Jump to content

Portal:Toolforge/Admin/Legacy redirector for webservices

From Wikitech

In 2020, a change happened to how Toolforge webservices are accessed from the internet.

  • The domain changed from tools.wmflabs.org to toolforge.org.
  • The URL scheme changed from tools.wmflabs.org/<toolname>/ to <toolname>.toolforge.org/.

To preserve legacy URLs as working endpoints, we deployed a mechanism called legacy redirector that is meant stay online for as long as we consider it useful (forever?).

How it works

In a separate server from the main front proxy, there is an nginx server that loads a LUA script. This script checks if the tool is allowed to have a legacy redirect (we don't want to allow the legacy redirect for newer webservices), by checking a static list.
The legacy FQDN tools.wmflabs.org must point to this VM, so users can access it directly from the internet (TODO: floating IP?)

Then, the end client will see a HTTP status code 301 moved permanently, pointing to the new domain/URL scheme.

The static list is generated by checking the front proxy redis for registered webservices in the grid and by checking ingresses in the kubernetes cluster. There is a helper script to generate the list, should we need to update it:

Arturo's page, wmcs-generate-legacy-redirector-map.py script.


A simple virtual machine with the puppet role role::wmcs::toolforge::legacy_redirector and the following hiera configuration:

profile::toolforge::canonical_domain: toolforge.org
profile::toolforge::canonical_scheme: https://
profile::toolforge::proxy::do_https: true

Note that these values are the default in the puppet profile manifest, so it's OK if we don't set then explicitly anyway.

In the case of toolsbeta, the hiera config needs to be:

profile::toolforge::canonical_domain: toolsbeta.wmflabs.org
profile::toolforge::canonical_scheme: http://
profile::toolforge::proxy::do_https: false

The most important service in the server is the nginx service, which has a very simplified configuration. Logs can be found at /var/log/nginx/access.log and /var/log/nginx/error.log.

See also