- use the already existing multiplexed configuration to rely on
  - banco
  - saam
- Add support of basic authentication if needed on varnish vhosts
- declare basic auth users for staging and production objstorage
Related to T3621
Details
- Reviewers: olasd
- Group Reviewers: System administrators
- Maniphest Tasks: T3621: Create a production read-only objstorage
- Commits: rSPSITE4f19b14f25c0: Deploy a read-only objstorage on moma
example of the basic auth section in the varnish configuration:
  if ( 1 == 1 # noop expression to be syntactically correct with the following &&
      && ! req.http.Authorization ~ "Basic c3doLXByb2Q6c3doOjpkZXBsb3k6Om9ianN0b3JhZ2U6OnJldmVyc2VfcHJveHk6OmJhc2ljX2F1dGg6OnN3aC1wcm9k"
      && ! req.http.Authorization ~ "Basic ZW5lYS1wcm9kOnN3aDo6ZGVwbG95OjpvYmpzdG9yYWdlOjpyZXZlcnNlX3Byb3h5OjpiYXNpY19hdXRoOjplbmVhLXByb2Q="
  ) {
      return(synth(401, "Restricted"));
  }
octocatalog-diffs:
- rp0.staging
diff origin/production/rp0.internal.staging.swh.network current/rp0.internal.staging.swh.network ******************************************* File[/etc/varnish/includes/50_vhost_objstorage.staging.swh.network.vcl] => parameters => content => @@ -15,4 +15,10 @@ return(synth(850, "Moved permanently")); } else { + if ( 1 == 1 # noop expression to be syntaxivly correct with the following && + && ! req.http.Authorization ~ "Basic c3doLXN0Zzpzd2g6OmRlcGxveTo6b2Jqc3RvcmFnZTo6cmV2ZXJzZV9wcm94eTo6YmFzaWNfYXV0aDo6c3doLXN0Zw==" + && ! req.http.Authorization ~ "Basic ZW5lYS1zdGc6c3doOjpkZXBsb3k6Om9ianN0b3JhZ2U6OnJldmVyc2VfcHJveHk6OmJhc2ljX2F1dGg6OmVuZWEtc3Rn" + ) { + return(synth(401, "Restricted")); + } set req.http.X-Forwarded-Proto = "https"; set req.backend_hint = objstorage; ******************************************* Profile::Varnish::Vcl_include[vhost_objstorage.staging.swh.network] => parameters => content => 
@@ -15,4 +15,10 @@ return(synth(850, "Moved permanently")); } else { + if ( 1 == 1 # noop expression to be syntaxivly correct with the following && + && ! req.http.Authorization ~ "Basic c3doLXN0Zzpzd2g6OmRlcGxveTo6b2Jqc3RvcmFnZTo6cmV2ZXJzZV9wcm94eTo6YmFzaWNfYXV0aDo6c3doLXN0Zw==" + && ! req.http.Authorization ~ "Basic ZW5lYS1zdGc6c3doOjpkZXBsb3k6Om9ianN0b3JhZ2U6OnJldmVyc2VfcHJveHk6OmJhc2ljX2F1dGg6OmVuZWEtc3Rn" + ) { + return(synth(401, "Restricted")); + } set req.http.X-Forwarded-Proto = "https"; set req.backend_hint = objstorage; ******************************************* Profile::Varnish::Vhost[deposit.staging.swh.network] => parameters => basic_auth => + false ******************************************* Profile::Varnish::Vhost[objstorage.staging.swh.network] => parameters => basic_auth => + true basic_auth_strings => + ["c3doLXN0Zzpzd2g6OmRlcGxveTo6b2Jqc3RvcmFnZTo6cmV2ZXJzZV9wcm94eTo6YmFzaWNfYXV0aDo6c3doLXN0Zw==", "ZW5lYS1zdGc6c3doOjpkZXBsb3k6Om9ianN0b3JhZ2U6OnJldmVyc2VfcHJveHk6OmJhc2ljX2F1dGg6OmVuZWEtc3Rn"] ******************************************* Profile::Varnish::Vhost[webapp.staging.swh.network] => parameters => basic_auth => + false ******************************************* Varnish::Vcl[/etc/varnish/includes/50_vhost_objstorage.staging.swh.network.vcl] => parameters => content => @@ -15,4 +15,10 @@ return(synth(850, "Moved permanently")); } else { + if ( 1 == 1 # noop expression to be syntaxivly correct with the following && + && ! req.http.Authorization ~ "Basic c3doLXN0Zzpzd2g6OmRlcGxveTo6b2Jqc3RvcmFnZTo6cmV2ZXJzZV9wcm94eTo6YmFzaWNfYXV0aDo6c3doLXN0Zw==" + && ! req.http.Authorization ~ "Basic ZW5lYS1zdGc6c3doOjpkZXBsb3k6Om9ianN0b3JhZ2U6OnJldmVyc2VfcHJveHk6OmJhc2ljX2F1dGg6OmVuZWEtc3Rn" + ) { + return(synth(401, "Restricted")); + } set req.http.X-Forwarded-Proto = "https"; set req.backend_hint = objstorage; ******************************************* *** End octocatalog-diff on rp0.internal.staging.swh.network
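Review bot: the two added `&& ! req.http.Authorization ~ "Basic ..."` lines use the VCL regex match operator, so each configured string is treated as an unanchored pattern rather than compared for equality. `+` is part of the base64 alphabet and is also a regex quantifier, so a credential whose encoding contains it would not match its own header, and a header carrying extra characters around a configured string is still accepted. Suggest having the template emit exact comparisons, e.g. `req.http.Authorization != "Basic <string>"`. Separately, the inline comment reads "syntaxivly", and the `1 == 1` placeholder could be dropped by joining the conditions in the template.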
- moma:
diff origin/production/moma.softwareheritage.org current/moma.softwareheritage.org ******************************************* + Concat::Fragment[/etc/varnish/includes.vcl:objstorage] => parameters => "content": "include \"includes/01_objstorage.vcl\";", "order": "01", "target": "/etc/varnish/includes.vcl" ******************************************* + Concat::Fragment[/etc/varnish/includes.vcl:vhost_objstorage.softwareheritage.org] => parameters => "content": "include \"includes/50_vhost_objstorage.softwareheritage.org.vcl\... "order": "50", "target": "/etc/varnish/includes.vcl" ******************************************* + Concat::Fragment[hitch::domain objstorage_production] => parameters => "content": "pem-file = \"/etc/hitch/objstorage_production.pem\"\n", "notify": "Class[Hitch::Service]", "order": "10", "target": "/etc/hitch/hitch.conf" ******************************************* + Concat::Fragment[nginx-swh-objstorage-500-6666cd76f96956469e7be39d750cc7d9] => parameters => "content": "\n location / {\n proxy_pass http://swh-objstorag... "order": 500, "target": "/etc/nginx/sites-available/nginx-swh-objstorage.conf" ******************************************* + Concat::Fragment[nginx-swh-objstorage-default-500-6666cd76f96956469e7be39d750cc7d9] => parameters => "content": "\n location / {\n index index.html index.htm index.php;\... "order": 500, "target": "/etc/nginx/sites-available/nginx-swh-objstorage-default.conf" ******************************************* + Concat::Fragment[nginx-swh-objstorage-default-footer] => parameters => "content": "}\n", "order": "699", "target": "/etc/nginx/sites-available/nginx-swh-objstorage-default.conf" ******************************************* + Concat::Fragment[nginx-swh-objstorage-default-header] => parameters => "content": "# MANAGED BY PUPPET\nserver {\n listen moma.internal.softwarehe... 
"order": "001", "target": "/etc/nginx/sites-available/nginx-swh-objstorage-default.conf" ******************************************* + Concat::Fragment[nginx-swh-objstorage-footer] => parameters => "content": "}\n", "order": "699", "target": "/etc/nginx/sites-available/nginx-swh-objstorage.conf" ******************************************* + Concat::Fragment[nginx-swh-objstorage-header] => parameters => "content": "# MANAGED BY PUPPET\nserver {\n listen moma.internal.softwarehe... "order": "001", "target": "/etc/nginx/sites-available/nginx-swh-objstorage.conf" ******************************************* + Concat::Fragment[objstorage_production cacert] => parameters => "notify": "Class[Hitch::Service]", "order": "03", "source": "/etc/ssl/certs/letsencrypt/objstorage_production/chain.pem", "target": "/etc/hitch/objstorage_production.pem" ******************************************* + Concat::Fragment[objstorage_production cert] => parameters => "notify": "Class[Hitch::Service]", "order": "02", "source": "/etc/ssl/certs/letsencrypt/objstorage_production/cert.pem", "target": "/etc/hitch/objstorage_production.pem" ******************************************* + Concat::Fragment[objstorage_production dhparams] => parameters => "notify": "Class[Hitch::Service]", "order": "04", "source": "/etc/hitch/dhparams.pem", "target": "/etc/hitch/objstorage_production.pem" ******************************************* + Concat::Fragment[objstorage_production key] => parameters => "notify": "Class[Hitch::Service]", "order": "01", "source": "/etc/ssl/certs/letsencrypt/objstorage_production/privkey.pem", "target": "/etc/hitch/objstorage_production.pem" ******************************************* + Concat::Fragment[swh-objstorage-gunicorn_upstream_footer] => parameters => "content": "}\n", "order": "90", "target": "/etc/nginx/conf.d/swh-objstorage-gunicorn-upstream.conf" ******************************************* + Concat::Fragment[swh-objstorage-gunicorn_upstream_header] => parameters => 
"content": "# MANAGED BY PUPPET\nupstream swh-objstorage-gunicorn {\n", "order": "10", "target": "/etc/nginx/conf.d/swh-objstorage-gunicorn-upstream.conf" ******************************************* + Concat::Fragment[swh-objstorage-gunicorn_upstream_member_gunicorn-objstorage] => parameters => "content": " server unix:/run/gunicorn/swh-objstorage/gunicorn.sock;\n", "order": 40, "target": "/etc/nginx/conf.d/swh-objstorage-gunicorn-upstream.conf" ******************************************* + Concat[/etc/hitch/objstorage_production.pem] => parameters => "backup": "puppet", "ensure": "present", "ensure_newline": false, "force": false, "format": "plain", "group": "_hitch", "mode": "0640", "notify": "Class[Hitch::Service]", "order": "alpha", "owner": "root", "path": "/etc/hitch/objstorage_production.pem", "replace": true, "show_diff": true, "warn": false ******************************************* + Concat[/etc/nginx/conf.d/swh-objstorage-gunicorn-upstream.conf] => parameters => "backup": "puppet", "ensure": "present", "ensure_newline": false, "force": false, "format": "plain", "group": "root", "mode": "0644", "notify": "Class[Nginx::Service]", "order": "alpha", "owner": "root", "path": "/etc/nginx/conf.d/swh-objstorage-gunicorn-upstream.conf", "replace": true, "show_diff": true, "warn": false ******************************************* + Concat[/etc/nginx/sites-available/nginx-swh-objstorage-default.conf] => parameters => "backup": "puppet", "ensure": "present", "ensure_newline": false, "force": false, "format": "plain", "group": "root", "mode": "0644", "notify": "Class[Nginx::Service]", "order": "alpha", "owner": "root", "path": "/etc/nginx/sites-available/nginx-swh-objstorage-default.conf", "replace": true, "show_diff": true, "warn": false ******************************************* + Concat[/etc/nginx/sites-available/nginx-swh-objstorage.conf] => parameters => "backup": "puppet", "ensure": "present", "ensure_newline": false, "force": false, "format": "plain", 
"group": "root", "mode": "0644", "notify": "Class[Nginx::Service]", "order": "alpha", "owner": "root", "path": "/etc/nginx/sites-available/nginx-swh-objstorage.conf", "replace": true, "show_diff": true, "warn": false ******************************************* + Concat_file[/etc/hitch/objstorage_production.pem] => parameters => "backup": "puppet", "ensure_newline": false, "force": false, "format": "plain", "group": "_hitch", "mode": "0640", "order": "alpha", "owner": "root", "replace": true, "show_diff": true, "tag": "_etc_hitch_objstorage_production.pem" ******************************************* + Concat_file[/etc/nginx/conf.d/swh-objstorage-gunicorn-upstream.conf] => parameters => "backup": "puppet", "ensure_newline": false, "force": false, "format": "plain", "group": "root", "mode": "0644", "order": "alpha", "owner": "root", "replace": true, "show_diff": true, "tag": "_etc_nginx_conf.d_swh-objstorage-gunicorn-upstream.conf" ******************************************* + Concat_file[/etc/nginx/sites-available/nginx-swh-objstorage-default.conf] => parameters => "backup": "puppet", "ensure_newline": false, "force": false, "format": "plain", "group": "root", "mode": "0644", "order": "alpha", "owner": "root", "replace": true, "show_diff": true, "tag": "_etc_nginx_sites-available_nginx-swh-objstorage-default.conf" ******************************************* + Concat_file[/etc/nginx/sites-available/nginx-swh-objstorage.conf] => parameters => "backup": "puppet", "ensure_newline": false, "force": false, "format": "plain", "group": "root", "mode": "0644", "order": "alpha", "owner": "root", "replace": true, "show_diff": true, "tag": "_etc_nginx_sites-available_nginx-swh-objstorage.conf" ******************************************* + Concat_fragment[/etc/varnish/includes.vcl:objstorage] => parameters => "content": "include \"includes/01_objstorage.vcl\";", "order": "01", "tag": "_etc_varnish_includes.vcl", "target": "/etc/varnish/includes.vcl" 
******************************************* + Concat_fragment[/etc/varnish/includes.vcl:vhost_objstorage.softwareheritage.org] => parameters => "content": "include \"includes/50_vhost_objstorage.softwareheritage.org.vcl\... "order": "50", "tag": "_etc_varnish_includes.vcl", "target": "/etc/varnish/includes.vcl" ******************************************* + Concat_fragment[hitch::domain objstorage_production] => parameters => "content": "pem-file = \"/etc/hitch/objstorage_production.pem\"\n", "order": "10", "tag": "_etc_hitch_hitch.conf", "target": "/etc/hitch/hitch.conf" ******************************************* + Concat_fragment[nginx-swh-objstorage-500-6666cd76f96956469e7be39d750cc7d9] => parameters => "content": "\n location / {\n proxy_pass http://swh-objstorag... "order": 500, "tag": "_etc_nginx_sites-available_nginx-swh-objstorage.conf", "target": "/etc/nginx/sites-available/nginx-swh-objstorage.conf" ******************************************* + Concat_fragment[nginx-swh-objstorage-default-500-6666cd76f96956469e7be39d750cc7d9] => parameters => "content": "\n location / {\n index index.html index.htm index.php;\... "order": 500, "tag": "_etc_nginx_sites-available_nginx-swh-objstorage-default.conf", "target": "/etc/nginx/sites-available/nginx-swh-objstorage-default.conf" ******************************************* + Concat_fragment[nginx-swh-objstorage-default-footer] => parameters => "content": "}\n", "order": "699", "tag": "_etc_nginx_sites-available_nginx-swh-objstorage-default.conf", "target": "/etc/nginx/sites-available/nginx-swh-objstorage-default.conf" ******************************************* + Concat_fragment[nginx-swh-objstorage-default-header] => parameters => "content": "# MANAGED BY PUPPET\nserver {\n listen moma.internal.softwarehe... 
"order": "001", "tag": "_etc_nginx_sites-available_nginx-swh-objstorage-default.conf", "target": "/etc/nginx/sites-available/nginx-swh-objstorage-default.conf" ******************************************* + Concat_fragment[nginx-swh-objstorage-footer] => parameters => "content": "}\n", "order": "699", "tag": "_etc_nginx_sites-available_nginx-swh-objstorage.conf", "target": "/etc/nginx/sites-available/nginx-swh-objstorage.conf" ******************************************* + Concat_fragment[nginx-swh-objstorage-header] => parameters => "content": "# MANAGED BY PUPPET\nserver {\n listen moma.internal.softwarehe... "order": "001", "tag": "_etc_nginx_sites-available_nginx-swh-objstorage.conf", "target": "/etc/nginx/sites-available/nginx-swh-objstorage.conf" ******************************************* + Concat_fragment[objstorage_production cacert] => parameters => "order": "03", "source": "/etc/ssl/certs/letsencrypt/objstorage_production/chain.pem", "tag": "_etc_hitch_objstorage_production.pem", "target": "/etc/hitch/objstorage_production.pem" ******************************************* + Concat_fragment[objstorage_production cert] => parameters => "order": "02", "source": "/etc/ssl/certs/letsencrypt/objstorage_production/cert.pem", "tag": "_etc_hitch_objstorage_production.pem", "target": "/etc/hitch/objstorage_production.pem" ******************************************* + Concat_fragment[objstorage_production dhparams] => parameters => "order": "04", "source": "/etc/hitch/dhparams.pem", "tag": "_etc_hitch_objstorage_production.pem", "target": "/etc/hitch/objstorage_production.pem" ******************************************* + Concat_fragment[objstorage_production key] => parameters => "order": "01", "source": "/etc/ssl/certs/letsencrypt/objstorage_production/privkey.pem", "tag": "_etc_hitch_objstorage_production.pem", "target": "/etc/hitch/objstorage_production.pem" ******************************************* + Concat_fragment[swh-objstorage-gunicorn_upstream_footer] => 
parameters => "content": "}\n", "order": "90", "tag": "_etc_nginx_conf.d_swh-objstorage-gunicorn-upstream.conf", "target": "/etc/nginx/conf.d/swh-objstorage-gunicorn-upstream.conf" ******************************************* + Concat_fragment[swh-objstorage-gunicorn_upstream_header] => parameters => "content": "# MANAGED BY PUPPET\nupstream swh-objstorage-gunicorn {\n", "order": "10", "tag": "_etc_nginx_conf.d_swh-objstorage-gunicorn-upstream.conf", "target": "/etc/nginx/conf.d/swh-objstorage-gunicorn-upstream.conf" ******************************************* + Concat_fragment[swh-objstorage-gunicorn_upstream_member_gunicorn-objstorage] => parameters => "content": " server unix:/run/gunicorn/swh-objstorage/gunicorn.sock;\n", "order": 40, "tag": "_etc_nginx_conf.d_swh-objstorage-gunicorn-upstream.conf", "target": "/etc/nginx/conf.d/swh-objstorage-gunicorn-upstream.conf" ******************************************* + File[/etc/gunicorn/instances/swh-objstorage.cfg] => parameters => "content": "# Gunicorn instance configuration.\n# Managed by puppet (class g... "ensure": "present", "group": "swhstorage", "mode": "0644", "notify": "Service[gunicorn-swh-objstorage]", "owner": "swhstorage" ******************************************* + File[/etc/nginx/sites-enabled/nginx-swh-objstorage-default.conf] => parameters => "ensure": "link", "group": "root", "mode": "0644", "notify": "Class[Nginx::Service]", "owner": "root", "target": "/etc/nginx/sites-available/nginx-swh-objstorage-default.conf" ******************************************* + File[/etc/nginx/sites-enabled/nginx-swh-objstorage.conf] => parameters => "ensure": "link", "group": "root", "mode": "0644", "notify": "Class[Nginx::Service]", "owner": "root", "target": "/etc/nginx/sites-available/nginx-swh-objstorage.conf" ******************************************* + File[/etc/softwareheritage/objstorage/server.yml] => parameters => "content": "---\nobjstorage:\n cls: multiplexer\n args:\n objstorages:\... 
"ensure": "present", "group": "swhstorage", "mode": "0640", "notify": "Service[gunicorn-swh-objstorage]", "owner": "root" ******************************************* + File[/etc/softwareheritage/objstorage] => parameters => "ensure": "directory", "group": "swhstorage", "mode": "0750", "owner": "root" ******************************************* + File[/etc/ssl/certs/letsencrypt/objstorage_production/cert.pem] => parameters => "ensure": "present", "group": "root", "mode": "0644", "owner": "root", "source": "puppet:///le_certs/objstorage_production/cert.pem" ******************************************* + File[/etc/ssl/certs/letsencrypt/objstorage_production/chain.pem] => parameters => "ensure": "present", "group": "root", "mode": "0644", "owner": "root", "source": "puppet:///le_certs/objstorage_production/chain.pem" ******************************************* + File[/etc/ssl/certs/letsencrypt/objstorage_production/fullchain.pem] => parameters => "ensure": "present", "group": "root", "mode": "0644", "owner": "root", "source": "puppet:///le_certs/objstorage_production/fullchain.pem" ******************************************* + File[/etc/ssl/certs/letsencrypt/objstorage_production/privkey.pem] => parameters => "ensure": "present", "group": "root", "mode": "0600", "owner": "root", "source": "puppet:///le_certs/objstorage_production/privkey.pem" ******************************************* + File[/etc/ssl/certs/letsencrypt/objstorage_production] => parameters => "ensure": "directory", "group": "root", "mode": "0755", "owner": "root" ******************************************* + File[/etc/systemd/system/gunicorn-swh-objstorage.service] => parameters => "content": "# File managed by puppet (class gunicorn::instance swh-objstorag... 
"ensure": "file", "group": "root", "mode": "0444", "notify": "Class[Systemd::Systemctl::Daemon_reload]", "owner": "root", "show_diff": true ******************************************* + File[/etc/tmpfiles.d/gunicorn-swh-objstorage.conf] => parameters => "ensure": "absent", "group": "root", "mode": "0444", "notify": "Class[Systemd::Tmpfiles]", "owner": "root" ******************************************* + File[/etc/varnish/includes/01_objstorage.vcl] => parameters => "content": "# backend_default.vcl\n#\n# Default backend definition.\n#\n# Fi... "group": "root", "mode": "0644", "notify": "Exec[vcl_reload]", "owner": "root" ******************************************* + File[/etc/varnish/includes/50_vhost_objstorage.softwareheritage.org.vcl] => parameters => "content": "# vhost_objstorage.softwareheritage.org.vcl\n#\n# Settings for t... "group": "root", "mode": "0644", "notify": "Exec[vcl_reload]", "owner": "root" ******************************************* + Gunicorn::Instance[swh-objstorage] => parameters => "config_base_module": "swh.core.api.gunicorn_config", "config_mode": "0644", "ensure": "enabled", "environment": { "SWH_CONFIG_FILENAME": "/etc/softwareheritage/objstorage/server.yml", "SWH_LOG_TARGET": "journal", "SWH_SENTRY_DSN": "https://swh::deploy::objstorage::sentry_token@sentry.so... 
"SWH_SENTRY_ENVIRONMENT": "production", "SWH_MAIN_PACKAGE": "swh.objstorage" }, "executable": "swh.objstorage.api.server:make_app_from_configfile()", "group": "swhstorage", "log_only_errors": true, "settings": { "bind": "unix:/run/gunicorn/swh-objstorage/gunicorn.sock", "workers": 4, "worker_class": "aiohttp.worker.GunicornWebWorker", "timeout": 3600, "graceful_timeout": 3600, "keepalive": 5, "max_requests": 0, "max_requests_jitter": 0, "statsd_host": "127.0.0.1:8125", "statsd_prefix": "swh-objstorage" }, "user": "swhstorage" ******************************************* + Hitch::Domain[objstorage_production] => parameters => "cacert_source": "/etc/ssl/certs/letsencrypt/objstorage_production/chain.pem... "cert_source": "/etc/ssl/certs/letsencrypt/objstorage_production/cert.pem", "default": false, "ensure": "present", "key_source": "/etc/ssl/certs/letsencrypt/objstorage_production/privkey.pem"... ******************************************* + Nginx::Resource::Location[nginx-swh-objstorage-default-default] => parameters => "add_header": { }, "ensure": "present", "fastcgi_params": "/etc/nginx/fastcgi.conf", "flv": false, "index_files": [ "index.html", "index.htm", "index.php" ], "internal": false, "location": "/", "location_allow": [ ], "location_deny": [ ], "mp4": false, "notify": "Class[Nginx::Service]", "priority": 500, "proxy_connect_timeout": "90s", "proxy_hide_header": [ ], "proxy_ignore_header": [ ], "proxy_pass_header": [ ], "proxy_read_timeout": "90s", "proxy_send_timeout": "90s", "proxy_set_header": [ "Host $host", "X-Real-IP $remote_addr", "X-Forwarded-For $proxy_add_x_forwarded_for", "Proxy \"\"" ], "rewrite_rules": [ ], "server": "nginx-swh-objstorage-default", "ssl": false, "ssl_only": false, "uwsgi_params": "/etc/nginx/uwsgi_params" ******************************************* + Nginx::Resource::Location[nginx-swh-objstorage-default] => parameters => "add_header": { }, "ensure": "present", "fastcgi_params": "/etc/nginx/fastcgi.conf", "flv": false, 
"index_files": [ "index.html", "index.htm", "index.php" ], "internal": false, "location": "/", "location_allow": [ ], "location_deny": [ ], "mp4": false, "notify": "Class[Nginx::Service]", "priority": 500, "proxy": "http://swh-objstorage-gunicorn", "proxy_buffering": "off", "proxy_connect_timeout": "90s", "proxy_hide_header": [ ], "proxy_ignore_header": [ ], "proxy_pass_header": [ ], "proxy_read_timeout": "3600s", "proxy_send_timeout": "90s", "proxy_set_header": [ "Host $host", "X-Real-IP $remote_addr", "X-Forwarded-For $proxy_add_x_forwarded_for", "Proxy \"\"" ], "rewrite_rules": [ ], "server": "nginx-swh-objstorage", "ssl": false, "ssl_only": false, "uwsgi_params": "/etc/nginx/uwsgi_params" ******************************************* + Nginx::Resource::Server[nginx-swh-objstorage-default] => parameters => "add_header": { }, "ensure": "present", "fastcgi_params": "/etc/nginx/fastcgi.conf", "format_log": "combined", "geo_mappings": { }, "group": "root", "http2": "off", "index_files": [ "index.html", "index.htm", "index.php" ], "ipv6_enable": false, "ipv6_listen_ip": "::", "ipv6_listen_options": "default ipv6only=on", "ipv6_listen_port": 80, "listen_ip": "moma.internal.softwareheritage.org", "listen_options": "default_server", "listen_port": 5003, "listen_unix_socket": "/var/run/nginx.sock", "listen_unix_socket_enable": false, "location_allow": [ ], "location_deny": [ ], "locations": { }, "locations_defaults": { }, "maintenance": true, "maintenance_value": "return 444", "mode": "0644", "owner": "root", "proxy_connect_timeout": "90s", "proxy_hide_header": [ ], "proxy_pass_header": [ ], "proxy_read_timeout": "90s", "proxy_send_timeout": "90s", "proxy_set_header": [ "Host $host", "X-Real-IP $remote_addr", "X-Forwarded-For $proxy_add_x_forwarded_for", "Proxy \"\"" ], "resolver": [ ], "rewrite_non_www_to_www": false, "rewrite_rules": [ ], "rewrite_www_to_non_www": false, "server_name": [ "nginx-swh-objstorage-default" ], "spdy": "off", "ssl": false, "ssl_cache": 
"shared:SSL:10m", "ssl_ciphers": "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC... "ssl_listen_option": true, "ssl_port": 443, "ssl_prefer_server_ciphers": "on", "ssl_protocols": "TLSv1 TLSv1.1 TLSv1.2", "ssl_redirect": false, "ssl_session_timeout": "5m", "ssl_stapling": false, "ssl_stapling_verify": false, "ssl_verify_client": "on", "string_mappings": { }, "use_default_location": true, "uwsgi_params": "/etc/nginx/uwsgi_params" ******************************************* + Nginx::Resource::Server[nginx-swh-objstorage] => parameters => "add_header": { }, "client_max_body_size": "4G", "ensure": "present", "fastcgi_params": "/etc/nginx/fastcgi.conf", "format_log": "combined if=$error_status", "geo_mappings": { }, "group": "root", "http2": "off", "index_files": [ "index.html", "index.htm", "index.php" ], "ipv6_enable": false, "ipv6_listen_ip": "::", "ipv6_listen_options": "default ipv6only=on", "ipv6_listen_port": 80, "listen_ip": "moma.internal.softwareheritage.org", "listen_options": "deferred", "listen_port": 5003, "listen_unix_socket": "/var/run/nginx.sock", "listen_unix_socket_enable": false, "location_allow": [ ], "location_deny": [ ], "locations": { }, "locations_defaults": { }, "maintenance": false, "maintenance_value": "return 503", "mode": "0644", "owner": "root", "proxy": "http://swh-objstorage-gunicorn", "proxy_buffering": "off", "proxy_connect_timeout": "90s", "proxy_hide_header": [ ], "proxy_pass_header": [ ], "proxy_read_timeout": "3600s", "proxy_send_timeout": "90s", "proxy_set_header": [ "Host $host", "X-Real-IP $remote_addr", "X-Forwarded-For $proxy_add_x_forwarded_for", "Proxy \"\"" ], "resolver": [ ], "rewrite_non_www_to_www": false, "rewrite_rules": [ ], "rewrite_www_to_non_www": false, "server_name": [ "objstorage.softwarehritage.org objstorage.internal.softwareheritage.org",... 
"moma.internal.softwareheritage.org", "moma", "127.0.0.1", "localhost", "::1" ], "spdy": "off", "ssl": false, "ssl_cache": "shared:SSL:10m", "ssl_ciphers": "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC... "ssl_listen_option": true, "ssl_port": 443, "ssl_prefer_server_ciphers": "on", "ssl_protocols": "TLSv1 TLSv1.1 TLSv1.2", "ssl_redirect": false, "ssl_session_timeout": "5m", "ssl_stapling": false, "ssl_stapling_verify": false, "ssl_verify_client": "on", "string_mappings": { }, "use_default_location": true, "uwsgi_params": "/etc/nginx/uwsgi_params" ******************************************* + Nginx::Resource::Upstream::Member[gunicorn-objstorage] => parameters => "backup": false, "context": "http", "ensure": "present", "port": 80, "resolve": false, "server": "unix:/run/gunicorn/swh-objstorage/gunicorn.sock", "upstream": "swh-objstorage-gunicorn" ******************************************* + Nginx::Resource::Upstream[swh-objstorage-gunicorn] => parameters => "cfg_append": { }, "cfg_prepend": { }, "context": "http", "ensure": "present", "ip_hash": false, "least_conn": false, "member_defaults": { }, "members": { "gunicorn-objstorage": { "server": "unix:/run/gunicorn/swh-objstorage/gunicorn.sock" } }, "ntlm": false ******************************************* + Package[python3-swh.objstorage.cloud] => parameters => "ensure": "installed" ******************************************* + Package[python3-swh.objstorage] => parameters => "ensure": "present", "notify": [ "Service[gunicorn-swh-objstorage]" ] ******************************************* + Profile::Hitch::Ssl_cert[objstorage_production] => parameters => "ssl_cert_name": "objstorage_production" ******************************************* + Profile::Letsencrypt::Certificate[objstorage_production] => parameters => "basename": "objstorage_production", "privkey_group": "root", "privkey_mode": "0600", "privkey_owner": "root" ******************************************* + 
Profile::Swh::Deploy::Rpc_server[objstorage] => parameters => "config_key": "objstorage", "executable": "swh.objstorage.api.server:make_app_from_configfile()", "gunicorn_config_base_module": "swh.core.api.gunicorn_config", "http_check_string": "SWH Objstorage API server", "instance_name": "objstorage", "worker": "async" ******************************************* + Profile::Varnish::Vcl_include[objstorage] => parameters => "basename": "objstorage", "content": "# backend_default.vcl\n#\n# Default backend definition.\n#\n# Fi... "order": "01" ******************************************* + Profile::Varnish::Vcl_include[vhost_objstorage.softwareheritage.org] => parameters => "basename": "vhost_objstorage.softwareheritage.org", "content": "# vhost_objstorage.softwareheritage.org.vcl\n#\n# Settings for t... "order": "50" ******************************************* Profile::Varnish::Vhost[archive.softwareheritage.org] => parameters => basic_auth => + false ******************************************* Profile::Varnish::Vhost[deposit.softwareheritage.org] => parameters => basic_auth => + false ******************************************* + Profile::Varnish::Vhost[objstorage.softwareheritage.org] => parameters => "aliases": [ "objstorage.internal.softwareheritage.org" ], "backend_http_host": "moma.internal.softwareheritage.org", "backend_http_port": "5003", "backend_name": "objstorage", "basic_auth": true, "basic_auth_strings": [ "c3doLXByb2Q6c3doOjpkZXBsb3k6Om9ianN0b3JhZ2U6OnJldmVyc2VfcHJveHk6OmJhc2ljX... "ZW5lYS1wcm9kOnN3aDo6ZGVwbG95OjpvYmpzdG9yYWdlOjpyZXZlcnNlX3Byb3h5OjpiYXNpY... 
], "hsts_max_age": 15768000, "order": "50", "servername": "objstorage.softwareheritage.org", "websocket_support": false ******************************************* + Service[gunicorn-swh-objstorage] => parameters => "enable": true, "ensure": "running", "restart": "/bin/systemctl reload gunicorn-swh-objstorage.service" ******************************************* + Systemd::Tmpfile[gunicorn-swh-objstorage.conf] => parameters => "ensure": "absent", "filename": "gunicorn-swh-objstorage.conf", "path": "/etc/tmpfiles.d" ******************************************* + Systemd::Unit_file[gunicorn-swh-objstorage.service] => parameters => "content": "# File managed by puppet (class gunicorn::instance swh-objstorag... "ensure": "present", "group": "root", "mode": "0444", "notify": [ "Service[gunicorn-swh-objstorage]" ], "owner": "root", "path": "/etc/systemd/system", "show_diff": true ******************************************* + Varnish::Vcl[/etc/varnish/includes/01_objstorage.vcl] => parameters => "content": "# backend_default.vcl\n#\n# Default backend definition.\n#\n# Fi... "file": "/etc/varnish/includes/01_objstorage.vcl" ******************************************* + Varnish::Vcl[/etc/varnish/includes/50_vhost_objstorage.softwareheritage.org.vcl] => parameters => "content": "# vhost_objstorage.softwareheritage.org.vcl\n#\n# Settings for t... "file": "/etc/varnish/includes/50_vhost_objstorage.softwareheritage.org.vcl"... ******************************************* *** End octocatalog-diff on moma.softwareheritage.org
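Review bot: in `Nginx::Resource::Server[nginx-swh-objstorage]`, the first `server_name` entry is the single string "objstorage.softwarehritage.org objstorage.internal.softwareheritage.org". The first name is misspelled (missing "e" in "softwareheritage") and two host names share one array element; suggest correcting the spelling and listing each name as its own element.

Review bot: the basic-auth check lives only in `Profile::Varnish::Vhost[objstorage.softwareheritage.org]`, while the nginx server it proxies to listens on `moma.internal.softwareheritage.org` port 5003 with empty `location_allow` and `location_deny`, so a client that can reach that address directly is not subject to the check. Worth confirming that port 5003 is only reachable from Varnish, or adding an allow list on the nginx side.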
Diff Detail
- Repository: rSPSITE puppet-swh-site
- Lint: Automatic diff as part of commit; lint not applicable.
- Unit: Automatic diff as part of commit; unit tests not applicable.
Event Timeline
Add basic authentication support and activate it in staging too
(main description will be updated accordingly)