Portal:Cloud VPS/Admin/Web proxy

From Wikitech

The web proxy (aka dynamicproxy aka novaproxy aka Yuviproxy) mechanism powers the Cloud VPS web proxy service. It's powered by Nginx, OpenResty, a Redis backend and a Python API to manage it. The setup is hosted in the project-proxy Cloud VPS project.

How to

Enable per-project subdomain delegation

To enable the use of a delegated wmcloud.org subdomain on the proxy, follow these steps:

  1. Ensure a subdomain delegation is a good idea for the specific use case.
  2. Delegate the specific subdomain in Designate to the project using wmcs-makedomain if it's not delegated already. To check, see the domain listing in Horizon or in openstack-browser for that specific project.
  3. Provision the TLS certificates in the project-proxy-acme-chief prefix hiera:
    1. Add the project ID to profile::acme_chief::cloud::designate_sync_project_names if not there already.
    2. Add the names to an existing profile::acme_chief::certificates entry if there's a related zone already configured or add a new certificate definition. By convention, custom domains have certificates with names starting with custom, e.g. customtools for Toolforge and Toolsbeta.
  4. Run Puppet on the active project-proxy acme-chief host.
  5. Add the zone to profile::wmcs::novaproxy::supported_zones in the proxy Hiera prefix.
  6. Run Puppet on the proxy instances, starting with the passive.

Expose real visitor IPs to a proxied service

The default behavior of novaproxy is to hide the actual user's IP address from a proxied service. This helps protect end-user privacy and also reduces the risk of a Cloud VPS project accidentally leaking private information. There are however use cases that really need the visitor's apparent IP to be exposed. Generally this is used for some form of vandal or content harvesting protection.

To expose visitor IP addresses to a backend service, add the webproxy name (for example utrs.wmflabs.org) to the list of proxies in the profile::wmcs::novaproxy::xff_fqdns Project Puppet hiera setting via Horizon. This will configure the proxy to send the IP it sees for the user in an X-Forwarded-For header attached to each request.
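Once the proxy starts sending X-Forwarded-For, the backend still has to decide when to believe it. The following is an added example, not code from this page or from the project-proxy setup: it derives the visitor address only when the TCP peer is a known proxy and walks the header from the right, so a client cannot spoof its origin by supplying its own X-Forwarded-For. The proxy network in TRUSTED_PROXIES is a constructed placeholder, not a real Cloud VPS address.

```python
"""Added example (not from the Wikitech page): picking the visitor IP on a
service behind novaproxy once its name is listed in xff_fqdns.
The TRUSTED_PROXIES network is a constructed placeholder."""
import ipaddress
from typing import Iterable, Optional

# Constructed placeholder for the address range the proxy instances connect from.
TRUSTED_PROXIES = {ipaddress.ip_network("172.16.0.0/24")}


def _is_trusted(ip: str, trusted: Iterable) -> bool:
    """True if ip parses and lies inside one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def visitor_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Return the address a backend should log or rate-limit on.

    X-Forwarded-For is consulted only when the TCP peer is a trusted proxy.
    The header is then read right-to-left, skipping trusted hops, so a value
    prepended by the client itself is ignored rather than believed.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr          # direct connection: header is client-controlled
    if not xff:
        return remote_addr          # proxy sent no XFF (name not in xff_fqdns)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr  # malformed hop: fall back to the proxy peer
    return remote_addr              # every hop was a proxy; nothing else to trust
```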

See also