⚓ T2747 Create the reverse proxy to expose the staging services publicly

		Status	Assigned	Task
		Migrated	gitlab-migration	T2650 Network refactoring - step 1
		Migrated	gitlab-migration	T2747 Create the reverse proxy to expose the staging services publicly

ardumont triaged this task as Normal priority.Nov 2 2020, 11:00 AM

ardumont created this task.

ardumont added a parent task: T2650: Network refactoring - step 1.

ardumont mentioned this in T2650: Network refactoring - step 1.Nov 2 2020, 11:02 AM

Current state of the frontend services (webapp, deposit) is described in the following graph:

current-state.svg12 KBDownload

source code: P852

Here is the desired staging reverse proxy schema:

reverse-proxy.svg14 KBDownload

source: P853

Looks good to me !

ardumont changed the task status from Open to Work in Progress.Nov 4 2020, 4:17 PM

Reverse proxy referenced in the inventory app [1] [2]

[1] https://inventory.internal.softwareheritage.org/virtualization/virtual-machines/87/
[2] https://inventory.internal.softwareheritage.org/ipam/prefixes/8/ip-addresses/

ardumont mentioned this in rSENV6b0e70316294: Vagrantfile: Reference a new staging-rp "reverse proxy" node.Nov 4 2020, 6:30 PM

ardumont mentioned this in rSPPRIVC40740da06d0d: Adapt censored password for the gunicorn-swh-webapp service.Nov 5 2020, 12:30 PM

Puppet web api roles (deposit, webapp) got reworked from [1] to [2] so their name and intent are clearer.

This now declares the following roles and deploys them accordingly (this does
not change anything in production):

swh_rp_webapp: webapp with reverse proxy as before (deployed on node webapp0.azure)
swh_rp_webapps: webapp and deposit with reverse proxy behavior as before (deployed on node moma)
swh_webapp: only webapp service, no more hitch/varnish (deployed on node webapp.staging)
swh_deposit: only deposit service no more hitch/varnish (deploy on node deposit.staging)

Introducing as expressed above the new swh_reverse_proxy role (for a dedicated
reverse proxy node to create). This is the node which will serve the purpose of
reverse proxy in front of swh_webapp and swh_deposit role for the staging
nodes.

All this is currently in the T2747_reverse_proxy git branch in the swh-site
repository (vagrant + octocatalog-diff happy so far, with no change on
production node \o/).

We need to create the new reverse proxy node now.

[1]

current-puppet-roles.svg15 KBDownload

source code: P855

[2]

current-puppet-roles.svg15 KBDownload

source code: P856

vsellier added a subscriber: vsellier.Nov 5 2020, 2:05 PM

ardumont mentioned this in rSPREeb885320c363: modules/node/main: Ignore "clone" property update.Nov 5 2020, 2:36 PM

ardumont mentioned this in rSPREd9a7e419648c: modules/node/variables: Use new debian buster template.

ardumont added a revision: D4419: staging: Reference the new staging reverse proxy node.Nov 5 2020, 2:37 PM

ardumont added a revision: D4421: Add staging reverse proxy role.Nov 5 2020, 7:50 PM

vsellier added a revision: D4422: adapt the debian buster template to be used by terraform.Nov 6 2020, 9:58 AM

vsellier added a commit: rSPREf2fae17af485: adapt the debian buster template to be used by terraform.Nov 6 2020, 10:03 AM

ardumont mentioned this in rSPREeedfa0619c12: modules/node: Use the latest debian-buster template.Nov 6 2020, 10:07 AM

ardumont added a revision: D4423: terraform/modules/node/main: Define custom facts puppet needs to run.Nov 6 2020, 10:08 AM

ardumont added a revision: D4424: terraform/proxmox: Make the ssh connection work.Nov 6 2020, 10:10 AM

ardumont added a commit: rSPREb591b57db6f0: terraform/modules/node/main: Define custom facts puppet needs to run.Nov 6 2020, 10:17 AM

ardumont added a commit: rSPRE6b734c0e56ec: terraform/proxmox: Make the ssh connection work.Nov 6 2020, 10:24 AM

ardumont added a commit: rSPRE9daad9118432: staging: Reference the new staging reverse proxy node.Nov 6 2020, 10:31 AM

ardumont added a commit: rSPSITEa18f8fc74d15: Bootstrap staging reverse proxy (role, profile).Nov 6 2020, 10:36 AM

ardumont added a commit: rSPSITEebb015428bff: Define common apache configuration in staging/common.yaml.

