Try setting up geoip-city-wsgi/proxy.

playbooks/groups/proxies-reverseproxy.yml

@@ -267,7 +267,8 @@
     localpath: /freemedia
     proxyurl: http://localhost:10011
 
-  - role: httpd/reverseproxy
+  # This one gets its own role (instead of httpd/reverseproxy) so that it can
+  # copy in some silly static resources (globe.png, index.html)
+  - role: geoip-city-wsgi/proxy
     website: geoip.fedoraproject.org
-    destname: geoip-city-wsgi-proxy
     proxyurl: http://localhost:10029

playbooks/groups/proxies.yml

@@ -39,6 +39,8 @@
   - include: "{{ tasks }}/yumrepos.yml"
   - include: "{{ tasks }}/2fa_client.yml"
   - include: "{{ tasks }}/motd.yml"
+  - include: "{{ tasks }}/apache.yml"
+  - include: "{{ tasks }}/mod_wsgi.yml"
 
   handlers:
   - include: "{{ handlers }}/restart_services.yml"
@@ -51,19 +53,18 @@
   # - review-stats::build (bapp0*)
   # - membership-map::build (bapp0*)
   #
-  # - iptables rules for fedmsg inbound
-  # - sebooleans
-  # - semanage_port
-  # - semanagefcontext
   # - geoipwsgi app itself
   #
+  ## TBD
+  # - sysctl ip_conntrack_max bits  - do we still need this on rhel7?
+  # - semanage ports.. we're likely going to need one for every app.
+  # - sebooleans.. let's try running first, see what gets blocked, and then
+  #                selectively enable where semanage port fails
+  #
   ## Not going to do
   # - smolt::proxy -- note going to do this.  smolt is dead.  long live smolt.
   # - domainnotarget stuff - only smolt used this
   #
-  ## TBD
-  # - sysctl ip_conntrack_max bits  - do we still need this on rhel7?
-  #
 
 # After setting up the "basics" of the proxy hosts above, here below we break
 # out the proxy-specific configuration into a couple different sub-playbooks.
@@ -77,3 +78,32 @@
 - include: proxies-fedora-web.yml
 - include: proxies-haproxy.yml
 - include: proxies-miscellaneous.yml
+
+#- name: Some after the after stuff for proxies.
+#  hosts: proxies-stg
+#  user: root
+#  gather_facts: False
+#
+#  vars_files:
+#   - /srv/web/infra/ansible/vars/global.yml
+#   - "{{ private }}/vars.yml"
+#   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+#
+#  tasks:
+#
+#  ## TODO - we should audit each one of these sebooleans to make sure they're
+#  ## really necessary.  The proxies are more forward-facing than other machines
+#  ## so we should take a little more care..
+#  ## Really, before we are generally allowing httpd to do stuff carte blanche,
+#  ## we should lock things down with 'semanage port' first.  See
+#  ## roles/fedmsg/base/ for an example.
+#  #
+#  #- name: Set some sebooleans
+#  #  seboolean: name={{item}} state=true persistent=true
+#  #  with_items:
+#  #  - httpd_can_network_connect_db
+#  #  - httpd_can_network_relay
+#  #  - httpd_can_network_connect
+#  #  - allow_ypbind
+#  #  tags:
+#  #  - selinux

roles/geoip-city-wsgi/app/tasks/main.yml

@@ -8,6 +8,8 @@
   yum: name=python-paste-deploy state=present
   tags:
   - packages
+  - geoip-city-wsgi
+  - geoip-city-wsgi/app
 
 - name: install geoip-city-wsgi.conf file 
   copy: >
@@ -21,6 +23,8 @@
   tags:
   - geoip_config
   - config
+  - geoip-city-wsgi
+  - geoip-city-wsgi/app
 
 - name: setup /usr/share/geoip-city-wsgi directory
   file: >
@@ -32,6 +36,8 @@
   tags:
   - geoip_config
   - config
+  - geoip-city-wsgi
+  - geoip-city-wsgi/app
 
 - name: install geoip-city.wsgi file
   copy: >
@@ -45,3 +51,5 @@
   tags:
   - geoip_config
   - config
+  - geoip-city-wsgi
+  - geoip-city-wsgi/app

roles/geoip-city-wsgi/proxy/files/index.html

@@ -0,0 +1,40 @@
+<html><head>
+<meta http-equiv="content-type" content="text/html; charset=windows-1252">
+    <link type="text/css" rel="stylesheet" href="https://apps.fedoraproject.org/bootstrap/css/bootstrap.min.css">
+    <style>
+      body {
+        background: url(globe.png) no-repeat center center fixed;
+        -webkit-background-size: cover;
+        -moz-background-size: cover;
+        -o-background-size: cover;
+        background-size: cover;
+      }
+      #textbits {
+        position: fixed;
+        top:300px;
+        left: 75px;
+        max-width: 375px;
+      }
+      .footer {
+        padding: 40px;
+      }
+    </style>
+  </head>
+  <body>
+  <div id="textbits">
+    <h1>geoip</h1>
+      <p class="lead">
+        This service is running
+        <a href="https://github.com/fedora-infra/geoip-city-wsgi">geoip city wsgi</a>.
+        </p><hr>
+        <a class="btn btn-default" href="https://geoip.fedoraproject.org/city">Try it out!</a>
+        <div class="clearfix"></div>
+        <div class="footer text-center"><small class="text-muted"><a href="https://commons.wikimedia.org/wiki/File:3quarter_globe.jpg">Original
+              globe image</a> by Minnesota Historical Society <a href="http://www.gnu.org/copyleft/fdl.html">GFDL</a> or <a href="http://creativecommons.org/licenses/by-sa/3.0">CC-BY-SA-3.0</a>,
+              via Wikimedia Commons.
+        </small></div>
+      <p></p>
+    </div>
+  
+
+</body></html>

roles/geoip-city-wsgi/proxy/tasks/main.yml

@@ -0,0 +1,25 @@
+- name: Copy in the proxy conf
+  template: >
+    src=geoip-city-wsgi-proxy.conf
+    dest=/etc/httpd/conf.d/{{website}}/geoip-city-wsgi-proxy.conf
+    owner=root group=root mode=0644
+  notify:
+  - restart httpd
+  tags:
+  - geoip-city-wsgi
+  - geoip-city-wsgi/proxy
+
+- name: Make a dir for our fancy about page.  So chic!
+  file: dest=/srv/web/geoip state=directory mode=0644 owner=root group=root
+  tags:
+  - geoip-city-wsgi
+  - geoip-city-wsgi/proxy
+
+- name: "Copy in the fancy about page stuff.  It's like wsgi with geoip aioli"
+  copy: src={{item}} dest=/srv/web/geoip/{{item}} mode=0644 owner=root group=root
+  with_items:
+  - index.html
+  - globe.png
+  tags:
+  - geoip-city-wsgi
+  - geoip-city-wsgi/proxy

roles/geoip-city-wsgi/proxy/templates/geoip-city-wsgi-proxy.conf

@@ -0,0 +1,6 @@
+RewriteEngine On
+
+RewriteRule ^/city(.*) {{proxyurl}}/city$1 [P,L]
+ProxyPassReverse /city {{proxyurl}}/city
+
+Alias / /srv/web/geoip/