diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -1677,6 +1677,8 @@
 - localhost
 - "::1"
+swh::deploy::deposit::reverse_proxy::backend_http_port: "%{alias('varnish::backend_http_port')}"
+
 
 # aliases are pulled from letsencrypt::certificates[$swh::deploy::deposit::vhost::letsencrypt_cert]
 swh::deploy::deposit::vhost::letsencrypt_cert: deposit_production
 swh::deploy::deposit::url: https://deposit.softwareheritage.org
@@ -1828,6 +1830,8 @@
 swh::deploy::webapp::backend::http_timeout: 3600
 swh::deploy::webapp::backend::reload_mercy: 3600
+swh::deploy::webapp::reverse_proxy::backend_http_port: "%{alias('varnish::backend_http_port')}"
+
 
 # aliases are pulled from letsencrypt::certificates[$swh::deploy::webapp::vhost::letsencrypt_cert]
 swh::deploy::webapp::vhost::letsencrypt_cert: archive_production
 swh::deploy::webapp::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}"
diff --git a/data/deployments/production/common.yaml b/data/deployments/production/common.yaml
new file mode 100644
--- /dev/null
+++ b/data/deployments/production/common.yaml
@@ -0,0 +1,3 @@
+swh::deploy::deposit::reverse_proxy::backend_http_host: "::1"
+swh::deploy::webapp::reverse_proxy::backend_http_host: "::1"
+
diff --git a/data/deployments/staging/common.yaml b/data/deployments/staging/common.yaml
--- a/data/deployments/staging/common.yaml
+++ b/data/deployments/staging/common.yaml
@@ -101,7 +101,10 @@
 - journal0.internal.staging.swh.network
 
 swh::deploy::deposit::vhost::letsencrypt_cert: deposit_staging
+swh::deploy::deposit::reverse_proxy::backend_http_host: deposit.internal.staging.swh.network
+
 swh::deploy::webapp::vhost::letsencrypt_cert: archive_staging
+swh::deploy::webapp::reverse_proxy::backend_http_host: webapp.internal.staging.swh.network
 
 swh::postgresql::version: '12'
 swh::postgresql::port: 5433
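Review bot: `"%{alias('varnish::backend_http_port')}"` preserves the data type of the key it references, so if `varnish::backend_http_port` is stored as an Integer in hiera (not visible here) this lookup yields an Integer, while the receiving parameter in vhost.pp is declared `String $backend_http_port`, which would fail type-checking at catalog compile time. The same applies to the webapp key added in the second hunk of this file. Either stringify in hiera with `"%{lookup('varnish::backend_http_port')}"` (as the nearby `%{hiera('apache::ssl_protocol')}` entry does) or widen the parameter to `Variant[Integer[1, 65535], String] $backend_http_port,`; the template only interpolates the value inside quotes, so either form works.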
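Review bot: The staging backends now resolve to other hosts (`deposit.internal.staging.swh.network`, `webapp.internal.staging.swh.network`) instead of loopback, so the varnish-to-backend leg leaves the machine as plain HTTP, and the `X_FORWARDED_PROTO = "https"` header that vhost.vcl.erb sets is only meaningful if the backend port accepts connections solely from the reverse proxy. Nothing in this change records or enforces that assumption; it is worth confirming the backend's bind address or the host firewall rules when this lands, and documenting it next to these keys, e.g. `# backend must be reachable only from the reverse proxy; it trusts X-Forwarded-Proto from it`.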
diff --git a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
--- a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
+++ b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
@@ -10,6 +10,8 @@
 each($service_names) |$service_name| {
 # Retrieve certificate name
 $cert_name = lookup("swh::deploy::${service_name}::vhost::letsencrypt_cert")
+ $backend_http_host = lookup("swh::deploy::${service_name}::reverse_proxy::backend_http_host")
+ $backend_http_port = lookup("swh::deploy::${service_name}::reverse_proxy::backend_http_port")
 
 # Retrieve the list of vhosts
 $vhosts = lookup('letsencrypt::certificates')[$cert_name]['domains']
@@ -23,8 +25,11 @@
 realize(::Profile::Hitch::Ssl_cert[$cert_name])
 
 ::profile::varnish::vhost {$vhost_name:
- aliases => $vhost_aliases,
- hsts_max_age => lookup('strict_transport_security::max_age'),
+ aliases => $vhost_aliases,
+ backend_name => $service_name,
+ backend_http_host => $backend_http_host,
+ backend_http_port => $backend_http_port,
+ hsts_max_age => lookup('strict_transport_security::max_age'),
 }
 
 $icinga_checks_file = lookup('icinga2::exported_checks::filename')
diff --git a/site-modules/profile/manifests/varnish.pp b/site-modules/profile/manifests/varnish.pp
--- a/site-modules/profile/manifests/varnish.pp
+++ b/site-modules/profile/manifests/varnish.pp
@@ -76,5 +76,8 @@
 order => '00',
 }
 
- include ::profile::varnish::default_vcls
+ ::profile::varnish::vcl_include {'synth_redirect':
+ order => '10',
+ content => file('profile/varnish/synth_redirect.vcl'),
+ }
 }
diff --git a/site-modules/profile/manifests/varnish/default_vcls.pp b/site-modules/profile/manifests/varnish/default_vcls.pp
deleted file mode 100644
--- a/site-modules/profile/manifests/varnish/default_vcls.pp
+++ /dev/null
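Review bot: With `include ::profile::varnish::default_vcls` gone there is no longer a single `backend_default` declared first; every per-service backend is now emitted at order `'01'` from vhost.pp, so which backend Varnish treats as the implicit default (the first one in the concatenated VCL) depends on how those `vcl_include` fragments sort among themselves, which this hunk does not pin down. If any request can pass through `vcl_recv` without a vhost branch assigning `req.backend_hint` (vhost.vcl.erb only assigns it in its https branch), it will be served by whichever service's backend happens to come first. A comment here such as `# backends are declared per vhost (order '01'); no implicit default backend remains` would record the change, and a catch-all synth response for unmatched hosts would make the behaviour deterministic. The enclosing class starts above the hunk.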
@@ -1,13 +0,0 @@
-# Default VCLs included with the varnish profile
-
-class profile::varnish::default_vcls {
- ::profile::varnish::vcl_include {'backend_default':
- order => '01',
- content => template('profile/varnish/backend_default.vcl.erb'),
- }
-
- ::profile::varnish::vcl_include {'synth_redirect':
- order => '10',
- content => file('profile/varnish/synth_redirect.vcl'),
- }
-}
diff --git a/site-modules/profile/manifests/varnish/vhost.pp b/site-modules/profile/manifests/varnish/vhost.pp
--- a/site-modules/profile/manifests/varnish/vhost.pp
+++ b/site-modules/profile/manifests/varnish/vhost.pp
@@ -4,10 +4,19 @@
 String $servername = $title,
 String $order = '50',
 Array[String] $aliases = [],
+ String $backend_name,
+ String $backend_http_host,
+ String $backend_http_port,
 Optional[String] $vcl_recv_extra = undef,
 Optional[String] $vcl_deliver_extra = undef,
 Variant[Undef, String, Integer[1]] $hsts_max_age = undef,
 ) {
+
+ ::profile::varnish::vcl_include {$backend_name:
+ order => '01',
+ content => template('profile/varnish/backend.vcl.erb'),
+ }
+
 ::profile::varnish::vcl_include {"vhost_${servername}":
 order => $order,
 content => template('profile/varnish/vhost.vcl.erb'),
diff --git a/site-modules/profile/templates/varnish/backend.vcl.erb b/site-modules/profile/templates/varnish/backend.vcl.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/varnish/backend.vcl.erb
@@ -0,0 +1,11 @@
+# backend_default.vcl
+#
+# Default backend definition.
+#
+# File managed by puppet. All modifications will be lost.
+
+backend <%= @backend_name %>
+ {
+ .host = "<%= @backend_http_host %>";
+ .port = "<%= @backend_http_port %>";
+}
diff --git a/site-modules/profile/templates/varnish/vhost.vcl.erb b/site-modules/profile/templates/varnish/vhost.vcl.erb
--- a/site-modules/profile/templates/varnish/vhost.vcl.erb
+++ b/site-modules/profile/templates/varnish/vhost.vcl.erb
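Review bot: The three new required parameters (`String $backend_name`, `String $backend_http_host`, `String $backend_http_port`) are inserted after parameters that carry defaults; puppet-lint's parameter_order check expects required parameters before optional ones, so they belong at the top of the list, ahead of `String $servername = $title,`. Separately, because the backend `vcl_include` is now declared inside each `profile::varnish::vhost` instance, two vhosts on one node passing the same `backend_name` would be a duplicate resource declaration; a comment above it, `# one backend per vhost: backend_name must be unique across vhosts on this node`, would make that contract visible. The define's header and the rest of its body lie outside the hunk.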
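Review bot: The header comment of the new template still reads `# backend_default.vcl` and `# Default backend definition.`, which are the name and purpose of the file this commit deletes; the template now emits one backend per service, named from `@backend_name`. Suggest `# backend.vcl.erb` and `# Backend definition for <%= @backend_name %> (one per reverse-proxied service).` so the generated VCL comment identifies the backend it describes. The opening brace on its own indented line is also unusual for VCL; `backend <%= @backend_name %> {` on one line matches the common style.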
@@ -16,6 +16,7 @@
 return(synth(850, "Moved permanently"));
 } else {
 set req.http.X_FORWARDED_PROTO = "https";
+ set req.backend_hint = <%= @backend_name %>;
 }
 <% if @vcl_recv_extra -%>
 <%= @vcl_recv_extra %>
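Review bot: `<%= @backend_name %>` is interpolated as a bare VCL identifier, so the value must be something VCL accepts as a backend name; the `String` type on `backend_name` in vhost.pp does not enforce that, and reverse_proxy.pp passes `$service_name` straight from the hiera service list. With the names in use here (`deposit`, `webapp`) this is fine, but a tighter type on the parameter, e.g. `Pattern[/\A[A-Za-z][A-Za-z0-9_]*\z/] $backend_name,`, would fail catalog compilation early rather than at VCL load on the varnish host. The enclosing conditional starts above the hunk.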