On Wed, 6 Mar 2019 at 15:30, Kevin Fenzi <kevin@xxxxxxxxx> wrote: > > On 3/6/19 12:25 PM, Patrick Uiterwijk wrote: > > Hi all, > > > > Could I get +1s for the below patch? > > +1, but do we need also: > +! > * some rabbitmq config to add a vhost that doesn't require a user/cert > for ro access? > > and > > * RHIT ticket to open those ports on proxy01/10? Yes. Only a couple of ports are open on proxy01/10 > kevin > -- > > > > Thanks, > > Patrick > > > > > > > > From 46dc8281edb9b874075525b1756ed0cfa0f91575 Mon Sep 17 00:00:00 2001 > > From: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx> > > Date: Wed, 6 Mar 2019 21:11:12 +0100 > > Subject: [PATCH] Add rabbitmq proxying to the proxies > > > > Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx> > > --- > > inventory/group_vars/proxies | 5 +++++ > > inventory/group_vars/proxies-stg | 5 +++++ > > roles/haproxy/templates/haproxy.cfg | 28 ++++++++++++++++++++++++++++ > > 3 files changed, 38 insertions(+) > > > > diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies > > index 4b97c2ae3..8901de118 100644 > > --- a/inventory/group_vars/proxies > > +++ b/inventory/group_vars/proxies > > @@ -17,6 +17,11 @@ tcp_ports: [ > > # This is for TCP krb5 > > 1088, > > > > + # This is for RabbitMQ public access > > + 5671, > > + # This is for RabbitMQ internal-public access > > + 15671, > > + > > # This is for the haproxy HTML stats page > > # TODO -- there's no need for this to be wide open to the world. With this > > # in place, you can visit https://apps.fedoraproject.org:8080 and get the > > diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg > > index 7aeb745e7..f5590beff 100644 > > --- a/inventory/group_vars/proxies-stg > > +++ b/inventory/group_vars/proxies-stg 
> > @@ -17,6 +17,11 @@ tcp_ports: [ > > # This is for TCP krb5 > > 1088, > > > > + # This is for RabbitMQ public access > > + 5671, > > + # This is for RabbitMQ internal-public access > > + 15671, > > + > > # This is for the haproxy HTML stats page > > # TODO -- there's no need for this to be wide open to the world. With this > > # in place, you can visit https://apps.fedoraproject.org:8080 and get the > > diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg > > index 29bb567b7..0b4835fcd 100644 > > --- a/roles/haproxy/templates/haproxy.cfg > > +++ b/roles/haproxy/templates/haproxy.cfg 
> > @@ -565,6 +565,34 @@ backend copr-backend > > option httpchk GET /api_3/ > > {% endif %} > > > > +{% if datacenter == "phx2" %} > > +# These ports are for proxying rabbitmq (AMQP) protocol through. > > +# At this moment, internal- and public-rabbitmq both point to the exact same set of > > +# brokers on the backend, but the internal- is intended for applications we directly control. > > +# This allows us to move to a separate cluster for public access if that became necessary > > +# on just the infra side, with no need to ask users to change anything. > > +frontend internal-rabbitmq > > + mode tcp > > + bind 0.0.0.0:15671 > > + default_backend rabbitmq > > + > > +frontend public-rabbitmq > > + mode tcp > > + bind 0.0.0.0:5671 > > + default_backend rabbitmq > > + > > +backend rabbitmq > > + mode tcp > > + option tcplog > > + balance roundrobin > > + maxconn 16384 > > + server rabbitmq01 rabbitmq01:5671 weight 1 maxconn 16384 > > +{% if env == "production %} > > + server rabbitmq02 rabbitmq02:5671 weight 1 maxconn 16384 > > + server rabbitmq03 rabbitmq03:5671 weight 1 maxconn 16384 > > +{% endif %} > > +{% endif %} > > + > > # Apache doesn't handle the initial connection here like the other proxy > > # entries. This proxy also doesn't use the http mode like the others. > > # stunnel should be sitting on port 9939 (public) and redirecting > > > > > _______________________________________________ > infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx -- Stephen J Smoogen. 
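Review bot: In the inventory/group_vars/proxies hunk (and the identical proxies-stg hunk), 15671 goes into the same tcp_ports list as 5671, and the existing TODO just below about the haproxy stats port suggests entries in this list end up reachable from anywhere. The haproxy.cfg comment says the internal- frontend is intended for applications we directly control, so either restrict 15671 to the source addresses of those applications, or reword the comment "RabbitMQ internal-public access" to say plainly that the port is publicly reachable and that broker authentication is the only thing separating the two classes of client.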
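Review bot: In the roles/haproxy/templates/haproxy.cfg hunk, the line `{% if env == "production %}` is missing the closing double quote after production, so the string literal is unterminated and the template will not render as intended; it should read `{% if env == "production" %}`. The `server rabbitmq01 rabbitmq01:5671 weight 1 maxconn 16384` lines also carry no `check`, so with `balance roundrobin` haproxy has no way to stop sending new connections to a broker that is down; adding `check` to each server line would cover that. Both frontends bind 0.0.0.0 and share `default_backend rabbitmq`, so the internal/public split is by port number only, which is worth stating in the comment block so nobody later assumes 15671 is network-restricted by this config.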