ardumont added a commit: rSPSITE36269a14938c: Remove reverse proxy behavior from swh::deploy::{deposit, webapp}.

ardumont added a commit: rSPSITE6ad80079e5ad: Rework webapp and deposit roles with and without reverse proxy.

ardumont mentioned this in rSPSITE341a955362ed: deploy.webapp: Fix icinga checks.Nov 6 2020, 11:20 AM

ardumont added a revision: D4440: varnish: use different backends per vhosts.Nov 6 2020, 2:57 PM

ardumont added a commit: rSPSITE83170bb099db: varnish: use different backends per vhosts.Nov 6 2020, 3:12 PM

ardumont added a commit: rSPSITE5d1cc51c6665: reverse_proxy: Expose a backend name to reuse.

ardumont added a commit: rSPSITEaee9a70879b8: reverse_proxy: Declare backend_http_* according to their environment.

ardumont added a revision: D4447: Declare dns records on rp0/webapp/deposit nodes.Nov 9 2020, 12:05 PM

ardumont added a commit: rSPSITE6990707d63db: Declare dns records on rp0/webapp/deposit nodes.Nov 9 2020, 12:09 PM

ardumont added a revision: D4449: Drop staging-rp-{webapp,deposit} which are declared in gandi.Nov 9 2020, 2:41 PM

ardumont added a commit: rSPSITEd25c56ef8dd6: Drop staging-rp-{webapp,deposit} which are declared in gandi.Nov 9 2020, 2:46 PM

A step was achieve in the configuration. The staging services are now accessible from the internet from these addresses :

webapp : https://webapp.staging.swh.network
deposit: https://deposit.staging.swh.network

It remains some monitoring alerts to solve and the counters on the home page of the webapp which seem to display the production numbers (and off course to document the new environment)/

ardumont mentioned this in D4430: doc: rename Getting Started as User Manual and update the content.Nov 10 2020, 9:38 AM

vsellier added a revision: D4454: network: Add an internal route to the public swh network.Nov 10 2020, 11:01 AM

vsellier added a commit: rSPSITEe25589e40654: network: Add an internal route to the public swh network.Nov 10 2020, 11:04 AM

To solve the monitoring alerts [1], we tried to bypass the restriction between the VLAN210 and the VLAN1300 by adding a route between pergamon and VLAN1300 via the firewall (D4454).
The route is well created on pergamon but it seems to be ignored :

root@pergamon:~# traceroute 128.93.166.2
traceroute to 128.93.166.2 (128.93.166.2), 30 hops max, 60 byte packets
 1  louvre.internal.softwareheritage.org (192.168.100.1)  0.185 ms * *

It's the same for other routes :

root@pergamon:~# traceroute 192.168.130.10
traceroute to 192.168.130.10 (192.168.130.10), 30 hops max, 60 byte packets
 1  louvre.internal.softwareheritage.org (192.168.100.1)  0.168 ms * *
 2  pushkin.internal.softwareheritage.org (192.168.100.129)  0.331 ms  0.316 ms  0.307 ms
 3  pushkin.internal.softwareheritage.org (192.168.100.129)  0.426 ms  0.414 ms  0.400 ms

We have manually added a route on louvre but it's ignored due to a masquerading rule used by the internet gateway. We have stopped here to avoid breaking anything

root@louvre:~# ip route add 128.93.166.0/26 via 192.168.100.130 dev ens18

root@louvre:~# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.100.0/24    !192.168.0.0/16      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

@olasd we need to discuss with you to identify the best way to move forward

[1] https://icinga.softwareheritage.org/dashboard#!/monitoring/service/show?host=rp0.internal.staging.swh.network&service=swh deposit https certificate
https://icinga.softwareheritage.org/monitoring/list/services?service_problem=1&sort=service_severity#!/monitoring/service/show?host=rp0.internal.staging.swh.network&service=swh webapp https certificate

