Portal:Toolforge/Admin/Legacy redirector for webservices
In 2020, a change happened to how Toolforge webservices are accessed from the internet.
- The domain changed from tools.wmflabs.org to toolforge.org.
- The URL scheme changed from tools.wmflabs.org/<toolname>/ to <toolname>.toolforge.org/.
To preserve legacy URLs as working endpoints, we deployed a mechanism called legacy redirector that is meant stay online for as long as we consider it useful (forever?).
How it works
In a separate server from the main front proxy, there is an nginx server that loads a LUA script. This script checks if the tool is allowed to have a legacy redirect (we don't want to allow the legacy redirect for newer webservices), by checking a static list.
The legacy FQDN tools.wmflabs.org must point to this VM, so users can access it directly from the internet (TODO: floating IP?)
Then, the end client will see a HTTP status code 301 moved permanently, pointing to the new domain/URL scheme.
The static list is generated by checking the front proxy redis for registered webservices in the grid and by checking ingresses in the kubernetes cluster. There is a helper script to generate the list, should we need to update it:
A simple virtual machine with the puppet role
role::wmcs::toolforge::legacy_redirector and the following hiera configuration:
profile::toolforge::canonical_domain: toolforge.org profile::toolforge::canonical_scheme: https:// profile::toolforge::proxy::do_https: true
Note that these values are the default in the puppet profile manifest, so it's OK if we don't set then explicitly anyway.
In the case of toolsbeta, the hiera config needs to be:
profile::toolforge::canonical_domain: toolsbeta.wmflabs.org profile::toolforge::canonical_scheme: http:// profile::toolforge::proxy::do_https: false
The most important service in the server is the nginx service, which has a very simplified configuration. Logs can be found at /var/log/nginx/access.log and /var/log/nginx/error.log.