ansible/inventory/group_vars/proxies-stg

---
# Define resources for this group of hosts here.
lvm_size: 50000
mem_size: 8192
num_cpus: 2

# This is used in the httpd.conf to determine the value for serverlimit and 
# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this 
# should be lowered in the host vars for that proxy.
maxrequestworkers: 900

tcp_ports: [
    # For apache, generally.
    80,
    443,

    # This is for TCP krb5
    1088,

    # This is for RabbitMQ public access
    5671,
    # This is for RabbitMQ internal-public access
    15671,

    # This is for the haproxy HTML stats page
    # TODO -- there's no need for this to be wide open to the world.  With this
    # in place, you can visit https://apps.fedoraproject.org:8080 and get the
    # haproxy stats page.  We should close this and just have admins go through
    # the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
    8080,

    # For fedmsg websocket server over stunnel
    9939,
    # For fedmsg raw zeromq socket (outbound)
    9940,
    # 9941 is closed generally, is for the inbound fedmsg and is covered in
    # custom_rules
 ]
custom_rules: [
    # Need for rsync from log01 for logs.
    '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',

    # allow varnish from localhost
    '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',

    # also allow varnish from internal for purge requests
    '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
    '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',

    # Allow copr-be.cloud to talk to the inbound fedmsg relay.
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.131 -j ACCEPT',

    # Allow stg.fedoramagazine.org running at vultr.com to talk inbound fedmsg
    # Contact cydrobolt about the status of this.  It hasn't hit prod status
    # yet as of 2015-04-27 (threebean).
    '-A INPUT -p tcp -m tcp --dport 9941 -s 104.207.133.220 -j ACCEPT',

    # Allow retrace/faf to talk to the inbound fedmsg relay.
    # retrace01.qa.fedoraproject.org
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.28 -j ACCEPT',
    # retrace02.qa.fedoraproject.org
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.34 -j ACCEPT',

    # Allow resultsdb talk to the inbound fedmsg relay.
    '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.124.147 -j ACCEPT',

    # Allow openqa to talk to the inbound fedmsg relay.
    '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.131.72 -j ACCEPT',
    
    # Allow happinesspackets-stg.fedorainfracloud.org to talk to the inbound fedmsg relay
    '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.123 -j ACCEPT',
 ]

fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran

collectd_apache: true
varnish_group: proxies

# For the MOTD
csi_security_category: Moderate
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Provides frontend (reverse) proxy for most web applications
csi_relationship: |
    Using Apache -> haproxy, these hosts contact app servers and
        other various hosts to provide web applications at sites like
        fedoraproject.org and admin.fedoraproject.org.  The proxy servers are
        balanced via dns and geoIP and are spread all over the place.

openshift_masters:
- os-master01.stg.phx2.fedoraproject.org
- os-master02.stg.phx2.fedoraproject.org
- os-master03.stg.phx2.fedoraproject.org

openshift_nodes:
- os-node01.stg.phx2.fedoraproject.org
- os-node02.stg.phx2.fedoraproject.org
- os-node03.stg.phx2.fedoraproject.org
- os-node04.stg.phx2.fedoraproject.org
Add a proxy02.stg instance 2014-12-07 16:53:39 +00:00			`---`
iptables rules for proxies-stg. 2014-12-17 18:46:27 +00:00			`# Define resources for this group of hosts here.`
Give proxies more disk Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-11-21 21:48:23 +00:00			`lvm_size: 50000`
Add a proxy02.stg instance 2014-12-07 16:53:39 +00:00			`mem_size: 8192`
			`num_cpus: 2`

Stab at making our lower mem proxies happier so they don't nagios flood us 2015-02-06 18:16:31 +00:00			`# This is used in the httpd.conf to determine the value for serverlimit and`
			`# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this`
			`# should be lowered in the host vars for that proxy.`
			`maxrequestworkers: 900`

iptables rules for proxies-stg. 2014-12-17 18:46:27 +00:00			`tcp_ports: [`
			`# For apache, generally.`
			`80,`
			`443,`

Open port 1088 on the proxies Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-25 16:52:51 +00:00			`# This is for TCP krb5`
We aren't alone in this list Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-25 16:53:31 +00:00			`1088,`
Open port 1088 on the proxies Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-10-25 16:52:51 +00:00
Add rabbitmq proxying to the proxies Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org> 2019-03-06 21:11:12 +01:00			`# This is for RabbitMQ public access`
			`5671,`
			`# This is for RabbitMQ internal-public access`
			`15671,`

iptables rules for proxies-stg. 2014-12-17 18:46:27 +00:00			`# This is for the haproxy HTML stats page`
			`# TODO -- there's no need for this to be wide open to the world. With this`
			`# in place, you can visit https://apps.fedoraproject.org:8080 and get the`
			`# haproxy stats page. We should close this and just have admins go through`
			`# the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1`
			`8080,`

			`# For fedmsg websocket server over stunnel`
			`9939,`
			`# For fedmsg raw zeromq socket (outbound)`
			`9940,`
			`# 9941 is closed generally, is for the inbound fedmsg and is covered in`
			`# custom_rules`
			`]`
Add a proxy02.stg instance 2014-12-07 16:53:39 +00:00			`custom_rules: [`
			`# Need for rsync from log01 for logs.`
			`'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',`
			`'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',`

