Switch haproxy to prefer a local mirrorlist server if available.

Allow port 443 connections from those proxies on mirrorlists.
Add hosts entries for proxy10 and proxy01 that should allow ssl to work right.
Will test this on one proxy/mirrorlist and move on to the others.

inventory/group_vars/mirrorlist2

@@ -5,7 +5,19 @@ num_cpus: 4
 # for systems that do not match the above - specify the same parameter in
 # the host_vars/$hostname file
 
-custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT' ]
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', 
+                '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 67.219.144.68/32 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 5.175.150.50/32 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 152.19.134.142/32 --dport 443 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 140.211.169.196/32 --dport 443 -j ACCEPT', ]
+
+custom6_rules: [ '-A INPUT -p tcp -m tcp -s 2610:28:3090:3001:dead:beef:cafe:fed3 --dport 443 -j ACCEPT',
+                 '-A INPUT -p tcp -m tcp -s 2604:1580:fe00:0:5054:ff:feae:702c --dport 443 -j ACCEPT',
+                 '-A INPUT -p tcp -m tcp -s 2a00:d1a0:1::131 --dport 443 -j ACCEPT', ]
+
 collectd_apache: true
 fas_client_groups: sysadmin-noc,fi-apprentice
 nrpe_procs_warn: 500

roles/haproxy/tasks/main.yml

@@ -10,7 +10,7 @@
   - haproxy
 
 - name: install haproxy/cfg in prod
-  copy: src={{ item.file }}
+  template: src={{ item.file }}
         dest={{ item.dest }}
         owner=root group=root mode=0600
   with_items:
@@ -22,7 +22,7 @@
   - haproxy
 
 - name: install haproxy.cfg in stg
-  copy: src={{ item.file }}
+  template: src={{ item.file }}
         dest={{ item.dest }}
         owner=root group=root mode=0600
   with_items:

roles/haproxy/templates/haproxy.cfg

@@ -42,11 +42,43 @@ listen  fp-wiki 0.0.0.0:10001
 listen  mirror-lists 0.0.0.0:10002
     balance hdr(appserver)
     timeout connect 30s
-    server  mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3
-    server  mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3
-    server  mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3
-    server  mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3
+{% if datacenter == 'dedicatedsolutions' %}
+    server  mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions.fedoraproject.org:443 check inter 5s rise 2 fall 3
+    server  mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup
+{% elif datacenter == 'host1plus' %}
+    server  mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-host1plus mirrorlist-host1plus.fedoraproject.org:443 check inter 5s rise 2 fall 3
+    server  mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup
+{% elif datacenter == 'ibiblio' %}
+    server  mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-ibiblio mirrorlist-ibiblio.fedoraproject.org:443 check inter 5s rise 2 fall 3
+    server  mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup
+{% elif datacenter == 'osuosl' %}
+    server  mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-osuosl mirrorlist-osuosl.fedoraproject.org:443 check inter 5s rise 2 fall 3
+    server  mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup
+{% elif datacenter == 'phx2' %}
+    server  mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup
+    server  mirrorlist-phx2 mirrorlist-phx2.fedoraproject.org:443 check inter 5s rise 2 fall 3
+{% else %}
     server  mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3
+    server  mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3
+    server  mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3
+    server  mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3
+    server  mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3
+{% endif %}
     option  httpchk GET /mirrorlist
     option  allbackups
 

roles/haproxy/templates/haproxy.cfg.stg

@@ -41,7 +41,7 @@ listen  fp-wiki 0.0.0.0:10001
 listen  mirror-lists 0.0.0.0:10002
     balance hdr(appserver)
     timeout connect 30s
-    server  mirrorlist-phx2 mirrorlist-phx2:80 check inter 10s rise 2 fall 3
+    server  mirrorlist-phx2 mirrorlist-phx2.stg.fedoraproject.org:80 check inter 10s rise 2 fall 3
     option  httpchk GET /mirrorlist
 
 listen  pkgdb 0.0.0.0:10003

roles/hosts/files/proxy01.phx2.fedoraproject.org-hosts

@@ -0,0 +1,4 @@
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+10.5.126.23 infrastructure.fedoraproject.org
+10.5.126.50 mirrorlist-phx2.fedoraproject.org

roles/hosts/files/proxy10.phx2.fedoraproject.org-hosts

@@ -0,0 +1,4 @@
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+10.5.126.23 infrastructure.fedoraproject.org
+10.5.126.50 mirrorlist-phx2.fedoraproject.org