
Portal:Cloud VPS/Admin/Web proxy

From Wikitech

The web proxy (aka dynamicproxy aka novaproxy aka Yuviproxy) mechanism powers the Cloud VPS web proxy service. It's powered by Nginx, OpenResty, a Redis backend and a Python API to manage it. The setup is hosted in the project-proxy (proxy-codfw1dev in codfw1dev) Cloud VPS project.

How to

Check the active HA node

The web proxy is running in two VMs in a Keepalived HA setting. The public floating IP is pointed to a (static) Neutron VIP, that Keepalived assigns to the "active" instance.

How to find the public floating IP and the Neutron VIP it points to:

cloudcontrol1005:~$ sudo wmcs-openstack floating ip list --project project-proxy

How to find which VM is currently the "active" one:

# Grep for the Neutron VIP in both VMs
proxy-XX:~$ ip a | grep "$NEUTRON_VIP"

# You can also check the keepalived logs to see state transitions
proxy-XX:~$ sudo journalctl -u keepalived.service

Enable per-project subdomain delegation

To enable the use of a delegated wmcloud.org subdomain (or some other domain managed in Designate) on the proxy, follow these steps:

  1. Ensure a subdomain delegation is a good idea for the specific use case.
  2. Delegate the specific subdomain in Designate to the project using wmcs-makedomain if it's not delegated already. To check, see the domain listing in Horizon or in openstack-browser for that specific project.
  3. Provision the TLS certificates in the project-proxy-acme-chief prefix hiera:
    1. Add the project ID to profile::acme_chief::cloud::designate_sync_project_names if not there already.
    2. Add the names to an existing profile::acme_chief::certificates entry if there's a related zone already configured or add a new certificate definition. By convention, custom domains have certificates with names starting with custom, e.g. customtools for Toolforge and Toolsbeta.
  4. Run Puppet on the active project-proxy acme-chief host.
  5. Add the zone to profile::wmcs::novaproxy::supported_zones in the proxy Hiera prefix.
    profile::wmcs::novaproxy::supported_zones:
      catalyst-dev.wmcloud.org.:  # The FQDN of the new subdomain
        acmechief_cert: customcatalyst-dev  # The name of the record added to profile::acme_chief::certificates
        id: 35699886-add9-4ad3-88d7-5b2829f8c72c  # The delegated subdomain's Designate record UUID
        project: 7209100e0e744a4fbdf447534d4eb825  # The Cloud VPS project ID, not the project name.
        shared: false # False to restrict use of the subdomain to the delegated Cloud VPS project
    
  6. Run Puppet on the proxy instances, starting with the passive.

Enable support for a custom domain

To enable the use of a custom (non-Designate managed) domain with the web proxy:

  1. Ensure a custom domain is a good idea for the specific use case.
  2. Ensure the domain name is pointed to the proxy following the instructions on Help:Using a web proxy to reach Cloud VPS servers from the internet#Vanity domains.
  3. Provision the TLS certificates by adding an entry to profile::acme_chief::certificates in project-proxy-acme-chief Hiera. By convention, custom domains have certificates with names starting with custom. Note that you will need to set challenge: http-01, and every domain name must be listed individually, as wildcard certificates are not supported.
  4. Run Puppet on the active project-proxy acme-chief host.
  5. Add the zone to profile::wmcs::novaproxy::supported_zones in the proxy Hiera prefix. Leave id (the Designate zone ID) empty, and set apex: true if the configured root domain itself should be usable as a proxy name.
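The supported_zones entries added in the subdomain-delegation and custom-domain procedures above are easy to get subtly wrong (project name instead of project ID, missing trailing dot, a non-UUID id). The following is an added example, not code from Wikitech or the Puppet repository: a small checker over a constructed Python dict that mirrors the Hiera structure shown on this page. The 32-hex-character shape of the project ID and the "custom" certificate-name prefix are assumptions taken from the conventions described here.

```python
import re
import uuid

# Constructed sample mirroring profile::wmcs::novaproxy::supported_zones.
# The first entry copies the values shown on this page; the other two are
# made up (one valid custom domain, one deliberately broken entry).
SAMPLE_ZONES = {
    "catalyst-dev.wmcloud.org.": {
        "acmechief_cert": "customcatalyst-dev",
        "id": "35699886-add9-4ad3-88d7-5b2829f8c72c",
        "project": "7209100e0e744a4fbdf447534d4eb825",
        "shared": False,
    },
    "example.org.": {  # custom, non-Designate domain: empty id, apex allowed
        "acmechief_cert": "customexample",
        "id": "",
        "apex": True,
        "project": "00000000000000000000000000000000",  # placeholder
        "shared": False,
    },
    "broken.wmcloud.org": {  # no trailing dot, bad id, project name given
        "acmechief_cert": "broken",
        "id": "not-a-uuid",
        "project": "catalyst-dev",
        "shared": False,
    },
}

# Assumption: OpenStack project IDs are 32 lowercase hex characters.
PROJECT_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def check_zone(name, zone):
    """Return the list of problems found in one supported_zones entry."""
    problems = []
    if not name.endswith("."):
        problems.append("zone name must be a FQDN ending in '.'")
    if not zone.get("acmechief_cert", "").startswith("custom"):
        problems.append("acmechief_cert should start with 'custom' by convention")
    zone_id = zone.get("id", "")
    if zone_id:  # empty id is the documented value for custom domains
        try:
            uuid.UUID(zone_id)
        except ValueError:
            problems.append("id must be a Designate zone UUID or empty")
    if not zone.get("shared", False) and not PROJECT_ID_RE.match(zone.get("project", "")):
        problems.append("non-shared zone needs the Cloud VPS project ID, not its name")
    return problems


def check_supported_zones(zones):
    """Map each zone name to its problems, keeping only zones that have any."""
    results = {name: check_zone(name, zone) for name, zone in zones.items()}
    return {name: probs for name, probs in results.items() if probs}
```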

Expose real visitor IPs to a proxied service

The default behavior of novaproxy is to hide the actual user's IP address from a proxied service. This helps protect end-user privacy and also reduces the risk of a Cloud VPS project accidentally leaking private information. There are however use cases that really need the visitor's apparent IP to be exposed. Generally this is used for some form of vandal or content harvesting protection.

To expose visitor IP addresses to a backend service, add the web proxy name (for example utrs.wmflabs.org) to the list of proxies in the profile::wmcs::novaproxy::xff_fqdns Project Puppet Hiera setting via Horizon. This configures the proxy to pass the client IP it sees to the backend in an X-Forwarded-For header attached to each request.

See also