From eb787777b055da22c7f06806fb848781a68a21b5 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 5 Apr 2017 19:07:01 +0000
Subject: [PATCH] make varnish role more general and add in config for a new varnish on kojipkgs

---
 inventory/group_vars/kojipkgs | 2 +
 inventory/group_vars/proxies | 2 +
 inventory/group_vars/proxies-stg | 1 +
 roles/varnish/files/{varnish => varnish.el7} | 0
 roles/varnish/files/varnish.f25 | 32 +++++++
 roles/varnish/tasks/main.yml | 21 +++--
 roles/varnish/templates/kojipkgs.vcl.j2 | 94 +++++++++++++++++++
 .../{proxy.vcl.j2 => proxies.vcl.j2} | 0
 8 files changed, 144 insertions(+), 8 deletions(-)
 rename roles/varnish/files/{varnish => varnish.el7} (100%)
 create mode 100644 roles/varnish/files/varnish.f25
 create mode 100644 roles/varnish/templates/kojipkgs.vcl.j2
 rename roles/varnish/templates/{proxy.vcl.j2 => proxies.vcl.j2} (100%)

diff --git a/inventory/group_vars/kojipkgs b/inventory/group_vars/kojipkgs
index d9745dbe35..94b14ced4c 100644
--- a/inventory/group_vars/kojipkgs
+++ b/inventory/group_vars/kojipkgs
@@ -15,6 +15,8 @@ tcp_ports: [80, 443, 8080]
 fas_client_groups: sysadmin-releng,sysadmin-noc
+varnish_group: kojipkgs
+
 # For the MOTD
 csi_security_category: Moderate
 csi_primary_contact: Fedora admins - admin@fedoraproject.org
diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index e5767e78e7..a39282ee67 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -88,6 +88,8 @@ fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
 collectd_apache: true
+varnish_group: proxies
+
 # For the MOTD
 csi_security_category: Moderate
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg
index 7988338b7a..04083b7d32 100644
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
@@ -76,6 +76,7 @@ custom_rules: [
 fas_client_groups: sysadmin-noc,fi-apprentice,sysadmin-web,sysadmin-veteran
 collectd_apache: true
+varnish_group: proxies
 # For the MOTD
 csi_security_category: Moderate
diff --git a/roles/varnish/files/varnish b/roles/varnish/files/varnish.el7
similarity index 100%
rename from roles/varnish/files/varnish
rename to roles/varnish/files/varnish.el7
diff --git a/roles/varnish/files/varnish.f25 b/roles/varnish/files/varnish.f25
new file mode 100644
index 0000000000..a348db526b
--- /dev/null
+++ b/roles/varnish/files/varnish.f25
@@ -0,0 +1,32 @@
+# Varnish environment configuration description. This was derived from
+# the old style sysconfig/defaults settings
+
+# Set this to 1 to make systemd reload try to switch VCL without restart.
+RELOAD_VCL=1
+
+# Main configuration file. You probably want to change it.
+VARNISH_VCL_CONF=/etc/varnish/default.vcl
+
+# Default address and port to bind to. Blank address means all IPv4
+# and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted
+# quad, or an IPv6 address in brackets.
+# VARNISH_LISTEN_ADDRESS=192.168.1.5
+VARNISH_LISTEN_PORT=6081
+
+# Admin interface listen address and port
+VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
+VARNISH_ADMIN_LISTEN_PORT=6082
+
+# Shared secret file for admin interface
+VARNISH_SECRET_FILE=/etc/varnish/secret
+
+# Backend storage specification, see Storage Types in the varnishd(5)
+# man page for details.
+VARNISH_STORAGE="malloc,256M"
+
+# User and group for the varnishd worker processes
+VARNISH_USER=varnish
+VARNISH_GROUP=varnish
+
+# Other options, see the man page varnishd(1)
+#DAEMON_OPTS="-p thread_pool_min=5 -p thread_pool_max=500 -p thread_pool_timeout=300"
diff --git a/roles/varnish/tasks/main.yml b/roles/varnish/tasks/main.yml
index cede840941..5fb573df43 100644
--- a/roles/varnish/tasks/main.yml
+++ b/roles/varnish/tasks/main.yml
@@ -15,19 +15,24 @@
 - varnish
 - selinux
-- name: install varnish /etc/sysconfig/varnish
- copy: src={{ item.file }} dest={{ item.dest }}
- owner=root group=root
- with_items:
- - { file: varnish, dest: /etc/sysconfig/varnish }
+- name: install varnish /etc/sysconfig/varnish file (el7
+ copy: src=varnish.el7 dest=/etc/sysconfig/varnish owner=root group=root
 notify:
 - restart varnish
 tags:
 - varnish
+ when: ansible_distribution_major_version|int == 7
-- name: install /etc/varnish/default.vcl
- template: src=proxy.vcl.j2 dest=/etc/varnish/default.vcl
- owner=root group=root
+- name: install varnish /etc/sysconfig/varnish file (fedora)
+ copy: src=varnish.f25 dest=/etc/varnish/varnish.params owner=root group=root
+ notify:
+ - restart varnish
+ tags:
+ - varnish
+ when: ansible_distribution_major_version|int > 24
+
+- name: install /etc/varnish/default.vcl (proxies)
+ template: src={{ varnish_group }}.vcl.j2 dest=/etc/varnish/default.vcl owner=root group=root
 notify:
 - restart varnish
 tags:
diff --git a/roles/varnish/templates/kojipkgs.vcl.j2 b/roles/varnish/templates/kojipkgs.vcl.j2
new file mode 100644
index 0000000000..e21c96a4e9
--- /dev/null
+++ b/roles/varnish/templates/kojipkgs.vcl.j2
@@ -0,0 +1,94 @@
+vcl 5.0;
+
+import directors;
+
+#
+# These nets/machines are allowed /repo access
+#
+acl repoallowed {
+ "10.5.125.0"/24;
+ "10.5.127.0"/24;
+ "10.5.129.0"/24;
+ "10.5.126.14"/32;
+ "10.5.126.223"/32;
+ "10.5.126.224"/32;
+ "10.5.126.225"/32;
+ "10.5.126.226"/32;
+}
+
+acl pdc {
+ "10.5.126.134"/32;
+}
+
+acl proxies {
+ "10.5.126.51"/32;
+ "10.5.126.52"/32;
+}
+
+acl purge {
+ "127.0.0.1"/32;
+}
+
+backend local-apache {
+ .host = "127.0.0.1";
+ .port = "8080";
+ .probe = {
+ .url = "/";
+ .interval = 5s;
+ .timeout = 1s;
+ .window = 5;
+ .threshold = 3; }
+}
+
+sub vcl_synth {
+ set resp.http.Content-Type = "text/html; charset=utf-8";
+ set resp.http.Retry-After = "5";
+ synthetic( {" + + + "} + resp.status + " " + resp.reason + {" + +
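Review bot: The rewritten VCL task resolves `src={{ varnish_group }}.vcl.j2`, but nothing in the role gives `varnish_group` a default, so any host that applies this role without one of the three inventory additions in this commit now fails on an undefined variable instead of getting the previous proxy.vcl.j2 behaviour; a role default of `varnish_group: proxies` (in the role's conventional defaults file) would keep those hosts working. The task name still reads `(proxies)` although the template is now chosen per group, and the el7 task name is missing its closing parenthesis — `- name: install varnish /etc/sysconfig/varnish file (el7)`. The fedora task is named after `/etc/sysconfig/varnish` while it actually installs to `/etc/varnish/varnish.params`; naming it after the real destination avoids confusion when reading play output.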

Error "} + resp.status + " " + resp.reason + {"

+

"} + resp.reason + {"

+

Guru Meditation:

+

XID: "} + req.xid + {"

+
+

Varnish cache server on {{ inventory_hostname }}

+ + +"} );
+ return (deliver);
+}
+
+sub vcl_recv {
+ if (req.method == "PURGE") {
+ if (!client.ip ~ purge) {
+ return (synth(405, "Not allowed"));
+ }
+ return(purge);
+ }
+
+ if (req.url ~ "^/repo/") {
+ if (client.ip ~ repoallowed) {
+ set req.backend_hint = apache-local;
+ unset req.http.cookie;
+ set req.http.clear-cookies = "yes";
+ }
+ else {
+ return(synth(403, "Access denied."));
+ }
+ }
+ if (req.url ~ "^/mash/") {
+ set req.backend_hint = apache-local;
+ return (pipe);
+ }
+ if (req.url ~ "^/compose/") {
+ set req.backend_hint = apache-local;
+ return (pipe);
+ }
+#
+# deny the open264 rpms and such
+# if (req.url ~ openh264)
+#
+}
diff --git a/roles/varnish/templates/proxy.vcl.j2 b/roles/varnish/templates/proxies.vcl.j2
similarity index 100%
rename from roles/varnish/templates/proxy.vcl.j2
rename to roles/varnish/templates/proxies.vcl.j2
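Review bot: `vcl_recv` sets `req.backend_hint = apache-local;` for `/repo/`, `/mash/` and `/compose/`, but the only backend declared in this template is `local-apache`, so the VCL will be rejected at load time and the restart handler will leave the host with no working cache config; rename the three references to `local-apache` (or the backend to `apache-local`). The first line `vcl 5.0;` also does not look like a VCL syntax version Varnish accepts — the syntax version is `vcl 4.0;` regardless of the daemon version — so this is worth checking against the varnish package these hosts get. `acl pdc` and `acl proxies` are declared but never referenced; if requests reach this host through the addresses in `acl proxies`, `client.ip` in the `repoallowed` check is the proxy rather than the original client, so confirm that is the intended trust boundary for `/repo/` or drop the unused ACLs.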