diff --git a/playbooks/groups/proxies-reverseproxy.yml b/playbooks/groups/proxies-reverseproxy.yml index d45547b836..a4634251ef 100644 --- a/playbooks/groups/proxies-reverseproxy.yml +++ b/playbooks/groups/proxies-reverseproxy.yml @@ -267,7 +267,8 @@ localpath: /freemedia proxyurl: http://localhost:10011 - - role: httpd/reverseproxy + # This one gets its own role (instead of httpd/reverseproxy) so that it can + # copy in some silly static resources (globe.png, index.html) + - role: geoip-city-wsgi/proxy website: geoip.fedoraproject.org - destname: geoip-city-wsgi-proxy proxyurl: http://localhost:10029 diff --git a/playbooks/groups/proxies.yml b/playbooks/groups/proxies.yml index fa9ad5c683..7e4c3064a0 100644 --- a/playbooks/groups/proxies.yml +++ b/playbooks/groups/proxies.yml @@ -39,6 +39,8 @@ - include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/2fa_client.yml" - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/apache.yml" + - include: "{{ tasks }}/mod_wsgi.yml" handlers: - include: "{{ handlers }}/restart_services.yml" @@ -51,19 +53,18 @@ # - review-stats::build (bapp0*) # - membership-map::build (bapp0*) # - # - iptables rules for fedmsg inbound - # - sebooleans - # - semanage_port - # - semanagefcontext # - geoipwsgi app itself # + ## TBD + # - sysctl ip_conntrack_max bits - do we still need this on rhel7? + # - semanage ports.. we're likely going to need one for every app. + # - sebooleans.. let's try running first, see what gets blocked, and then + # selectively enable where semanage port fails + # ## Not going to do # - smolt::proxy -- note going to do this. smolt is dead. long live smolt. # - domainnotarget stuff - only smolt used this # - ## TBD - # - sysctl ip_conntrack_max bits - do we still need this on rhel7? - # # After setting up the "basics" of the proxy hosts above, here below we break # out the proxy-specific configuration into a couple different sub-playbooks. 
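Review bot: The `@@ -39,6 +39,8 @@` hunk of playbooks/groups/proxies.yml adds `- include: "{{ tasks }}/mod_wsgi.yml"` for every proxy host without a comment saying what is meant to run under it. The proxy role added in this same commit only forwards `/city` to `proxyurl` with `RewriteRule ... [P,L]`, which relies on mod_rewrite and mod_proxy rather than mod_wsgi. The module therefore looks unused on these hosts, unless the "geoipwsgi app itself" item in the to-do comment is meant to land here. Since the comments in this file describe the proxies as more forward-facing than other machines, I would either hold the include back until an app needs it or document it with a line such as `# mod_wsgi: required by <app name>, served directly from the proxies`. The task list begins outside the hunk, so earlier includes are not visible.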
@@ -77,3 +78,32 @@ - include: proxies-fedora-web.yml - include: proxies-haproxy.yml - include: proxies-miscellaneous.yml + +#- name: Some after the after stuff for proxies. +# hosts: proxies-stg +# user: root +# gather_facts: False +# +# vars_files: +# - /srv/web/infra/ansible/vars/global.yml +# - "{{ private }}/vars.yml" +# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml +# +# tasks: +# +# ## TODO - we should audit each one of these sebooleans to make sure they're +# ## really necessary. The proxies are more forward-facing than other machines +# ## so we should take a little more care.. +# ## Really, before we are generally allowing httpd to do stuff carte blanche, +# ## we should lock things down with 'semanage port' first. See +# ## roles/fedmsg/base/ for an example. +# # +# #- name: Set some sebooleans +# # seboolean: name={{item}} state=true persistent=true +# # with_items: +# # - httpd_can_network_connect_db +# # - httpd_can_network_relay +# # - httpd_can_network_connect +# # - allow_ypbind +# # tags: +# # - selinux diff --git a/roles/geoip-city-wsgi/app/tasks/main.yml b/roles/geoip-city-wsgi/app/tasks/main.yml index 2fa547f0a8..04e52e66f9 100644 --- a/roles/geoip-city-wsgi/app/tasks/main.yml +++ b/roles/geoip-city-wsgi/app/tasks/main.yml @@ -8,6 +8,8 @@ yum: name=python-paste-deploy state=present tags: - packages + - geoip-city-wsgi + - geoip-city-wsgi/app - name: install geoip-city-wsgi.conf file copy: > @@ -21,6 +23,8 @@ tags: - geoip_config - config + - geoip-city-wsgi + - geoip-city-wsgi/app - name: setup /usr/share/geoip-city-wsgi directory file: > @@ -32,6 +36,8 @@ tags: - geoip_config - config + - geoip-city-wsgi + - geoip-city-wsgi/app - name: install geoip-city.wsgi file copy: > @@ -45,3 +51,5 @@ tags: - geoip_config - config + - geoip-city-wsgi + - geoip-city-wsgi/app 
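Review bot: The commented-out play appended after `- include: proxies-miscellaneous.yml` keeps a ready-to-enable seboolean list that is broader than anything this commit needs. `allow_ypbind` is a system-wide NIS boolean unrelated to httpd, and `httpd_can_network_connect` permits outbound TCP from httpd to any port, when only the loopback backend at `proxyurl` needs to be reached. The play also sets `gather_facts: False` while its `vars_files` entry uses `{{ ansible_distribution }}`, which resolves only if an earlier play in the same run has already gathered facts for these hosts. I would replace the dead YAML with a short comment, e.g. `# selinux: label proxied backend ports via semanage port first; enable httpd_* booleans one at a time, never allow_ypbind`, so the block cannot be uncommented wholesale later.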
diff --git a/roles/geoip-city-wsgi/proxy/files/globe.png b/roles/geoip-city-wsgi/proxy/files/globe.png new file mode 100644 index 0000000000..59fa7470ab Binary files /dev/null and b/roles/geoip-city-wsgi/proxy/files/globe.png differ diff --git a/roles/geoip-city-wsgi/proxy/files/index.html b/roles/geoip-city-wsgi/proxy/files/index.html new file mode 100644 index 0000000000..5ba340449d --- /dev/null +++ b/roles/geoip-city-wsgi/proxy/files/index.html @@ -0,0 +1,40 @@ + + + + + + +
+

geoip

+

+ This service is running + geoip city wsgi. +


+ Try it out! +
+ +

+
+
+
+
diff --git a/roles/geoip-city-wsgi/proxy/tasks/main.yml b/roles/geoip-city-wsgi/proxy/tasks/main.yml
new file mode 100644
index 0000000000..9358f42f04
--- /dev/null
+++ b/roles/geoip-city-wsgi/proxy/tasks/main.yml
@@ -0,0 +1,25 @@
+- name: Copy in the proxy conf
+ template: >
+ src=geoip-city-wsgi-proxy.conf
+ dest=/etc/httpd/conf.d/{{website}}/geoip-city-wsgi-proxy.conf
+ owner=root group=root mode=0644
+ notify:
+ - restart httpd
+ tags:
+ - geoip-city-wsgi
+ - geoip-city-wsgi/proxy
+
+- name: Make a dir for our fancy about page. So chic!
+ file: dest=/srv/web/geoip state=directory mode=0644 owner=root group=root
+ tags:
+ - geoip-city-wsgi
+ - geoip-city-wsgi/proxy
+
+- name: "Copy in the fancy about page stuff. It's like wsgi with geoip aioli"
+ copy: src={{item}} dest=/srv/web/geoip/{{item}} mode=0644 owner=root group=root
+ with_items:
+ - index.html
+ - globe.png
+ tags:
+ - geoip-city-wsgi
+ - geoip-city-wsgi/proxy
diff --git a/roles/geoip-city-wsgi/proxy/templates/geoip-city-wsgi-proxy.conf b/roles/geoip-city-wsgi/proxy/templates/geoip-city-wsgi-proxy.conf
new file mode 100644
index 0000000000..a47a72eefc
--- /dev/null
+++ b/roles/geoip-city-wsgi/proxy/templates/geoip-city-wsgi-proxy.conf
@@ -0,0 +1,6 @@
+RewriteEngine On
+
+RewriteRule ^/city(.*) {{proxyurl}}/city$1 [P,L]
+ProxyPassReverse /city {{proxyurl}}/city
+
+Alias / /srv/web/geoip/
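Review bot: In roles/geoip-city-wsgi/proxy/tasks/main.yml the `file:` task creates the directory `/srv/web/geoip` with `mode=0644`, which leaves it without the search (x) bit. The httpd worker user then cannot traverse into it to read `index.html` or `globe.png`, even though the files themselves are world-readable. The line should read `file: dest=/srv/web/geoip state=directory mode=0755 owner=root group=root`; root ownership with no group or other write access is already right for static content on an internet-facing host. Under SELinux enforcing the new path will probably also need an httpd-readable file context, and the `semanagefcontext` to-do item is removed from the comment list in playbooks/groups/proxies.yml by this same commit, so it is worth tracking somewhere.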
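Review bot: In the new geoip-city-wsgi-proxy.conf template, `RewriteRule ^/city(.*)` is not anchored on a path boundary, so any request path that merely begins with `/city` (a constructed example: `/cityfoo`) is forwarded to the backend instead of falling through to the static `Alias`. Tightening it to `RewriteRule ^/city(/.*)?$ {{proxyurl}}/city$1 [P,L]` keeps the proxied surface to the `/city` path itself. `Alias / /srv/web/geoip/` also has no matching `<Directory /srv/web/geoip>` block in this file. On httpd 2.4 that directory needs `Require all granted`, ideally with `Options -Indexes` and `AllowOverride None`, unless the enclosing vhost configuration already supplies it, which is not visible here.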