Hi all, Could I get +1s for the below patch? Thanks, Patrick
>From 46dc8281edb9b874075525b1756ed0cfa0f91575 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
Date: Wed, 6 Mar 2019 21:11:12 +0100
Subject: [PATCH] Add rabbitmq proxying to the proxies
Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
---
 inventory/group_vars/proxies | 5 +++++
 inventory/group_vars/proxies-stg | 5 +++++
 roles/haproxy/templates/haproxy.cfg | 28 ++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+)
diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 4b97c2ae3..8901de118 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -17,6 +17,11 @@ tcp_ports: [
 # This is for TCP krb5
 1088,
+ # This is for RabbitMQ public access
+ 5671,
+ # This is for RabbitMQ internal-public access
+ 15671,
+
 # This is for the haproxy HTML stats page
 # TODO -- there's no need for this to be wide open to the world. With this
 # in place, you can visit https://apps.fedoraproject.org:8080 and get the
diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg
index 7aeb745e7..f5590beff 100644
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
@@ -17,6 +17,11 @@ tcp_ports: [
 # This is for TCP krb5
 1088,
+ # This is for RabbitMQ public access
+ 5671,
+ # This is for RabbitMQ internal-public access
+ 15671,
+
 # This is for the haproxy HTML stats page
 # TODO -- there's no need for this to be wide open to the world. With this
 # in place, you can visit https://apps.fedoraproject.org:8080 and get the
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 29bb567b7..0b4835fcd 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -565,6 +565,34 @@ backend copr-backend
 option httpchk GET /api_3/
 {% endif %}
+{% if datacenter == "phx2" %}
+# These ports are for proxying rabbitmq (AMQP) protocol through.
+# At this moment, internal- and public-rabbitmq both point to the exact same set of
+# brokers on the backend, but the internal- is intended for applications we directly control.
+# This allows us to move to a separate cluster for public access if that became necessary
+# on just the infra side, with no need to ask users to change anything.
+frontend internal-rabbitmq
+ mode tcp
+ bind 0.0.0.0:15671
+ default_backend rabbitmq
+
+frontend public-rabbitmq
+ mode tcp
+ bind 0.0.0.0:5671
+ default_backend rabbitmq
+
+backend rabbitmq
+ mode tcp
+ option tcplog
+ balance roundrobin
+ maxconn 16384
+ server rabbitmq01 rabbitmq01:5671 weight 1 maxconn 16384
+{% if env == "production %}
+ server rabbitmq02 rabbitmq02:5671 weight 1 maxconn 16384
+ server rabbitmq03 rabbitmq03:5671 weight 1 maxconn 16384
+{% endif %}
+{% endif %}
+
 # Apache doesn't handle the initial connection here like the other proxy
 # entries. This proxy also doesn't use the http mode like the others.
 # stunnel should be sitting on port 9939 (public) and redirecting
--
2.20.1
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
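Review bot: The added `{% if env == "production %}` line never closes its string literal, so the template should either fail to render or mis-parse everything up to the next double quote; it needs to be `{% if env == "production" %}`. The `server` lines in `backend rabbitmq` carry no `check`, so roundrobin keeps handing connections to a broker that is down; `server rabbitmq01 rabbitmq01:5671 check weight 1 maxconn 16384`, and the same for rabbitmq02 and rabbitmq03, would let haproxy take dead brokers out of rotation. `frontend internal-rabbitmq` binds `0.0.0.0:15671`, and the two inventory hunks add 15671 to `tcp_ports` right beside the public 5671. If `tcp_ports` is opened to the world, as the stats-page TODO in those hunks suggests, the "internal" listener is exactly as reachable as the public one and the split rests entirely on broker-side authentication. A source-address restriction on that port, or a comment such as `# NOTE: 15671 is not network-restricted; access control is enforced by the brokers`, would make that explicit.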