Note: I updated patch 2 to remove the changes in the wgSquidServersNoPurge value: those
changes should NOT have included the port number.
With kind regards,
Patrick Uiterwijk
Fedora Infra
----- Original Message -----
========================== PATCH 1/2 ==========================
commit 3f625948af36dc8047ffcbba0496bf008d77fcb5
Author: Patrick Uiterwijk <puiterwijk(a)redhat.com>
Date: Thu Mar 5 00:41:37 2015 +0000
Allow direct varnish access for internal hosts
This allows internal hosts that are in the purge acl to issue purge requests.
Apache won't forward purge, since it doesn't know what that is.
diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 3953b71..c86440a 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -34,10 +34,14 @@ custom_rules: [
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
- # only allow varnish from localhost
+ # allow varnish from localhost
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
+ # also allow varnish from internal for purge requests
+ '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
+
# Allow koschei.cloud to talk to the inbound fedmsg relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
# Allow jenkins.cloud to talk to the inbound fedmsg relay.
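Review bot: The two added ACCEPT rules for --dport 6081 admit whole /24 ranges (192.168.1.0/24 and 10.5.126.0/24), which is broader than the commit message's "hosts that are in the purge acl". Any host on those networks can now reach varnish directly on 6081, not only send PURGE, so the restriction rests entirely on the varnish purge ACL. Consider limiting -s to the addresses of the wiki servers that issue the purges, and extend the comment to say that the varnish ACL is what decides who may purge.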
diff --git a/inventory/group_vars/proxies-stg
b/inventory/group_vars/proxies-stg
index 1b8fef2..2520ff1 100644
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
@@ -33,10 +33,14 @@ custom_rules: [
'-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
- # only allow varnish from localhost
+ # allow varnish from localhost
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
+ # also allow varnish from internal for purge requests
+ '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
+ '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
+
# Allow koschei.cloud to talk to the inbound fedmsg relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
# Allow jenkins.cloud to talk to the inbound fedmsg relay.
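Review bot: The staging rules added here use the same two source ranges as the production file, so the staging varnish on 6081 becomes reachable from the same networks as production rather than only from staging hosts. If only the staging wiki needs to purge proxy01.stg, narrow -s to that host. Since the block is now copied verbatim into both files, a shared variable would also keep the two from drifting apart.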
========================== PATCH 2/2 ==========================
commit 2d8118cb4b20d4f5341cb4bb4028c38bb2353122
Author: Patrick Uiterwijk <puiterwijk(a)redhat.com>
Date: Thu Mar 5 00:56:10 2015 +0000
Fix mediawiki to determine proxies and send correct PURGE requests
As commented: wgSquidServers is the set it sends a PURGE request to
diff --git a/roles/mediawiki/templates/LocalSettings.php.fp.j2
b/roles/mediawiki/templates/LocalSettings.php.fp.j2
index a8e0142..2c46482 100644
--- a/roles/mediawiki/templates/LocalSettings.php.fp.j2
+++ b/roles/mediawiki/templates/LocalSettings.php.fp.j2
@@ -322,9 +322,10 @@ $wgSkipSkins = array("chick", "cologneblue",
"monobook", "myskin", "nostalgia",
$wgSVGConverter = 'rsvg';
-#We use apache, but apparently it's the same difference
+# This series of settings is used for reverse proxies
$wgUseSquid = true;
-$wgSquidServers = array(
+# The SquidNoPurge setting is used to determine reverse proxies
+$wgSquidServersNoPurge = array(
{% if environment == "staging" %}
# proxy01.stg
"10.5.126.88",
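Review bot: The new comment above $wgSquidServersNoPurge says "SquidNoPurge" rather than the variable name, and it does not say that entries must be bare addresses. Spell out in the comment that this list is the set of hosts MediaWiki treats as reverse proxies and that no port belongs in it, which is the mistake the cover note says an earlier version of this patch made.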
@@ -368,7 +369,32 @@ $wgSquidServers = array(
"192.168.1.17",
{% endif %}
);
-$wgSquidServersNoPurge = array('127.0.0.1');
+# This setting is used to send PURGE requests to varnish on reverse proxies upon page
changes
+$wgSquidServers = array(
+{% if environment == "staging" %}
+ # proxy01.stg
+ "10.5.126.88:6081",
+{% else %}
+ # proxy01
+ "10.5.126.52:6081",
+ # proxy02
+ "192.168.1.12:6081",
+ # proxy03
+ "192.168.1.7:6081",
+ # proxy04
+ "192.168.1.14:6081",
+ # proxy06
+ "192.168.1.63:6081",
+ # proxy07
+ "192.168.1.52:6081",
+ # proxy08
+ "192.168.1.78:6081",
+ # proxy09
+ "192.168.1.15:6081",
+ # proxy10
+ "10.5.126.51:6081",
+{% endif %}
+);
$wgSquidMaxage = 432000;
# Don't add rel="nofollow"
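Review bot: The new $wgSquidServers list repeats the proxy addresses by hand with :6081 appended, and the two lists already differ in the visible lines: the $wgSquidServersNoPurge array ends with "192.168.1.17", but there is no "192.168.1.17:6081" entry here, so if that host is a caching proxy it will not receive PURGE. If the omission is intentional, add a comment saying so; otherwise build both arrays from one Jinja list so they cannot drift. Separately, the removed line `$wgSquidServersNoPurge = array('127.0.0.1');` drops 127.0.0.1 from the proxy list, so please confirm nothing local still fronts the wiki.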