Help:Using a web proxy to reach Cloud VPS servers from the internet

Cloud VPS
Cloud VPS technical documentation Cloud VPS and Toolforge at a glance Cloud VPS project Cloud VPS Infrastructure Cloud Services roles and user rights Cloud VPS administrator documentation Help and communication Glossary Technical documentation resources
Instances and access Set up a Cloud VPS Instance Set up a Cloud VPS Instance using MediaWiki-Vagrant Set up a Cloud VPS Instance using LAMP stack Access Cloud Services Instances Access Cloud Services Instances with PuTTY and WinSCP
Security and policies Security groups and firewall settings Configure sudo policies Server groups
Horizon, proxies and puppet About Horizon Manage floating IP addresses Proxy to reach Cloud VPS server Puppet compiler Standalone puppetmaster
Troubleshooting Locale errors LAMP issues
Additional documentation Resize root partition Development recommendations for easily moving to production
v · d · e

This page describes how to create a simple web proxy for a Cloud VPS instance.

For reaching the internet from production servers, see HTTP proxy.

Before you begin

Before you begin, you must:

• Be a Project admin for the project that contains the instance you wish to proxy.
• Enable two-factor authentication on your developer account.
• Set up security groups properly.

Creating a web proxy

1. Go to https://horizon.wikimedia.org/
2. Select your project.
3. Click "DNS" in the left navigation menu.
4. Click "Web Proxies" inside the expanded "DNS" section of the left navigation menu.
5. Click the "Create Proxy" button in the upper right of the page.
6. In the "Hostname" field, enter the hostname that you wish to have as the publicly-visible name for your instance. Important: Enter just the hostname (e.g. 'webtastic'), not the fully qualified name (e.g. 'webtastic.wmflabs.org').
7. Specify the domain for your instance using the “Domain” selector. If you want a domain that is not already present in the menu, a cloud admin (most likely a staff member) will need to create it for you.
8. Select the instance that you're creating a proxy for in the “Backend Instance” selector.
9. Enter the “Backend port” that the proxy should connect to on your instance. This will probably be either the default value of 80 if you are running a normal web server or 8080 if you are using MediaWiki-Vagrant.
10. Click “Create proxy”.

An entry for the new web proxy should appear in the proxy table.

Security groups

You may need to update your security group settings before you can access the instance on an external browser.

Some projects have setup a 'web' security group to make this easier or already added the common 80 and 8080 ports to their default security group.

1. Find "Security Groups" under the "Network" section in the left-hand navigation bar, and select the project you want to make available externally.
2. Add a new rule to open up your proxied port for outside access.
3. Set the start and end port in the rule form to the value you entered for “Backend port” when creating the proxy.
4. Select "tcp" as the protocol
5. CIDR range: 172.16.0.0/21
6. Click "Submit"

You may also have to apply this new (or existing) security group to the instance you want to make available: navigate to "Instances" (in the "Compute" section) and select "Edit Security Groups" from the "Actions" menu of the appropriate instance.

Delete unused a web proxies

Once your instance is no longer in use, make sure to delete the unused web proxy.

Migrate from a *.wmflabs.org proxy to a *.wmcloud.org proxy

Since 2020-07-06, newly created proxies use the wmcloud.org domain by default instead of the legacy wmflabs.org domain. Projects which have been using a *.wmflabs.org proxy can migrate to a *.wmcloud.org proxy by following these steps:

1. Create a new *.wmcloud.org proxy pointing to your backend service
2. Test your service using the new hostname while the related *.wmflabs.org proxy still exists
3. Once you are ready to redirect all traffic to the *.wmcloud.org hostname, just delete the legacy *.wmflabs.org proxy. The Cloud VPS HTTP proxy service will automatically issue a redirect from <host>.wmflabs.org to <host>.wmcloud.org when there is no existing proxy for <host>.wmflabs.org.

Troubleshooting

There are two reasons why web pages cannot be served by a default Cloud VPS instance:

1. Instances are closed off from outside networks with a firewall. You must open holes in the firewall by editing the security groups for your project.
2. Instances are assigned private IP addresses that are only visible from within Cloud VPS. This can be addressed by assigning your instance a public IP or by creating a web proxy.

Communication and support

We communicate and provide support through several primary channels. Please reach out with questions and to join the conversation.

Communicate with us

	Connect	Best for
Phabricator Workboard	#Cloud-Services	Task tracking and bug reporting
IRC Channel	#wikimedia-cloud connect	General discussion and support
Mailing List	cloud@	Information about ongoing initiatives, general discussion and support
Announcement emails	cloud-announce@	Information about critical changes (all messages mirrored to cloud@)
News wiki page	News	Information about major near-term plans
Cloud Services Blog	Clouds & Unicorns	Learning more details about some of our work
Wikimedia Technology Blog	techblog.wikimedia.org	News and stories from the Wikimedia technical movement