========================== PATCH 1/2 ==========================
commit 3f625948af36dc8047ffcbba0496bf008d77fcb5
Author: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
Date: Thu Mar 5 00:41:37 2015 +0000

Allow direct varnish access for internal hosts

This allows internal that are in the purge acl to issue purge requests. Apache won't forward purge, since it doesn't know what that is.

diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 3953b71..c86440a 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -34,10 +34,14 @@ custom_rules: [
  '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
  '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
- # only allow varnish from localhost
+ # allow varnish from localhost
  '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
  '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
+ # also allow varnish from internal for purge requests
+ '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
+
  # Allow koschei.cloud to talk to the inbound fedmsg relay.
  '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
  # Allow jenkins.cloud to talk to the inbound fedmsg relay.
diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg
index 1b8fef2..2520ff1 100644
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
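Review bot: The two added rules admit every host in 192.168.1.0/24 and 10.5.126.0/24 to the varnish listener on 6081, not only the hosts the commit message says are in the purge ACL, so any machine on those subnets can presumably now fetch through varnish directly, bypassing whatever the Apache in front of it enforces (the identical rules are added to proxies-stg in the next hunk). The PURGE authorization itself is therefore carried entirely by the varnish purge ACL, which is not part of this patch; either confirm that ACL is limited to the wiki hosts or narrow -s to those hosts the way the 873 rules above do. Port 6082, the varnish admin interface, correctly stays localhost-only. The comment should state what the rule relies on: `# also allow varnish (6081) from the internal subnets for PURGE; who may purge is decided by the purge ACL in the varnish config, not by this rule`. The custom_rules list begins and ends outside the hunk.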
@@ -33,10 +33,14 @@ custom_rules: [
  '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
  '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
- # only allow varnish from localhost
+ # allow varnish from localhost
  '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
  '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
+ # also allow varnish from internal for purge requests
+ '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
+
  # Allow koschei.cloud to talk to the inbound fedmsg relay.
  '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
  # Allow jenkins.cloud to talk to the inbound fedmsg relay.
========================== PATCH 2/2 ==========================
commit baac9baa8b20ceda6e422acd7bf9a7f9f2a5686f
Author: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
Date: Thu Mar 5 00:56:10 2015 +0000

Fix mediawiki to determine proxies and send correct PURGE requests

As commented: wgSquidServers is the set it sends a PURGE request to

diff --git a/roles/mediawiki/templates/LocalSettings.php.fp.j2 b/roles/mediawiki/templates/LocalSettings.php.fp.j2
index a8e0142..b2620e0 100644
--- a/roles/mediawiki/templates/LocalSettings.php.fp.j2
+++ b/roles/mediawiki/templates/LocalSettings.php.fp.j2
@@ -322,15 +322,16 @@ $wgSkipSkins = array("chick", "cologneblue", "monobook", "myskin", "nostalgia",
 $wgSVGConverter = 'rsvg';
-#We use apache, but apparently it's the same difference
+# This series of settings is used for reverse proxies
 $wgUseSquid = true;
-$wgSquidServers = array(
+# The SquidNoPurge setting is used to determine reverse proxies
+$wgSquidServersNoPurge = array(
 {% if environment == "staging" %}
  # proxy01.stg
-  "10.5.126.88",
+  "10.5.126.88:6081",
 {% else %}
  # proxy01
-  "10.5.126.52",
+  "10.5.126.52:6081",
  "192.168.1.11",
  # proxy02
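Review bot: The two entries that now carry a port suffix in $wgSquidServersNoPurge, `"10.5.126.88:6081"` and `"10.5.126.52:6081"`, look wrong for this list: the new comment says it is the list used to determine reverse proxies, and as far as I know MediaWiki does that by matching the connecting address against these entries, for which a host:port string never matches an IP (the other entries here, such as `"192.168.1.11"`, are plain addresses). Those two proxies would then no longer be recognized as trusted, which matters because that recognition decides whether the X-Forwarded-For they send is honored for blocks, rate limits and logging. The port belongs only in the $wgSquidServers purge list this patch adds further down; here the two lines should read `"10.5.126.88",` and `"10.5.126.52",`. The array continues past the end of the hunk.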
@@ -368,7 +369,32 @@ $wgSquidServers = array(
  "192.168.1.17",
 {% endif %}
 );
-$wgSquidServersNoPurge = array('127.0.0.1');
+# This setting is used to send PURGE requests to varnish on reverse proxies upon page changes
+$wgSquidServers = array(
+{% if environment == "staging" %}
+ # proxy01.stg
+ "10.5.126.88:6081",
+{% else %}
+ # proxy01
+ "10.5.126.52:6081",
+ # proxy02
+ "192.168.1.12:6081",
+ # proxy03
+ "192.168.1.7:6081",
+ # proxy04
+ "192.168.1.14:6081",
+ # proxy06
+ "192.168.1.63:6081",
+ # proxy07
+ "192.168.1.52:6081",
+ # proxy08
+ "192.168.1.78:6081",
+ # proxy09
+ "192.168.1.15:6081",
+ # proxy10
+ "10.5.126.51:6081",
+{% endif %}
+);
 $wgSquidMaxage = 432000;
 # Don't add rel="nofollow"
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
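Review bot: The new $wgSquidServers array duplicates, proxy by proxy, the addresses kept in $wgSquidServersNoPurge earlier in this template and the subnets opened in the group_vars firewall rules of the first patch, so adding, renumbering or moving a proxy now has to be edited in three hand-maintained places and the lists will drift (the two arrays already differ: proxy01 is listed as 10.5.126.52 plus 192.168.1.11 in one and as 10.5.126.52:6081 alone in the other, which may be deliberate but is undocumented). Rendering both arrays from a single proxy-address list variable in group_vars would remove the duplication. The removed line also drops 127.0.0.1 from $wgSquidServersNoPurge; unless it reappears in the part of that array not shown here, local requests stop being treated as coming from a proxy, which may be intended but is not mentioned in the commit message. Because the firewall change lets the whole internal subnets reach 6081, PURGE requests from these wiki hosts are honored only if varnish's own purge ACL lists them, so that ACL and this list need to be kept consistent.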