Migrate sentry node to admin vlan
This:
-
Actually installs the reverse proxy part to serve sentry request
-
Update varnish reverse proxy to allow specific icinga checks (to conserve actual sentry checks as is).
-
No impact on riverside node regarding sentry (besides its vagrant ip change)
-
Installs a rewrite rule on the pergamon reverse proxy to keep the sentry.s.o resolution working as is until the TTL expires [1]
-
[1] sentry.s.o will change from targeting pergamon to targeting swh-rproxy3.inria.fr
Related to T3891
Test Plan
riverside (but cannot octo-diff it as the fqdn changes)
pergamon (reverse-proxy, dns) impacted:
$ $SWH_PUPPET_ENVIRONMENT_HOME/bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details --to staging pergamon
...
diff origin/production/pergamon.softwareheritage.org current/pergamon.softwareheritage.org
*******************************************
- Apache::Mod[proxy]
*******************************************
- Apache::Mod[proxy_http]
*******************************************
Apache::Vhost[sentry.softwareheritage.org_non-ssl] =>
parameters =>
docroot =>
- /var/www/html
+ /var/www
manage_docroot =>
- false
+ true
*******************************************
Apache::Vhost[sentry.softwareheritage.org_ssl] =>
parameters =>
docroot =>
- /var/www/html
+ /var/www
manage_docroot =>
- false
+ true
proxy_pass =>
- [{"path"=>"/", "url"=>"http://riverside.internal.softwareheritage.org:9000/"}]
proxy_preserve_host =>
- true
+ false
request_headers =>
- ["set X-Forwarded-Proto \"https\"", "set X-Forwarded-Port \"443\""]
rewrites =>
+ [{"rewrite_rule"=>["^.*$ http://riverside.internal.admin.swh.network"]}]
ssl_cert =>
- /etc/ssl/certs/letsencrypt/sentry/cert.pem
+ /etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem
ssl_chain =>
- /etc/ssl/certs/letsencrypt/sentry/chain.pem
+ /etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem
ssl_key =>
- /etc/ssl/certs/letsencrypt/sentry/privkey.pem
+ /etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem
*******************************************
Concat::Fragment[sentry.softwareheritage.org_non-ssl-directories] =>
parameters =>
content =>
@@ -1,6 +1,6 @@
_
- ## Directories, there should at least be a declaration for /var/www/html
+ ## Directories, there should at least be a declaration for /var/www
_
- <Directory "/var/www/html">
+ <Directory "/var/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
*******************************************
Concat::Fragment[sentry.softwareheritage.org_non-ssl-docroot] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
_
## Vhost docroot
- DocumentRoot "/var/www/html"
+ DocumentRoot "/var/www"
*******************************************
Concat::Fragment[sentry.softwareheritage.org_ssl-directories] =>
parameters =>
content =>
@@ -1,6 +1,6 @@
_
- ## Directories, there should at least be a declaration for /var/www/html
+ ## Directories, there should at least be a declaration for /var/www
_
- <Directory "/var/www/html">
+ <Directory "/var/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
*******************************************
Concat::Fragment[sentry.softwareheritage.org_ssl-docroot] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
_
## Vhost docroot
- DocumentRoot "/var/www/html"
+ DocumentRoot "/var/www"
*******************************************
- Concat::Fragment[sentry.softwareheritage.org_ssl-proxy]
*******************************************
- Concat::Fragment[sentry.softwareheritage.org_ssl-requestheader]
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org_ssl-rewrite] =>
parameters =>
"order": 190
"target": "25-sentry.softwareheritage.org_ssl.conf"
"content": >>>
## Rewrite rules
RewriteEngine On
RewriteRule ^.*$ http://riverside.internal.admin.swh.network
<<<
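Review bot: The `RewriteRule ^.*$ http://riverside.internal.admin.swh.network` rendered into the ssl vhost has no flags and an absolute `http://` target on a different host, so mod_rewrite answers with an external redirect instead of proxying; the same catalog removes `Apache::Mod[proxy]` and `Apache::Mod[proxy_http]`, so `[P]` is not available either. A client still resolving sentry.s.o to pergamon is sent from HTTPS to a plaintext, internal-only hostname with the request path dropped, and SDKs posting events may not replay the POST body across a redirect, so events can be lost during the TTL window while the internal name is disclosed to outside clients. If the goal is to keep the service working until the TTL expires, consider keeping `proxy_pass` (pointed at the new backend) for that period; if a redirect really is intended, make it explicit with `[R=302,L]` and say so in the description. The same rule appears in the `Apache::Vhost[sentry.softwareheritage.org_ssl]` and `Concat_fragment[sentry.softwareheritage.org_ssl-rewrite]` stanzas.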
*******************************************
Concat::Fragment[sentry.softwareheritage.org_ssl-ssl] =>
parameters =>
content =>
@@ -2,7 +2,7 @@
## SSL directives
SSLEngine on
- SSLCertificateFile "/etc/ssl/certs/letsencrypt/sentry/cert.pem"
- SSLCertificateKeyFile "/etc/ssl/certs/letsencrypt/sentry/privkey.pem"
- SSLCertificateChainFile "/etc/ssl/certs/letsencrypt/sentry/chain.pem"
+ SSLCertificateFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
+ SSLCertificateKeyFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
+ SSLCertificateChainFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
*******************************************
Concat_fragment[sentry.softwareheritage.org_non-ssl-directories] =>
parameters =>
content =>
@@ -1,6 +1,6 @@
_
- ## Directories, there should at least be a declaration for /var/www/html
+ ## Directories, there should at least be a declaration for /var/www
_
- <Directory "/var/www/html">
+ <Directory "/var/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
*******************************************
Concat_fragment[sentry.softwareheritage.org_non-ssl-docroot] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
_
## Vhost docroot
- DocumentRoot "/var/www/html"
+ DocumentRoot "/var/www"
*******************************************
Concat_fragment[sentry.softwareheritage.org_ssl-directories] =>
parameters =>
content =>
@@ -1,6 +1,6 @@
_
- ## Directories, there should at least be a declaration for /var/www/html
+ ## Directories, there should at least be a declaration for /var/www
_
- <Directory "/var/www/html">
+ <Directory "/var/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
*******************************************
Concat_fragment[sentry.softwareheritage.org_ssl-docroot] =>
parameters =>
content =>
@@ -1,3 +1,3 @@
_
## Vhost docroot
- DocumentRoot "/var/www/html"
+ DocumentRoot "/var/www"
*******************************************
- Concat_fragment[sentry.softwareheritage.org_ssl-proxy]
*******************************************
- Concat_fragment[sentry.softwareheritage.org_ssl-requestheader]
*******************************************
+ Concat_fragment[sentry.softwareheritage.org_ssl-rewrite] =>
parameters =>
"order": 190
"tag": "25-sentry.softwareheritage.org_ssl.conf"
"target": "25-sentry.softwareheritage.org_ssl.conf"
"content": >>>
## Rewrite rules
RewriteEngine On
RewriteRule ^.*$ http://riverside.internal.admin.swh.network
<<<
*******************************************
Concat_fragment[sentry.softwareheritage.org_ssl-ssl] =>
parameters =>
content =>
@@ -2,7 +2,7 @@
## SSL directives
SSLEngine on
- SSLCertificateFile "/etc/ssl/certs/letsencrypt/sentry/cert.pem"
- SSLCertificateKeyFile "/etc/ssl/certs/letsencrypt/sentry/privkey.pem"
- SSLCertificateChainFile "/etc/ssl/certs/letsencrypt/sentry/chain.pem"
+ SSLCertificateFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
+ SSLCertificateKeyFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
+ SSLCertificateChainFile "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
*******************************************
+ Exec[letsencrypt certonly sentry.softwareheritage.org] =>
parameters =>
"command": "certbot --text --agree-tos --non-interactive certonly --rsa-key-size 4096 --cert-name 'sentry.softwareheritage.org' -d 'sentry.softwareheritage.org' --authenticator manual --preferred-challenges dns --manual-public-ip-logging-ok --manual-auth-hook '/usr/local/bin/letsencrypt_gandi_livedns auth' --manual-cleanup-hook '/usr/local/bin/letsencrypt_gandi_livedns cleanup' --deploy-hook '/usr/local/bin/letsencrypt_puppet_export'"
"environment": []
"path": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"provider": "shell"
"unless": "/usr/local/sbin/letsencrypt-domain-validation /etc/letsencrypt/live/sentry.softwareheritage.org/cert.pem 'sentry.softwareheritage.org'"
*******************************************
- Exec[letsencrypt certonly sentry]
*******************************************
- File[/etc/apache2/mods-available/proxy.conf]
*******************************************
- File[/etc/apache2/mods-available/proxy.load]
*******************************************
- File[/etc/apache2/mods-available/proxy_http.load]
*******************************************
- File[/etc/apache2/mods-enabled/proxy.conf]
*******************************************
- File[/etc/apache2/mods-enabled/proxy.load]
*******************************************
- File[/etc/apache2/mods-enabled/proxy_http.load]
*******************************************
...
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"notify": ["Class[Apache::Service]"]
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/cert.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"notify": ["Class[Apache::Service]"]
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/chain.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/fullchain.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/fullchain.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0600"
"notify": ["Class[Apache::Service]"]
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/privkey.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org] =>
parameters =>
"ensure": "directory"
"group": "root"
"mode": "0755"
"owner": "root"
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry/cert.pem]
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry/chain.pem]
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry/fullchain.pem]
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry/privkey.pem]
*******************************************
- File[/etc/ssl/certs/letsencrypt/sentry]
*******************************************
+ File[/var/www] =>
parameters =>
"ensure": "directory"
"group": "root"
"owner": "root"
*******************************************
+ Letsencrypt::Certonly[sentry.softwareheritage.org] =>
parameters =>
"additional_args": ["--authenticator manual", "--preferred-challenges dns", "--manual-public-ip-logging-ok", "--manual-auth-hook '/usr/local/bin/letsencrypt_gandi_livedns auth'", "--manual-cleanup-hook '/usr/local/bin/letsencrypt_gandi_livedns cleanup'", "--deploy-hook '/usr/local/bin/letsencrypt_puppet_export'"]
"cert_name": "sentry.softwareheritage.org"
"config_dir": "/etc/letsencrypt"
"cron_hour": 4
"cron_minute": 15
"cron_monthday": ["*"]
"custom_plugin": true
"deploy_hook_commands": []
"domains": ["sentry.softwareheritage.org"]
"ensure": "present"
"environment": []
"key_size": 4096
"letsencrypt_command": "certbot"
"manage_cron": false
"plugin": "standalone"
"post_hook_commands": []
"pre_hook_commands": []
"suppress_cron_output": false
"webroot_paths": []
*******************************************
- Letsencrypt::Certonly[sentry]
*******************************************
+ Profile::Letsencrypt::Certificate[sentry.softwareheritage.org] =>
parameters =>
"basename": "sentry.softwareheritage.org"
"privkey_group": "root"
"privkey_mode": "0600"
"privkey_owner": "root"
*******************************************
- Profile::Letsencrypt::Certificate[sentry]
*******************************************
- Profile::Reverse_proxy[sentry]
*******************************************
*** End octocatalog-diff on pergamon.softwareheritage.org
rp1:
$ $SWH_PUPPET_ENVIRONMENT_HOME/bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details --to staging rp1.internal.admin.swh.network
...
diff origin/production/rp1.internal.admin.swh.network current/rp1.internal.admin.swh.network
*******************************************
+ Concat::Fragment[/etc/varnish/includes.vcl:sentry] =>
parameters =>
"content": "include \"includes/01_sentry.vcl\";"
"order": "01"
"target": "/etc/varnish/includes.vcl"
*******************************************
+ Concat::Fragment[/etc/varnish/includes.vcl:vhost_sentry.softwareheritage.org] =>
parameters =>
"content": "include \"includes/50_vhost_sentry.softwareheritage.org.vcl\";"
"order": "50"
"target": "/etc/varnish/includes.vcl"
*******************************************
+ Concat::Fragment[hitch::domain sentry.softwareheritage.org] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "10"
"target": "/etc/hitch/hitch.conf"
"content": >>>
pem-file = "/etc/hitch/sentry.softwareheritage.org.pem"
<<<
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org cacert] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "03"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org cert] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "02"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org dhparams] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "04"
"source": "/etc/hitch/dhparams.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat::Fragment[sentry.softwareheritage.org key] =>
parameters =>
"notify": "Class[Hitch::Service]"
"order": "01"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat[/etc/hitch/sentry.softwareheritage.org.pem] =>
parameters =>
"backup": "puppet"
"ensure": "present"
"ensure_newline": false
"force": false
"format": "plain"
"group": "_hitch"
"mode": "0640"
"notify": "Class[Hitch::Service]"
"order": "alpha"
"owner": "root"
"path": "/etc/hitch/sentry.softwareheritage.org.pem"
"replace": true
"show_diff": true
"warn": false
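Review bot: `Concat[/etc/hitch/sentry.softwareheritage.org.pem]` assembles the private key (the order `01` fragment sourced from `privkey.pem`) into a file managed with `"show_diff": true` and `"backup": "puppet"`. On certificate renewal that can put a diff of key material into agent logs and reports when the global `show_diff` setting is enabled, and it keeps the previous bundle in the agent's filebucket. These look like defaults rather than choices made in this change, so the fix probably belongs wherever this concat is declared: set `show_diff => false` and `backup => false` on it. The `0640` mode with owner `root` and group `_hitch` looks appropriate, and the `Concat_file[/etc/hitch/sentry.softwareheritage.org.pem]` stanza carries the same parameters.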
*******************************************
+ Concat_file[/etc/hitch/sentry.softwareheritage.org.pem] =>
parameters =>
"backup": "puppet"
"ensure_newline": false
"force": false
"format": "plain"
"group": "_hitch"
"mode": "0640"
"order": "alpha"
"owner": "root"
"replace": true
"show_diff": true
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
*******************************************
+ Concat_fragment[/etc/varnish/includes.vcl:sentry] =>
parameters =>
"content": "include \"includes/01_sentry.vcl\";"
"order": "01"
"tag": "_etc_varnish_includes.vcl"
"target": "/etc/varnish/includes.vcl"
*******************************************
+ Concat_fragment[/etc/varnish/includes.vcl:vhost_sentry.softwareheritage.org] =>
parameters =>
"content": "include \"includes/50_vhost_sentry.softwareheritage.org.vcl\";"
"order": "50"
"tag": "_etc_varnish_includes.vcl"
"target": "/etc/varnish/includes.vcl"
*******************************************
+ Concat_fragment[hitch::domain sentry.softwareheritage.org] =>
parameters =>
"order": "10"
"tag": "_etc_hitch_hitch.conf"
"target": "/etc/hitch/hitch.conf"
"content": >>>
pem-file = "/etc/hitch/sentry.softwareheritage.org.pem"
<<<
*******************************************
+ Concat_fragment[sentry.softwareheritage.org cacert] =>
parameters =>
"order": "03"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat_fragment[sentry.softwareheritage.org cert] =>
parameters =>
"order": "02"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat_fragment[sentry.softwareheritage.org dhparams] =>
parameters =>
"order": "04"
"source": "/etc/hitch/dhparams.pem"
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ Concat_fragment[sentry.softwareheritage.org key] =>
parameters =>
"order": "01"
"source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
"tag": "_etc_hitch_sentry.softwareheritage.org.pem"
"target": "/etc/hitch/sentry.softwareheritage.org.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/cert.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/chain.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/fullchain.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0644"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/fullchain.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem] =>
parameters =>
"ensure": "present"
"group": "root"
"mode": "0600"
"owner": "root"
"source": "puppet:///le_certs/sentry.softwareheritage.org/privkey.pem"
*******************************************
+ File[/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org] =>
parameters =>
"ensure": "directory"
"group": "root"
"mode": "0755"
"owner": "root"
*******************************************
+ File[/etc/varnish/includes/01_sentry.vcl] =>
parameters =>
"group": "root"
"mode": "0644"
"notify": "Exec[vcl_reload]"
"owner": "root"
"content": >>>
# backend_default.vcl
#
# Default backend definition.
#
# File managed by puppet. All modifications will be lost.
backend sentry
{
.host = "riverside.internal.admin.swh.network";
.port = "80";
}
<<<
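Review bot: The `sentry` backend points at `riverside.internal.admin.swh.network` on port `80`, so TLS ends at hitch on rp1 and session cookies and event payloads cross the admin VLAN in plaintext. The vhost VCL sets `X-Forwarded-Proto` itself, which only covers requests that pass through rp1; it is worth confirming that riverside's port 80 accepts connections from rp1 only and that Sentry trusts that header from the proxy only. The old pergamon vhost also sent `X-Forwarded-Port "443"`, which this path no longer sets; whether Sentry depends on it is not visible here. The same backend definition is repeated in the `Profile::Varnish::Vcl_include[sentry]` and `Varnish::Vcl[/etc/varnish/includes/01_sentry.vcl]` stanzas.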
*******************************************
+ File[/etc/varnish/includes/50_vhost_sentry.softwareheritage.org.vcl] =>
parameters =>
"group": "root"
"mode": "0644"
"notify": "Exec[vcl_reload]"
"owner": "root"
"content": >>>
# vhost_sentry.softwareheritage.org.vcl
#
# Settings for the sentry.softwareheritage.org vhost
#
# File managed by puppet. All modifications will be lost.
sub vcl_recv {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
var.set("known-vhost", "yes");
if (std.port(server.ip) == 80) {
set req.http.x-redir = "https://" + req.http.host + req.url;
return(synth(850, "Moved permanently"));
} else {
set req.http.X-Forwarded-Proto = "https";
set req.backend_hint = sentry;
}
}
}
sub vcl_deliver {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (std.port(server.ip) != 80) {
set resp.http.Strict-Transport-Security = "max-age=15768000;";
}
}
}
sub vcl_synth {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (resp.status == 401) {
set resp.http.WWW-Authenticate = "Basic";
return(deliver);
}
}
}
<<<
*******************************************
+ Hitch::Domain[sentry.softwareheritage.org] =>
parameters =>
"cacert_source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/chain.pem"
"cert_source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/cert.pem"
"default": false
"ensure": "present"
"key_source": "/etc/ssl/certs/letsencrypt/sentry.softwareheritage.org/privkey.pem"
*******************************************
+ Profile::Hitch::Ssl_cert[sentry.softwareheritage.org] =>
parameters =>
"ssl_cert_name": "sentry.softwareheritage.org"
*******************************************
+ Profile::Letsencrypt::Certificate[sentry.softwareheritage.org] =>
parameters =>
"basename": "sentry.softwareheritage.org"
"privkey_group": "root"
"privkey_mode": "0600"
"privkey_owner": "root"
*******************************************
+ Profile::Varnish::Vcl_include[sentry] =>
parameters =>
"basename": "sentry"
"order": "01"
"content": >>>
# backend_default.vcl
#
# Default backend definition.
#
# File managed by puppet. All modifications will be lost.
backend sentry
{
.host = "riverside.internal.admin.swh.network";
.port = "80";
}
<<<
*******************************************
+ Profile::Varnish::Vcl_include[vhost_sentry.softwareheritage.org] =>
parameters =>
"basename": "vhost_sentry.softwareheritage.org"
"order": "50"
"content": >>>
# vhost_sentry.softwareheritage.org.vcl
#
# Settings for the sentry.softwareheritage.org vhost
#
# File managed by puppet. All modifications will be lost.
sub vcl_recv {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
var.set("known-vhost", "yes");
if (std.port(server.ip) == 80) {
set req.http.x-redir = "https://" + req.http.host + req.url;
return(synth(850, "Moved permanently"));
} else {
set req.http.X-Forwarded-Proto = "https";
set req.backend_hint = sentry;
}
}
}
sub vcl_deliver {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (std.port(server.ip) != 80) {
set resp.http.Strict-Transport-Security = "max-age=15768000;";
}
}
}
sub vcl_synth {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (resp.status == 401) {
set resp.http.WWW-Authenticate = "Basic";
return(deliver);
}
}
}
<<<
*******************************************
+ Profile::Varnish::Vhost[sentry.softwareheritage.org] =>
parameters =>
"aliases": []
"backend_http_host": "riverside.internal.admin.swh.network"
"backend_http_port": "80"
"backend_name": "sentry"
"basic_auth": false
"hsts_max_age": 15768000
"order": "50"
"servername": "sentry.softwareheritage.org"
"websocket_support": false
*******************************************
+ Varnish::Vcl[/etc/varnish/includes/01_sentry.vcl] =>
parameters =>
"file": "/etc/varnish/includes/01_sentry.vcl"
"content": >>>
# backend_default.vcl
#
# Default backend definition.
#
# File managed by puppet. All modifications will be lost.
backend sentry
{
.host = "riverside.internal.admin.swh.network";
.port = "80";
}
<<<
*******************************************
+ Varnish::Vcl[/etc/varnish/includes/50_vhost_sentry.softwareheritage.org.vcl] =>
parameters =>
"file": "/etc/varnish/includes/50_vhost_sentry.softwareheritage.org.vcl"
"content": >>>
# vhost_sentry.softwareheritage.org.vcl
#
# Settings for the sentry.softwareheritage.org vhost
#
# File managed by puppet. All modifications will be lost.
sub vcl_recv {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
var.set("known-vhost", "yes");
if (std.port(server.ip) == 80) {
set req.http.x-redir = "https://" + req.http.host + req.url;
return(synth(850, "Moved permanently"));
} else {
set req.http.X-Forwarded-Proto = "https";
set req.backend_hint = sentry;
}
}
}
sub vcl_deliver {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (std.port(server.ip) != 80) {
set resp.http.Strict-Transport-Security = "max-age=15768000;";
}
}
}
sub vcl_synth {
if (
req.http.host ~ "^(?i)sentry\.softwareheritage\.org(:[0-9]+)?$"
) {
if (resp.status == 401) {
set resp.http.WWW-Authenticate = "Basic";
return(deliver);
}
}
}
<<<
*******************************************
*** End octocatalog-diff on rp1.internal.admin.swh.network
Migrated from D7045 (view on Phabricator)