After double(at least) checking the routed on louvre is working well (the packets are not intercepted by the ip masquerade).
The problem was the DNAT rule on the firewall was not applied because the packets are not entering from the vtnet0 interface (they were simply lost). The DNAT rule was updated to be applied on the vtnet1 (VLAN440) and vtnet0 (VLAN1300) interfaces[1]. Pergamon can now reach the reverse proxy on ports 80/443

[1]: R228:292b3b551b6138d5815a66b3fc2541d21e69891b

NB: The routes on pergamon were not reverted because they should work directly. It's still a point to discuss

ardumont mentioned this in rSENVff0b42651cce: Vagrantfile: Rename rp to rp0.Nov 10 2020, 3:37 PM

vsellier added a revision: D4456: staging monitoring: Fix vhost computation to use public vhost.Nov 10 2020, 3:54 PM

vsellier added a commit: rSPSITE19a95b2ca2b2: staging monitoring: Fix vhost computation to use public vhost.Nov 10 2020, 4:02 PM

This is a schema in complement of the previous ones. It represent a more network oriented interaction between the server and the firewall :

staging-network.svg34 KBDownload

staging-network.drawio3 KBDownload

vsellier added a revision: D4460: staging: Fix internal webapp and deposit communication.Nov 10 2020, 8:19 PM

ardumont added a commit: rSPSITEdd8b01b8ab5d: staging: Fix internal webapp and deposit communication.Nov 12 2020, 3:55 PM

Did a bit of cleanup in related sentry issues which should no longer come back.

Tests from hal-preprod plugged to our staging deposit went fine
Some deposits took place [1] and we can see the resulting ingested origins
in the staging webapp [2]

[1] P866

[2] https://webapp.staging.swh.network/browse/search/?q=preprod&with_visit=true&with_content=true

Email has been sent to swh-devel to announce it and to ask for feedback [1]

In the mean time, the work is done and this task can be closed \o/

[1] P867

ardumont closed this task as Resolved.Nov 17 2020, 11:17 AM

ardumont claimed this task.

ardumont moved this task from Backlog to deployed/landed/monitoring on the System administration board.Jan 6 2021, 3:45 PM

ardumont moved this task from deployed/landed/monitoring to done on the System administration board.Apr 21 2021, 6:58 PM

This task has been migrated to GitLab.

rSPRE sysadm-provisioning
	D4419	rSPRE9daad9118432 staging: Reference the new staging reverse proxy node
	D4424	rSPRE6b734c0e56ec terraform/proxmox: Make the ssh connection work
	D4423	rSPREb591b57db6f0 terraform/modules/node/main: Define custom facts puppet needs to run
	D4422	rSPREf2fae17af485 adapt the debian buster template to be used by terraform
rSPSITE puppet-swh-site
	D4460	rSPSITEdd8b01b8ab5d staging: Fix internal webapp and deposit communication
	D4456	rSPSITE19a95b2ca2b2 staging monitoring: Fix vhost computation to use public vhost
	D4454	rSPSITEe25589e40654 network: Add an internal route to the public swh network
	D4449	rSPSITEd25c56ef8dd6 Drop staging-rp-{webapp,deposit} which are declared in gandi
	D4447	rSPSITE6990707d63db Declare dns records on rp0/webapp/deposit nodes
	D4440	rSPSITEaee9a70879b8 reverse_proxy: Declare backend_http_* according to their environment
	D4440	rSPSITE5d1cc51c6665 reverse_proxy: Expose a backend name to reuse
	D4440	rSPSITE83170bb099db varnish: use different backends per vhosts
	D4421	rSPSITE6ad80079e5ad Rework webapp and deposit roles with and without reverse proxy
	D4421	rSPSITE36269a14938c Remove reverse proxy behavior from swh::deploy::{deposit, webapp}
	D4421	rSPSITEebb015428bff Define common apache configuration in staging/common.yaml
	D4421	rSPSITEa18f8fc74d15 Bootstrap staging reverse proxy (role, profile)

Create the reverse proxy to expose the staging services publicly
Closed, MigratedEdits Locked
Actions

Revisions and Commits

Related Objects
Search...

Event Timeline

Create the reverse proxy to expose the staging services publiclyClosed, MigratedEdits LockedActions

Revisions and Commits

Related ObjectsSearch...

Event Timeline

Create the reverse proxy to expose the staging services publicly
Closed, MigratedEdits Locked
Actions

Related Objects
Search...