Re: [FBR] Make RabbitMQ cluster publicly available via proxies


On Wed, 6 Mar 2019 at 15:30, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> On 3/6/19 12:25 PM, Patrick Uiterwijk wrote:
> > Hi all,
> >
> > Could I get +1s for the below patch?
>
> +1, but do we need also:
>

+1

> * some rabbitmq config to add a vhost that doesn't require a user/cert
> for ro access?
>
> and
>
> * RHIT ticket to open those ports on proxy01/10?

Yes. Only a couple of ports are open on proxy01/10


> kevin
> --
> >
> > Thanks,
> > Patrick
> >
> >
> >
> > From 46dc8281edb9b874075525b1756ed0cfa0f91575 Mon Sep 17 00:00:00 2001
> > From: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
> > Date: Wed, 6 Mar 2019 21:11:12 +0100
> > Subject: [PATCH] Add rabbitmq proxying to the proxies
> >
> > Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
> > ---
> >  inventory/group_vars/proxies        |  5 +++++
> >  inventory/group_vars/proxies-stg    |  5 +++++
> >  roles/haproxy/templates/haproxy.cfg | 28 ++++++++++++++++++++++++++++
> >  3 files changed, 38 insertions(+)
> >
> > diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
> > index 4b97c2ae3..8901de118 100644
> > --- a/inventory/group_vars/proxies
> > +++ b/inventory/group_vars/proxies
> > @@ -17,6 +17,11 @@ tcp_ports: [
> >      # This is for TCP krb5
> >      1088,
> >
> > +    # This is for RabbitMQ public access
> > +    5671,
> > +    # This is for RabbitMQ internal-public access
> > +    15671,
> > +
> >      # This is for the haproxy HTML stats page
> >      # TODO -- there's no need for this to be wide open to the world.  With this
> >      # in place, you can visit https://apps.fedoraproject.org:8080 and get the
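Review bot: The comment "RabbitMQ internal-public access" on 15671 does not say who is meant to reach that port, and listing it in tcp_ports next to 5671 gives both ports the same exposure. The haproxy.cfg comment in this patch says the internal- frontend is intended for applications we directly control, so if this list is open to the world (the TODO on the stats port just below suggests it is), consider restricting 15671 by source address, or reword the comment to state that the split is for naming only and carries no access restriction.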
> > diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg
> > index 7aeb745e7..f5590beff 100644
> > --- a/inventory/group_vars/proxies-stg
> > +++ b/inventory/group_vars/proxies-stg
> > @@ -17,6 +17,11 @@ tcp_ports: [
> >      # This is for TCP krb5
> >      1088,
> >
> > +    # This is for RabbitMQ public access
> > +    5671,
> > +    # This is for RabbitMQ internal-public access
> > +    15671,
> > +
> >      # This is for the haproxy HTML stats page
> >      # TODO -- there's no need for this to be wide open to the world.  With this
> >      # in place, you can visit https://apps.fedoraproject.org:8080 and get the
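Review bot: Ports 5671 and 15671 are opened here unconditionally, but the haproxy frontends that bind them are wrapped in {% if datacenter == "phx2" %} in roles/haproxy/templates/haproxy.cfg. Any staging proxy outside phx2 would get the firewall openings with nothing listening behind them; either apply the same condition to these entries or say in the comment that they only take effect in phx2.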
> > diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
> > index 29bb567b7..0b4835fcd 100644
> > --- a/roles/haproxy/templates/haproxy.cfg
> > +++ b/roles/haproxy/templates/haproxy.cfg
> > @@ -565,6 +565,34 @@ backend copr-backend
> >      option  httpchk GET /api_3/
> >  {% endif %}
> >
> > +{% if datacenter == "phx2" %}
> > +# These ports are for proxying rabbitmq (AMQP) protocol through.
> > +# At this moment, internal- and public-rabbitmq both point to the exact same set of
> > +#  brokers on the backend, but the internal- is intended for applications we directly control.
> > +# This allows us to move to a separate cluster for public access if that became necessary
> > +#  on just the infra side, with no need to ask users to change anything.
> > +frontend internal-rabbitmq
> > +    mode tcp
> > +    bind 0.0.0.0:15671
> > +    default_backend rabbitmq
> > +
> > +frontend public-rabbitmq
> > +    mode tcp
> > +    bind 0.0.0.0:5671
> > +    default_backend rabbitmq
> > +
> > +backend rabbitmq
> > +    mode tcp
> > +    option tcplog
> > +    balance roundrobin
> > +    maxconn 16384
> > +    server rabbitmq01 rabbitmq01:5671 weight 1 maxconn 16384
> > +{% if env == "production %}
> > +    server rabbitmq02 rabbitmq02:5671 weight 1 maxconn 16384
> > +    server rabbitmq03 rabbitmq03:5671 weight 1 maxconn 16384
> > +{% endif %}
> > +{% endif %}
> > +
> >  # Apache doesn't handle the initial connection here like the other proxy
> >  # entries.  This proxy also doesn't use the http mode like the others.
> >  # stunnel should be sitting on port 9939 (public) and redirecting
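Review bot: The inner condition {% if env == "production %} is missing the closing quote after production, so the template will fail to render; it should read {% if env == "production" %}. Separately, the server lines in backend rabbitmq have no check keyword, so haproxy has no health check to take a down broker out of rotation and roundrobin will keep handing it new connections; adding check to each server line would fix that.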
> >
>
>
> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx



-- 
Stephen J Smoogen.