Hi,
as noted on https://pagure.io/fedora-infrastructure/issue/8109, I did finish the DNS switch so Fedora Magazine should now be available without the proxy.
This was done because the previous setup did trigger alerts resulting in the reverse proxy being blocked, resulting in random failure from people until someone (an admin) fixed it. Since that's just going to be a whack-a-mole game (as we will always trigger alerts from proxies, due to the setup), we removed the proxy from the equation.
In practice, it does change a few details:
- the certificate. Now, this is a letsencrypt one, not a digicert one.
- the blog is IPv4 only
If anything is broken, do not hesitate to ping me or report the problem using the usual way.
For now, I keep the setup so it can be reversed easily (just a rapid DNS change) if any problem is discovered. I will clean the config later once enough time has passed.
Thanks for continuing to work on this, Michael. I'm not sure I understand the proxy trouble, but that's OK. The Magazine seems to be working well for daily use so far. If something changes we'll let you know!
Paul
On Tue, Aug 27, 2019 at 8:34 AM Michael Scherer <mscherer@redhat.com> wrote:
> Hi,
> as noted on https://pagure.io/fedora-infrastructure/issue/8109, I did finish the DNS switch so Fedora Magazine should now be available without the proxy.
> This was done because the previous setup did trigger alerts resulting in the reverse proxy being blocked, resulting in random failure from people until someone (an admin) fixed it. Since that's just going to be a whack-a-mole game (as we will always trigger alerts from proxies, due to the setup), we removed the proxy from the equation.
> In practice, it does change a few details:
> - the certificate. Now, this is a letsencrypt one, not a digicert one.
> - the blog is IPv4 only
> If anything is broken, do not hesitate to ping me or report the problem using the usual way.
> For now, I keep the setup so it can be reversed easily (just a rapid DNS change) if any problem is discovered. I will clean the config later once enough time has passed.
> -- Michael Scherer / He/Il/Er/Él Sysadmin, Community Infrastructure
On Tue, 27 Aug 2019, Paul Frields wrote:
> Thanks for continuing to work on this, Michael. I'm not sure I understand the proxy trouble, but that's OK. The Magazine seems to be working well for daily use so far. If something changes we'll let you know!
>> In practice, it does change a few details:
>> - the certificate. Now, this is a letsencrypt one, not a digicert one.
>> - the blog is IPv4 only
I don't see any problem with letsencrypt. But why not include the IPv6 of the server in DNS? Why would a proxy be required to support IPv6? Does Wordpress somehow not support IPv6 or something, and the proxy was used to work around that?
On Tuesday 27 August 2019 at 10:06 -0400, Stuart D. Gathman wrote:
> On Tue, 27 Aug 2019, Paul Frields wrote:
>> Thanks for continuing to work on this, Michael. I'm not sure I understand the proxy trouble, but that's OK. The Magazine seems to be working well for daily use so far. If something changes we'll let you know!
>>> In practice, it does change a few details:
>>> - the certificate. Now, this is a letsencrypt one, not a digicert one.
>>> - the blog is IPv4 only
> I don't see any problem with letsencrypt.
yeah, just warning people to not panic if they see the cert got changed;
> But why not include the IPv6 of the server in DNS?
Our provider (wpengine) only supports IPv4 AFAIK.
> Why would a proxy be required to support IPv6? Does Wordpress somehow not support IPv6 or something, and the proxy was used to work around that?
No, the proxy was used for the old installation (like last month) in Fedora cloud. It was set up this way so the certificate (a digicert one, so 3 years but not automated) could be managed by the infra team for all websites at once. The IPv6 was just a side effect of being hosted on Fedora infra managed systems.
We moved out of the cloud to a hosted wordpress provider, so we had to get a new certificate, hence the switch to letsencrypt. And a new IP, hence the warning.
I warned people, in case some folks have some fancy browser plugin that verifies certificates, this kind of stuff (principle of least surprise).