Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions
ansible/inventory/group_vars/proxies
Kevin Fenzi 9eed96e3d6 proxies: open ocp4 api port in both stg and prod 
This fixes ticket 10521.

Basically we want to just open the api. It requires auth to do anything
and other openshift instances have it available, so it shouldn't
hopefully expose us to too much risk. With ocp3 the api was part of the
normal port/web flow, but with ocp4 it's a seperate port.

This also adds new workers to haproxy. I can drop that part if it's
controversal, but it should be fine I would think.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-03-03 22:29:37 +00:00

102 lines
4.7 KiB
Text
Raw Blame History

---
# Define resources for this group of hosts here.
blocked_ip_v6: []
blocked_ips: ['14.102.69.78', '104.219.54.236', '103.38.177.2', '110.172.140.98', '183.80.131.253', '113.190.178.137', '115.76.39.108', '116.109.31.204', '209.64.155.56']
collectd_apache: true
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Provides frontend (reverse) proxy for most web applications
csi_relationship: |
Using Apache -> haproxy, these hosts contact app servers and
other various hosts to provide web applications at sites like
fedoraproject.org and admin.fedoraproject.org. The proxy servers are
balanced via dns and geoIP and are spread all over the place.
# For the MOTD
csi_security_category: Moderate
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
# allow varnish from localhost
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
# also allow varnish from internal for purge requests
'-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.0/24 --dport 6081 -j ACCEPT',
# Allow happinesspackets.fedorainfracloud.org to talk to inbound fedmsg relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.58 -j ACCEPT',
# Allow openqa01 to talk to the inbound fedmsg relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 10.3.174.0/24 -j ACCEPT',
# For Zanata
# See files/httpd/website_id_fp_o_zanata.conf for info
'-A INPUT -p tcp -m tcp --dport 44342 -s 209.132.183.252 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
ipa_client_shell_groups:
- fi-apprentice
- sysadmin-noc
- sysadmin-veteran
- sysadmin-web
ipa_client_sudo_groups:
- sysadmin-web
ipa_host_group: proxies
ipa_host_group_desc: Proxies between internal hosts and the Internet
lvm_size: 50000
# This is used in the httpd.conf to determine the value for serverlimit and
# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this
# should be lowered in the host vars for that proxy.
maxrequestworkers: 1500
mem_size: 8192
nagios_Check_Services:
swap: false
nat_rules: [
# For Zanata, redirect 443/tcp -> 43342/tcp for TLS reasons
# See files/httpd/website_id_fp_o_zanata.conf for info
'-A PREROUTING -s 209.132.183.252 -p tcp --dport 443 -j REDIRECT --to 44342']
num_cpus: 6
ocp_masters:
- bootstrap.ocp.iad2.fedoraproject.org
- ocp01.ocp.iad2.fedoraproject.org
- ocp02.ocp.iad2.fedoraproject.org
- ocp03.ocp.iad2.fedoraproject.org
ocp_nodes:
- worker01.ocp.iad2.fedoraproject.org
- worker02.ocp.iad2.fedoraproject.org
- worker03.ocp.iad2.fedoraproject.org
- worker04.ocp.iad2.fedoraproject.org
- worker05.ocp.iad2.fedoraproject.org
- worker06.ocp.iad2.fedoraproject.org
openshift_masters:
- os-master01.vpn.fedoraproject.org
- os-master02.vpn.fedoraproject.org
- os-master03.vpn.fedoraproject.org
openshift_nodes:
- os-node01.vpn.fedoraproject.org
- os-node02.vpn.fedoraproject.org
- os-node03.vpn.fedoraproject.org
postvpnservices:
- haproxy
- varnish
primary_auth_source: ipa
tcp_ports: [
# For apache, generally.
80, 443,
# This is for TCP krb5
1088,
# This is for RabbitMQ public access
5671,
# openshift 4 api
6443,
# This is for RabbitMQ internal-public access
15671,
# This is for the haproxy HTML stats page
# TODO -- there's no need for this to be wide open to the world. With this
# in place, you can visit https://apps.fedoraproject.org:8080 and get the
# haproxy stats page. We should close this and just have admins go through
# the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
8080,
# This is for TOTP
8443,
# For fedmsg websocket server over stunnel
9939,
# For fedmsg raw zeromq socket (outbound)
9940,
# 9941 is closed generally, is for the inbound fedmsg and is covered in
# custom_rules
]
varnish_group: proxies
Reference in a new issue View git blame Copy permalink