Allow direct varnish access for internal hosts This allows internal that are in the purge acl to issue purge requests. Apache won't forward purge, since it doesn't know what that is. 2015-03-05 00:41:37 +00:00			`# allow varnish from localhost`
Some more proxy adjustments 2015-01-21 17:21:54 +00:00			`'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',`
			`'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',`

Allow direct varnish access for internal hosts This allows internal that are in the purge acl to issue purge requests. Apache won't forward purge, since it doesn't know what that is. 2015-03-05 00:41:37 +00:00			`# also allow varnish from internal for purge requests`
			`'-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',`
			`'-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',`

iptables rules for proxies-stg. 2014-12-17 18:46:27 +00:00			`# Allow copr-be.cloud to talk to the inbound fedmsg relay.`
			`'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.131 -j ACCEPT',`
Allow stg.fedoramagazine.org to talk to our stg fedmsg bus. 2015-03-21 00:06:44 +00:00
			`# Allow stg.fedoramagazine.org running at vultr.com to talk inbound fedmsg`
Add a comment about this stg firewall rule. 2015-04-27 15:32:36 +00:00			`# Contact cydrobolt about the status of this. It hasn't hit prod status`
			`# yet as of 2015-04-27 (threebean).`
Allow stg.fedoramagazine.org to talk to our stg fedmsg bus. 2015-03-21 00:06:44 +00:00			`'-A INPUT -p tcp -m tcp --dport 9941 -s 104.207.133.220 -j ACCEPT',`
Let retrace0{1,2}.qa talk to our stg fedmsg bus for testing and science (and faf and abrt). 2015-04-27 15:32:59 +00:00
			`# Allow retrace/faf to talk to the inbound fedmsg relay.`
			`# retrace01.qa.fedoraproject.org`
			`'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.28 -j ACCEPT',`
			`# retrace02.qa.fedoraproject.org`
			`'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.181.34 -j ACCEPT',`

Let resultsdb talk to the inbound fedmsg relay (iptables). 2015-10-07 18:06:36 +00:00			`# Allow resultsdb talk to the inbound fedmsg relay.`
			`'-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.124.147 -j ACCEPT',`
Let openqa-stg01 talk to the staging fedmsg relay. 2016-03-10 21:26:08 +00:00
			`# Allow openqa to talk to the inbound fedmsg relay.`
			`'-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.131.72 -j ACCEPT',`
Add happinesspackets-stg. Add fedmsg/base to both to get fedmsg certs. Adjust proxies firewall to allow sending. 2018-07-03 17:48:23 +00:00
			`# Allow happinesspackets-stg.fedorainfracloud.org to talk to the inbound fedmsg relay`
happinesspackets-stg is cloud, thus .184, not .181 (PHX2) Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2018-07-18 21:05:34 +02:00			`'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.123 -j ACCEPT',`
iptables rules for proxies-stg. 2014-12-17 18:46:27 +00:00			`]`
Add a proxy02.stg instance 2014-12-07 16:53:39 +00:00
Add sysadmin-veteran with shell anywhere that sysadmin-noc and/or fi-apprentice had access 2016-05-17 00:18:04 +00:00			`fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran`
Add CSI info for staging proxies. 2015-01-06 14:26:17 +00:00
Lets add some collect_apache to proxies. 2015-02-22 15:34:46 +00:00			`collectd_apache: true`
make varnish role more general and add in config for a new varnish on kojipkgs 2017-04-05 19:07:01 +00:00			`varnish_group: proxies`
Lets add some collect_apache to proxies. 2015-02-22 15:34:46 +00:00
Add CSI info for staging proxies. 2015-01-06 14:26:17 +00:00			`# For the MOTD`
			`csi_security_category: Moderate`
			`csi_primary_contact: Fedora Admins - admin@fedoraproject.org`
			`csi_purpose: Provides frontend (reverse) proxy for most web applications`
			`csi_relationship: \|`
			`Using Apache -> haproxy, these hosts contact app servers and`
More whitespace. 2015-01-06 14:28:37 +00:00			`other various hosts to provide web applications at sites like`
Whitespace. 2015-01-06 14:30:27 +00:00			`fedoraproject.org and admin.fedoraproject.org. The proxy servers are`
More whitespace. 2015-01-06 14:28:37 +00:00			`balanced via dns and geoIP and are spread all over the place.`
Move to apache balancer for all openshift Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org> 2018-09-28 18:11:51 +02:00
			`openshift_masters:`
			`- os-master01.stg.phx2.fedoraproject.org`
			`- os-master02.stg.phx2.fedoraproject.org`
			`- os-master03.stg.phx2.fedoraproject.org`

			`openshift_nodes:`
			`- os-node01.stg.phx2.fedoraproject.org`
			`- os-node02.stg.phx2.fedoraproject.org`
			`- os-node03.stg.phx2.fedoraproject.org`
			`- os-node04.stg.phx2.fedoraproject.org`