From 0cfedd2318fe50f87506635cb6e1c75e46934c35 Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Wed, 2 Jun 2021 13:25:49 +1000 Subject: [PATCH] Add static eavesdrop.openstack.org site We are trying to replace eavesdrop01.openstack.org The main landing page serves meeting information which has been moved to a static site served from AFS at meeting.opendev.org. Redirect everything to there. The IRC logs are currently still hosted on eavesdrop01, so while we work on migrating these, proxy meeting.opendev.org/ to this server. Note this will be a no-op until we move the DNS, but we should make the eavesdrop acme records before merging. Change-Id: I5c9c23e619dbe930a77f657b5cd6fdd862034301 --- .../host_vars/static01.opendev.org.yaml | 2 ++ .../handlers/main.yaml | 3 ++ .../files/50-eavesdrop.openstack.org.conf | 33 +++++++++++++++++++ .../static/files/50-meetings.opendev.org.conf | 6 ++++ playbooks/roles/static/tasks/main.yaml | 11 +++++++ testinfra/test_static.py | 7 ++++ 6 files changed, 62 insertions(+) create mode 100644 playbooks/roles/static/files/50-eavesdrop.openstack.org.conf diff --git a/inventory/service/host_vars/static01.opendev.org.yaml b/inventory/service/host_vars/static01.opendev.org.yaml index 5bf870b2fc..93861f73f6 100644 --- a/inventory/service/host_vars/static01.opendev.org.yaml +++ b/inventory/service/host_vars/static01.opendev.org.yaml @@ -23,6 +23,8 @@ letsencrypt_certs: - docs.openstack.org static01-docs-starlingx-io: - docs.starlingx.io + static01-eavesdrop-openstack-org: + - eavesdrop.openstack.org static01-glance-openstack-org: - glance.openstack.org static01-git-airshipit-org: diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml index 5e70ba75d6..eabc2f589e 100644 --- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml +++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml 
@@ -66,6 +66,9 @@ - name: letsencrypt updated static01-docs-starlingx-io include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml +- name: letsencrypt updated static01-eavesdrop-openstack-org + include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml + - name: letsencrypt updated static01-glance-openstack-org include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml diff --git a/playbooks/roles/static/files/50-eavesdrop.openstack.org.conf b/playbooks/roles/static/files/50-eavesdrop.openstack.org.conf new file mode 100644 index 0000000000..d58ec137ab --- /dev/null +++ b/playbooks/roles/static/files/50-eavesdrop.openstack.org.conf @@ -0,0 +1,33 @@ + + ServerName eavesdrop.openstack.org + + RewriteEngine On + + RewriteRule ^/(.*) https://meetings.opendev.org/$1 [last,redirect=permanent] + + LogLevel warn + ErrorLog /var/log/apache2/eavesdrop.openstack.org_error.log + CustomLog /var/log/apache2/eavesdrop.openstack.org_access.log combined + ServerSignature Off + + + + ServerName eavesdrop.openstack.org + + SSLCertificateFile /etc/letsencrypt-certs/eavesdrop.openstack.org/eavesdrop.openstack.org.cer + SSLCertificateKeyFile /etc/letsencrypt-certs/eavesdrop.openstack.org/eavesdrop.openstack.org.key + SSLCertificateChainFile /etc/letsencrypt-certs/eavesdrop.openstack.org/ca.cer + SSLProtocol All -SSLv2 -SSLv3 + # Note: this list should ensure ciphers that provide forward secrecy + SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP + SSLHonorCipherOrder on + + RewriteEngine On + + RewriteRule ^/(.*) https://meetings.opendev.org/$1 [last,redirect=permanent] + + LogLevel warn + ErrorLog /var/log/apache2/eavesdrop.openstack.org_error.log + CustomLog /var/log/apache2/eavesdrop.openstack.org_access.log combined + ServerSignature Off + 
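Review bot: `SSLProtocol All -SSLv2 -SSLv3` in the TLS vhost of 50-eavesdrop.openstack.org.conf still permits TLS 1.0 and 1.1 wherever the local OpenSSL build offers them; for a vhost created new in this commit I would write `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`. The cipher string on the next line also carries `!AES256`, which removes the `ECDH+AES256` and `DH+AES256` entries listed before it, so either those entries or the exclusion should go, with the comment above saying which was intended. The same cipher string shows as context in 50-meetings.opendev.org.conf, so both lines were presumably copied from sibling vhosts and a follow-up that changes them in one place may be the better vehicle.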
diff --git a/playbooks/roles/static/files/50-meetings.opendev.org.conf b/playbooks/roles/static/files/50-meetings.opendev.org.conf index 3be197f9e6..9441d43409 100644 --- a/playbooks/roles/static/files/50-meetings.opendev.org.conf +++ b/playbooks/roles/static/files/50-meetings.opendev.org.conf @@ -25,6 +25,12 @@ Define AFS_ROOT /afs/openstack.org/project/meetings.opendev.org SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP SSLHonorCipherOrder on + ProxyPass "/irclogs" "http://eavesdrop01.openstack.org/irclogs" ttl=120 keepalive=On retry=0 + ProxyPassReverse "/irclogs" "http://eavesdrop01.openstack.org/irclogs" + + ProxyPass "/meetings" "http://eavesdrop01.openstack.org/meetings" ttl=120 keepalive=On retry=0 + ProxyPassReverse "/meetings" "http://eavesdrop01.openstack.org/meetings" + Options Indexes FollowSymLinks MultiViews AllowOverrideList Redirect RedirectMatch diff --git a/playbooks/roles/static/tasks/main.yaml b/playbooks/roles/static/tasks/main.yaml index 7135fb914b..d0dab8af65 100644 --- a/playbooks/roles/static/tasks/main.yaml +++ b/playbooks/roles/static/tasks/main.yaml @@ -61,6 +61,16 @@ state: present name: headers +- name: Proxy module + apache2_module: + state: present + name: proxy + +- name: HTTP Proxy module + apache2_module: + state: present + name: proxy_http + - name: Copy apache tuning copy: src: apache-connection-tuning @@ -88,6 +98,7 @@ - 50-docs.opendev.org - 50-docs.openstack.org - 50-docs.starlingx.io + - 50-eavesdrop.openstack.org - 50-governance.openstack.org - 50-glance.openstack.org - 50-horizon.openstack.org diff --git a/testinfra/test_static.py b/testinfra/test_static.py index 444452b768..5545becd41 100644 --- a/testinfra/test_static.py +++ b/testinfra/test_static.py 
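Review bot: Both `ProxyPass` lines added to the TLS vhost in 50-meetings.opendev.org.conf fetch from `http://eavesdrop01.openstack.org/...` in cleartext, so content served under the https://meetings.opendev.org origin can be altered on the path between the two hosts without the browser noticing. If eavesdrop01 serves these paths over TLS (not visible in this diff), point the backends at `https://eavesdrop01.openstack.org/irclogs` and `https://eavesdrop01.openstack.org/meetings` and add `SSLProxyEngine on` to the vhost. If it cannot, a comment above the block such as `# Backend hop is plain HTTP; temporary until the IRC logs move off eavesdrop01` would record the trade-off. `retry=0` also means a failed backend is retried on every request with no back-off, which deserves a short comment if it is intentional. The enclosing vhost starts and ends outside the hunk.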
@@ -226,6 +226,13 @@ def test_meetings_opendev_org(host):
 'https://meetings.opendev.org/')
 assert 'IRC channels and meetings' in cmd.stdout
 
+def test_eavesdrop_openstack_org(host):
+ cmd = host.run('curl --insecure '
+ '--resolve eavesdrop.openstack.org:443:127.0.0.1 '
+ 'https://eavesdrop.openstack.org/')
+ assert '301 Moved Permanently' in cmd.stdout
+ assert 'https://meetings.opendev.org' in cmd.stdout
+
 ci_redirects = (
 ('/jenkins-job-builder', 'https://docs.openstack.org/infra/jenkins-job-builder'),
 ('/nodepool', 'https://docs.openstack.org/infra/nodepool'),
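Review bot: The assertion `'301 Moved Permanently' in cmd.stdout` in test_eavesdrop_openstack_org matches the HTML document Apache puts in the response body, not the status code or the `Location` header, so it passes or fails with the wording of that page. Asking curl for the fields directly is tighter: add `--silent --output /dev/null --write-out '%{http_code} %{redirect_url}'` to the command and assert `cmd.stdout == '301 https://meetings.opendev.org/'`. The test also covers only `/` on port 443. A second request for a non-root path would confirm that `$1` is carried through the rewrite, and neither the port-80 vhost nor the new `/irclogs` and `/meetings` proxy paths are exercised.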