Freeze break request: [2 patches] Allow internal hosts to connect to the Varnish port and configure apache correctly

Patrick Uiterwijk puiterwijk at redhat.com
Thu Mar 5 01:03:06 UTC 2015


Note: I updated patch 2 to remove the changes in the wgSquidServersNoPurge value: those changes should NOT have included the port number.

With kind regards,
Patrick Uiterwijk
Fedora Infra

----- Original Message -----
> ========================== PATCH 1/2 ==========================
> commit 3f625948af36dc8047ffcbba0496bf008d77fcb5
> Author: Patrick Uiterwijk <puiterwijk at redhat.com>
> Date:   Thu Mar 5 00:41:37 2015 +0000
> 
>     Allow direct varnish access for internal hosts
>     
>     This allows internal hosts that are in the purge acl to issue purge requests.
>     Apache won't forward purge, since it doesn't know what that is.
> 
> diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
> index 3953b71..c86440a 100644
> --- a/inventory/group_vars/proxies
> +++ b/inventory/group_vars/proxies
> @@ -34,10 +34,14 @@ custom_rules: [
>      '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
>      '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
>  
> -    # only allow varnish from localhost
> +    # allow varnish from localhost
>      '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
>      '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
>  
> +    # also allow varnish from internal for purge requests
> +    '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
> +    '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
> +
>      # Allow koschei.cloud to talk to the inbound fedmsg relay.
>      '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
>      # Allow jenkins.cloud to talk to the inbound fedmsg relay.
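Review bot: the new source ranges are whole /24s, while the commit message says the intent is to let the hosts in the purge ACL issue PURGE requests; any machine on 192.168.1.0/24 or 10.5.126.0/24 can now reach port 6081 directly and bypass Apache, so Varnish's purge ACL becomes the only control on who may purge. The 873 rules just above this block are per-host (`-s 192.168.1.59`, `-s 209.132.181.102`); consider the same per-host form for the wiki servers here, or at least extend the comment to state that the purge ACL in the VCL is what enforces the restriction. Keeping 6082 (the admin port) on 127.0.0.1 only is right.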
> diff --git a/inventory/group_vars/proxies-stg
> b/inventory/group_vars/proxies-stg
> index 1b8fef2..2520ff1 100644
> --- a/inventory/group_vars/proxies-stg
> +++ b/inventory/group_vars/proxies-stg
> @@ -33,10 +33,14 @@ custom_rules: [
>      '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
>      '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
>  
> -    # only allow varnish from localhost
> +    # allow varnish from localhost
>      '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
>      '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
>  
> +    # also allow varnish from internal for purge requests
> +    '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
> +    '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
> +
>      # Allow koschei.cloud to talk to the inbound fedmsg relay.
>      '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
>      # Allow jenkins.cloud to talk to the inbound fedmsg relay.
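Review bot: this block duplicates the production rules verbatim, including both /24 source ranges; staging only needs 6081 open to the staging host(s) that send PURGE requests, otherwise every host on those two networks gets direct Varnish access on the staging proxies as well. If the two files are meant to stay identical, move the rules into a shared variable so the copies cannot drift apart.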
> 
> 
> 
> ========================== PATCH 2/2 ==========================
commit 2d8118cb4b20d4f5341cb4bb4028c38bb2353122
Author: Patrick Uiterwijk <puiterwijk at redhat.com>
Date:   Thu Mar 5 00:56:10 2015 +0000

    Fix mediawiki to determine proxies and send correct PURGE requests
    
    As commented: wgSquidServers is the set it sends a PURGE request to

diff --git a/roles/mediawiki/templates/LocalSettings.php.fp.j2 b/roles/mediawiki/templates/LocalSettings.php.fp.j2
index a8e0142..2c46482 100644
--- a/roles/mediawiki/templates/LocalSettings.php.fp.j2
+++ b/roles/mediawiki/templates/LocalSettings.php.fp.j2
@@ -322,9 +322,10 @@ $wgSkipSkins = array("chick", "cologneblue", "monobook", "myskin", "nostalgia",
 
 $wgSVGConverter = 'rsvg';
 
-#We use apache, but apparently it's the same difference
+# This series of settings is used for reverse proxies
 $wgUseSquid = true;
-$wgSquidServers = array(
+# The SquidNoPurge setting is used to determine reverse proxies
+$wgSquidServersNoPurge = array(
 {% if environment == "staging" %}
     # proxy01.stg
     "10.5.126.88",
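Review bot: the comment `# The SquidNoPurge setting is used to determine reverse proxies` should say what that means in practice: $wgSquidServersNoPurge is the list of proxies MediaWiki trusts when reading X-Forwarded-For to recover the real client address, so every entry here can present arbitrary client IPs to the wiki (blocks, rate limits and logs all depend on it). The entries must stay bare IPs for that match to work, which is why the follow-up note at the top of this mail removed the port from this list; record that in the comment so the next edit does not reintroduce it.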
@@ -368,7 +369,32 @@ $wgSquidServers = array(
     "192.168.1.17",
 {% endif %}
 );
-$wgSquidServersNoPurge = array('127.0.0.1');
+# This setting is used to send PURGE requests to varnish on reverse proxies upon page changes
+$wgSquidServers = array(
+{% if environment == "staging" %}
+    # proxy01.stg
+    "10.5.126.88:6081",
+{% else %}
+    # proxy01
+    "10.5.126.52:6081",
+    # proxy02
+    "192.168.1.12:6081",
+    # proxy03
+    "192.168.1.7:6081",
+    # proxy04
+    "192.168.1.14:6081",
+    # proxy06
+    "192.168.1.63:6081",
+    # proxy07
+    "192.168.1.52:6081",
+    # proxy08
+    "192.168.1.78:6081",
+    # proxy09
+    "192.168.1.15:6081",
+    # proxy10
+    "10.5.126.51:6081",
+{% endif %}
+);
 $wgSquidMaxage = 432000;
 
 # Don't add rel="nofollow" 
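Review bot: the proxy addresses are now maintained twice by hand, once bare in $wgSquidServersNoPurge and once with `:6081` here, and both lists must name exactly the same hosts or a proxy will either not be purged or not be trusted; render both arrays from one Jinja list of proxy IPs (e.g. `"{{ ip }}",` in the first and `"{{ ip }}:6081",` in the second) so they cannot drift. Also, removing `$wgSquidServersNoPurge = array('127.0.0.1');` drops localhost from the trusted-proxy list without a word in the commit message; if anything still reaches MediaWiki via 127.0.0.1 it will no longer be treated as a proxy, so either keep that entry or say in the message why it is not needed.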

