From 553da4b2139e07f049d85740fbed940859f00e23 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 31 May 2015 17:17:41 +0000 Subject: [PATCH] Switch haproxy to prefer a local mirrorlist server if available. Allow port 443 connections from those proxies on mirrorlists. Add hosts entries for proxy10 and proxy01 that should allow ssl to work right. Will test this on one proxy/mirrorlist and move on to the others. --- inventory/group_vars/mirrorlist2 | 14 ++++++- roles/haproxy/tasks/main.yml | 4 +- .../haproxy/{files => templates}/haproxy.cfg | 40 +++++++++++++++++-- .../{files => templates}/haproxy.cfg.stg | 2 +- .../proxy01.phx2.fedoraproject.org-hosts | 4 ++ .../proxy10.phx2.fedoraproject.org-hosts | 4 ++ 6 files changed, 60 insertions(+), 8 deletions(-) rename roles/haproxy/{files => templates}/haproxy.cfg (76%) rename roles/haproxy/{files => templates}/haproxy.cfg.stg (98%) create mode 100644 roles/hosts/files/proxy01.phx2.fedoraproject.org-hosts create mode 100644 roles/hosts/files/proxy10.phx2.fedoraproject.org-hosts diff --git a/inventory/group_vars/mirrorlist2 b/inventory/group_vars/mirrorlist2 index 0884e9ed94..8b5854536d 100644 --- a/inventory/group_vars/mirrorlist2 +++ b/inventory/group_vars/mirrorlist2 
@@ -5,7 +5,19 @@ num_cpus: 4 # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file -custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 67.219.144.68/32 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 5.175.150.50/32 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 152.19.134.142/32 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 140.211.169.196/32 --dport 443 -j ACCEPT', ] + +custom6_rules: [ '-A INPUT -p tcp -m tcp -s 2610:28:3090:3001:dead:beef:cafe:fed3 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 2604:1580:fe00:0:5054:ff:feae:702c --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 2a00:d1a0:1::131 --dport 443 -j ACCEPT', ] + collectd_apache: true fas_client_groups: sysadmin-noc,fi-apprentice nrpe_procs_warn: 500 diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index 2982caa44c..6c41747b7f 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -10,7 +10,7 @@ - haproxy - name: install haproxy/cfg in prod - copy: src={{ item.file }} + template: src={{ item.file }} dest={{ item.dest }} owner=root group=root mode=0600 with_items: @@ -22,7 +22,7 @@ - haproxy - name: install haproxy.cfg in stg - copy: src={{ item.file }} + template: src={{ item.file }} dest={{ item.dest }} owner=root group=root mode=0600 with_items: diff --git a/roles/haproxy/files/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg similarity index 76% rename from roles/haproxy/files/haproxy.cfg rename to roles/haproxy/templates/haproxy.cfg index 7a4b6cd147..c3d415990a 100644 
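Review bot: The source addresses added to `custom_rules` and `custom6_rules` carry no indication of which proxy each one belongs to, so an entry left behind after a proxy is renumbered or retired cannot be spotted in review and would keep port 443 open to whoever holds that address next. Writing the lists in block form allows a comment per entry, e.g. `# <PROXY_HOSTNAME>` above `- '-A INPUT -p tcp -m tcp -s 67.219.144.68/32 --dport 443 -j ACCEPT'`. The IPv4 list adds four /32 sources while the IPv6 list adds three; if the fourth proxy has an IPv6 address it is missing here, and if it has none a comment saying so would settle the question. The two private ranges (`192.168.0.0/16`, `10.5.126.0/24`) now reach 443 for every host in them, which is wider than the per-proxy rules that follow and worth confirming as intended.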
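Review bot: Neither task checks the rendered file before installing it, and with `template:` in place of `copy:` a rendering mistake now lands directly in the live haproxy configuration. Adding `validate='haproxy -c -f %s'` to the `template:` arguments of `install haproxy/cfg in prod` makes Ansible reject a file haproxy cannot parse; the `install haproxy.cfg in stg` hunk needs the same addition. Both tasks continue past the visible lines (`with_items:` and what follows), so any handler or restart wiring cannot be judged from here.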
--- a/roles/haproxy/files/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg 
@@ -42,11 +42,43 @@ listen fp-wiki 0.0.0.0:10001 listen mirror-lists 0.0.0.0:10002 balance hdr(appserver) timeout connect 30s - server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 - server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 - server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 +{% if datacenter == 'dedicatedsolutions' %} + server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions.fedoraproject.org:443 check inter 5s rise 2 fall 3 + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup +{% elif datacenter == 'host1plus' %} + server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-host1plus mirrorlist-host1plus.fedoraproject.org:443 check inter 5s rise 2 fall 3 + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup +{% elif datacenter == 'ibiblio' %} + server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-ibiblio mirrorlist-ibiblio.fedoraproject.org:443 check inter 5s rise 2 fall 3 + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup +{% elif datacenter == 'osuosl' %} + server 
mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-osuosl mirrorlist-osuosl.fedoraproject.org:443 check inter 5s rise 2 fall 3 + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup +{% elif datacenter == 'phx2' %} + server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-phx2 mirrorlist-phx2.fedoraproject.org:443 check inter 5s rise 2 fall 3 +{% else %} server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 +{% endif %} option httpchk GET /mirrorlist option allbackups diff --git a/roles/haproxy/files/haproxy.cfg.stg b/roles/haproxy/templates/haproxy.cfg.stg similarity index 98% rename from roles/haproxy/files/haproxy.cfg.stg rename to roles/haproxy/templates/haproxy.cfg.stg index 6acc0fd3e7..9a5887da53 100644 --- a/roles/haproxy/files/haproxy.cfg.stg +++ b/roles/haproxy/templates/haproxy.cfg.stg 
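Review bot: The five per-datacenter `server` lines that now target `:443` have no `ssl` keyword, so as far as the visible lines show haproxy would open a cleartext connection to the TLS port and send the `option httpchk GET /mirrorlist` probe in cleartext as well. If TLS to the local mirrorlist is the intent, as the commit message suggests, each of those lines needs `ssl` together with certificate verification, e.g. `server mirrorlist-phx2 mirrorlist-phx2.fedoraproject.org:443 ssl verify required ca-file <CA_BUNDLE_PATH> check inter 5s rise 2 fall 3`. Without verification, the address pinned in the hosts files is the only thing tying the connection to the intended server. The template also assumes `datacenter` is defined on every host that receives this file, and the `listen mirror-lists` block starts before and ends after the changed lines.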
@@ -41,7 +41,7 @@ listen fp-wiki 0.0.0.0:10001 listen mirror-lists 0.0.0.0:10002 balance hdr(appserver) timeout connect 30s - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 10s rise 2 fall 3 + server mirrorlist-phx2 mirrorlist-phx2.stg.fedoraproject.org:80 check inter 10s rise 2 fall 3 option httpchk GET /mirrorlist listen pkgdb 0.0.0.0:10003 diff --git a/roles/hosts/files/proxy01.phx2.fedoraproject.org-hosts b/roles/hosts/files/proxy01.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..02cf5fa67f --- /dev/null +++ b/roles/hosts/files/proxy01.phx2.fedoraproject.org-hosts @@ -0,0 +1,4 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.50 mirrorlist-phx2.fedoraproject.org diff --git a/roles/hosts/files/proxy10.phx2.fedoraproject.org-hosts b/roles/hosts/files/proxy10.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..02cf5fa67f --- /dev/null +++ b/roles/hosts/files/proxy10.phx2.fedoraproject.org-hosts @@ -0,0 +1,4 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.50 mirrorlist-phx2.fedoraproject.org
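Review bot: The pinned entry `10.5.126.50 mirrorlist-phx2.fedoraproject.org` in the new proxy01 hosts file overrides DNS with no comment explaining why, so a later renumbering of the mirrorlist server would leave haproxy connecting to whatever then answers on that address. A one-line comment above it, such as `# pinned for the haproxy mirror-lists backend; keep in sync with DNS`, would record the dependency. The proxy10 file added after it is byte-identical (same blob `02cf5fa67f`), so the same comment applies there, and the two hosts could share one source file to avoid drift.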