archiva::proxy::ssl_enabled: false
+archiva::proxy::certificate_name: ssl-cert-snakeoil
\ No newline at end of file
diff --git a/manifests/role/archiva.pp b/manifests/role/archiva.pp
index 1003c15..90d8597 100644
--- a/manifests/role/archiva.pp
+++ b/manifests/role/archiva.pp
@@ -13,33 +13,14 @@ } } - $archiva_port = 8080 class { '::archiva': - port => $archiva_port, require => Package['openjdk-7-jdk'], } - class { '::archiva::gitfat': - require => Class['::archiva'] - } + # Set up a reverse proxy for the archiva service. + class { '::archiva::proxy': } - # Set up simple Nginx reverse proxy port 80 to port $archiva_port. - class { '::nginx': - require => Class['::archiva'], - } - $listen = 80 - $proxy_pass = "http://127.0.0.1:${archiva_port}/" - $server_properties = [ - # Need large body size to allow for .jar deployment. - 'client_max_body_size 256M', - # Archiva sometimes takes a long time to respond. - 'proxy_connect_timeout 600s', - 'proxy_read_timeout 600s', - 'proxy_send_timeout 600s', - ] - nginx::site { 'archiva': - content => template('nginx/sites/simple-proxy.erb'), - } + class { '::archiva::gitfat': } # Bacula backups for /var/lib/archiva. if $::realm == 'production' { @@ -49,14 +30,9 @@ } } - ferm::service { 'http': - proto => 'tcp', - port => '80', - } - ferm::service { 'rsync': proto => 'tcp', port => '873', } - } + diff --git a/modules/archiva/manifests/proxy.pp b/modules/archiva/manifests/proxy.pp new file mode 100644 index 0000000..ab4da91 --- /dev/null +++ b/modules/archiva/manifests/proxy.pp 
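Review bot: The `::archiva::gitfat` declaration in the first hunk loses its `require => Class['::archiva']`, so unless archiva::gitfat orders itself after archiva internally (not visible in this change) Puppet may now apply it before the archiva package and its directories exist. Keeping the relationship, `class { '::archiva::gitfat': require => Class['::archiva'] }`, costs nothing and matches the explicit `Class['::archiva'] -> Class['::archiva::proxy']` arrow the new proxy class declares for itself. The second hunk also adds a lone blank line after the closing brace of the role class, which looks accidental. The role class starts before the first hunk and the Bacula branch continues past it.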
@@ -0,0 +1,90 @@
+# == Class archiva::proxy
+# Sets up a simple nginx reverse proxy.
+# This must be included on the same node as the archiva server.
+#
+# This depends on the nginx, ferm, and sslcert modules from WMF operations/puppet/modules.
+#
+# == Parameters
+# $ssl_enabled - If true, this proxy will do SSL and force redirect to HTTPS. Default: true
+#
+# $certificate_name - Name of certificate. If this is anything but 'ssl-cert-snakeoil',
+# install_certificate will be called, and the certificate file will be
+# assumed to be in /etc/ssl/localcert. If this is 'ssl-cert-snakeoil',
+# the snakeoil certificate will be used. It is expected to be found at
+# /etc/ssl/certs/ssl-cert-snakeoil.pem. Default: archiva.wikimedia.org
+#
+class archiva::proxy(
+ $ssl_enabled = true,
+ $certificate_name = 'archiva.wikimedia.org',
+) {
+ Class['::archiva'] -> Class['::archiva::proxy']
+
+ # Set up simple Nginx reverse proxy to $archiva_port.
+ class { '::nginx': }
+
+ # $archiva_server_properties and
+ # $ssl_server_properties will be concatenated together to form
+ # a single $server_properties array for the simple-proxy.erb
+ # nginx site template.
+ $archiva_server_properties = [
+ # Need large body size to allow for .jar deployment.
+ 'client_max_body_size 256M;',
+ # Archiva sometimes takes a long time to respond.
+ 'proxy_connect_timeout 600s;',
+ 'proxy_read_timeout 600s;',
+ 'proxy_send_timeout 600s;',
+ ]
+
+ if $ssl_enabled {
+ $listen = '443 ssl'
+
+ # Install the certificate if it is not the snakeoil cert
+ if $certificate_name != 'ssl-cert-snakeoil' {
+ install_certificate{ $certificate_name: }
+ }
+
+ $ssl_certificate = $certificate_name ? {
+ 'ssl-cert-snakeoil' => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
+ default => "/etc/ssl/localcerts/${certificate_name}.crt",
+ }
+ $ssl_certificate_key = "/etc/ssl/private/${certificate_name}.key"
+
+ # Use puppet's stupidity to flatten these into a single array.
+ $server_properties = [
+ $archiva_server_properties,
+ ssl_ciphersuite('nginx', 'compat'),
+ [
+ "ssl_certificate ${ssl_certificate};",
+ "ssl_certificate_key ${ssl_certificate_key};",
+ ],
+ ]
+
+ $force_https_site_ensure = 'present'
+
+ ferm::service { 'https':
+ proto => 'tcp',
+ port => 443,
+ }
+ }
+ else {
+ $listen = 80
+ $server_properties = $archiva_server_properties
+
+ $force_https_site_ensure = 'absent'
+ }
+
+ $proxy_pass = "http://127.0.0.1:${::archiva::port}/"
+
+ nginx::site { 'archiva':
+ content => template('nginx/sites/simple-proxy.erb'),
+ }
+ nginx::site { 'archiva-force-https':
+ content => template('nginx/sites/force-https.erb'),
+ ensure => $force_https_site_ensure,
+ }
+
+ ferm::service { 'http':
+ proto => 'tcp',
+ port => 80,
+ }
+}
diff --git a/modules/maven/files/settings.xml b/modules/maven/files/settings.xml
index d6dff7e..37b4dea 100644
--- a/modules/maven/files/settings.xml
+++ b/modules/maven/files/settings.xml
@@ -12,13 +12,13 @@
 <id>system-wide-wmf-releases</id>
 <mirrorOf>wmf-releases</mirrorOf>
 <name>WMF Archiva. Released Artifacts</name>
- <url>http://archiva.wikimedia.org/repository/releases/</url>
+ <url>https://archiva.wikimedia.org/repository/releases/</url>
 </mirror>
 <mirror>
 <id>system-wide-wmf-mirrored-default</id>
 <mirrorOf>*,!system-wide-wmf-releases</mirrorOf>
 <name>WMF Archiva. Mirrored Artifacts</name>
- <url>http://archiva.wikimedia.org/repository/mirrored/</url>
+ <url>https://archiva.wikimedia.org/repository/mirrored/</url>
 </mirror>
 </mirrors>
 </settings>
diff --git a/templates/nginx/sites/force-https.erb b/templates/nginx/sites/force-https.erb
new file mode 100644
index 0000000..df69915
--- /dev/null
+++ b/templates/nginx/sites/force-https.erb
@@ -0,0 +1,8 @@
+# This file is managed by Puppet.
+
+## Nginx site to force all requests on port 80 to https
+
+server {
+ listen 80;
+ return 301 https://$host$request_uri;
+}
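Review bot: The class header says the certificate is expected under `/etc/ssl/localcert`, but the selector builds `/etc/ssl/localcerts/${certificate_name}.crt`; one of the two is wrong, and the comment should read `# assumed to be at /etc/ssl/localcerts/<certificate_name>.crt. If this is 'ssl-cert-snakeoil',`. The comment `# Set up simple Nginx reverse proxy to $archiva_port.` likewise names a variable this commit removes; the proxy now reads `${::archiva::port}`, which is resolved when the class is evaluated, so the "must be included on the same node" sentence should add that it has to be declared after `class { '::archiva': }` (the `->` arrow orders application, not evaluation). The "flatten" comment relies on the Puppet 3 parser collapsing the nested `[ $archiva_server_properties, ssl_ciphersuite(...), [...] ]`; if this ever runs under the future parser the nesting is preserved and the template's `.sort` would fail on an array element, so an explicit `flatten()` (stdlib, if available) would be more robust. Once HTTPS is confirmed to work for all Maven clients, adding `'add_header Strict-Transport-Security "max-age=<AGE_SECONDS>";'` to the SSL branch's properties would keep browsers and tooling from being sent back through the port 80 redirect.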
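Review bot: `return 301 https://$host$request_uri;` builds the redirect target from the client-supplied Host header, and the block declares no `server_name`, so any request arriving on port 80 is bounced to whatever hostname the client chose to name. For a single-purpose proxy a fixed target is safer: have the site supply a `server_name` (for example through a new template variable, as simple-proxy.erb does for `@listen`) and redirect with `return 301 https://$server_name$request_uri;`. The hard-coded `listen 80;` also means this "generic" template cannot be reused for a non-default port; taking a `@listen` parameter would keep the two templates consistent.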
diff --git a/templates/nginx/sites/simple-proxy.erb b/templates/nginx/sites/simple-proxy.erb index 467f5f0..788140f 100644 --- a/templates/nginx/sites/simple-proxy.erb +++ b/templates/nginx/sites/simple-proxy.erb @@ -4,21 +4,23 @@ # Parameters: # @listen - Example: host:port # @proxy_pass - Example: http://host:port/ -# @server_properties - Example: ['client_max_body_size 256M', 'other_thing 123'] -# @location_properties - Example: ['this_prop yes', 'one_more_prop 456'] +# @server_properties - Example: ['client_max_body_size 256M;', 'other_thing 123;'] +# @location_properties - Example: ['this_prop yes;', 'one_more_prop 456;'] # + + -%> server { listen <%= @listen %>; <% if @server_properties -%> - <%= @server_properties.sort.join(";\n ") -%>; + <%= @server_properties.sort.join("\n ") -%> <% end -%> location / { proxy_pass <%= @proxy_pass %>; <% if @location_properties -%> - <%= @location_properties.sort.join(";\n ") -%>; + <%= @location_properties.sort.join("\n ") -%> <% end -%> } } -- To view, visit https://gerrit.wikimedia.org/r/202474 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I3bfff6e632e0d5c26d710d8ab69dcc4d1ee8f3a1 Gerrit-PatchSet: 16 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ottomata <o...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Ottomata <o...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
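Review bot: Moving the trailing `;` out of the template and into each `@server_properties` / `@location_properties` element changes the contract for every site that renders this template, not only archiva; any other caller still passing semicolon-less strings (none are visible in this change, so this is a guess) would now produce an nginx config that fails validation on reload. Either confirm there are no other users of `simple-proxy.erb` before merging, or make the template accept both forms with `<%= @server_properties.map { |p| p.end_with?(';') ? p : "#{p};" }.sort.join("\n ") -%>` and the same for the location block. The two blank lines added in front of `-%>` look accidental and only pad the generated file.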