Freeze break request: [2 patches] Allow internal hosts to connect to the Varnish port and configure apache correctly
Patrick Uiterwijk
puiterwijk at redhat.com
Thu Mar 5 01:03:06 UTC 2015
Note: I updated patch 2 to remove the changes in the wgSquidServersNoPurge value: those changes should NOT have included the port number.
With kind regards,
Patrick Uiterwijk
Fedora Infra
----- Original Message -----
> ========================== PATCH 1/2 ==========================
> commit 3f625948af36dc8047ffcbba0496bf008d77fcb5
> Author: Patrick Uiterwijk <puiterwijk at redhat.com>
> Date: Thu Mar 5 00:41:37 2015 +0000
>
> Allow direct varnish access for internal hosts
>
> This allows internal hosts that are in the purge acl to issue purge requests.
> Apache won't forward purge, since it doesn't know what that is.
>
> diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
> index 3953b71..c86440a 100644
> --- a/inventory/group_vars/proxies
> +++ b/inventory/group_vars/proxies
> @@ -34,10 +34,14 @@ custom_rules: [
> '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
> '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
>
> - # only allow varnish from localhost
> + # allow varnish from localhost
> '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
> '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
>
> + # also allow varnish from internal for purge requests
> + '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
> + '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
> +
> # Allow koschei.cloud to talk to the inbound fedmsg relay.
> '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
> # Allow jenkins.cloud to talk to the inbound fedmsg relay.
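Review bot: The two new ACCEPT rules open port 6081 to every host in 192.168.1.0/24 and 10.5.126.0/24 for any HTTP method, while the commit message only needs the hosts "in the purge acl" to reach Varnish. A firewall rule cannot tell PURGE from GET, so after this change the purge ACL in the VCL is the only control over who can evict cached pages; consider listing the wiki hosts explicitly, as the rsync rules above do for `192.168.1.59`, or at least extending the comment to say that the VCL ACL is the real restriction. Keeping 6082 on 127.0.0.1 only is right.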
> diff --git a/inventory/group_vars/proxies-stg
> b/inventory/group_vars/proxies-stg
> index 1b8fef2..2520ff1 100644
> --- a/inventory/group_vars/proxies-stg
> +++ b/inventory/group_vars/proxies-stg
> @@ -33,10 +33,14 @@ custom_rules: [
> '-A INPUT -p tcp -m tcp -s 10.5.126.13 --dport 873 -j ACCEPT',
> '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
>
> - # only allow varnish from localhost
> + # allow varnish from localhost
> '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT',
> '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
>
> + # also allow varnish from internal for purge requests
> + '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT',
> + '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 6081 -j ACCEPT',
> +
> # Allow koschei.cloud to talk to the inbound fedmsg relay.
> '-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.151 -j ACCEPT',
> # Allow jenkins.cloud to talk to the inbound fedmsg relay.
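Review bot: This hunk duplicates the production rule set verbatim, including both /24 ranges. What matters here is where the staging wiki hosts that will send PURGEs live; if they sit in only one of the two subnets, the other range can be left out of the staging group. If the two groups are meant to stay identical, putting the purge-source rules in a shared variable would keep them from drifting when the ranges are tightened later.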
>
>
>
> ========================== PATCH 2/2 ==========================
commit 2d8118cb4b20d4f5341cb4bb4028c38bb2353122
Author: Patrick Uiterwijk <puiterwijk at redhat.com>
Date: Thu Mar 5 00:56:10 2015 +0000
Fix mediawiki to determine proxies and send correct PURGE requests
As commented: wgSquidServers is the set it sends a PURGE request to
diff --git a/roles/mediawiki/templates/LocalSettings.php.fp.j2 b/roles/mediawiki/templates/LocalSettings.php.fp.j2
index a8e0142..2c46482 100644
--- a/roles/mediawiki/templates/LocalSettings.php.fp.j2
+++ b/roles/mediawiki/templates/LocalSettings.php.fp.j2
@@ -322,9 +322,10 @@ $wgSkipSkins = array("chick", "cologneblue", "monobook", "myskin", "nostalgia",
$wgSVGConverter = 'rsvg';
-#We use apache, but apparently it's the same difference
+# This series of settings is used for reverse proxies
$wgUseSquid = true;
-$wgSquidServers = array(
+# The SquidNoPurge setting is used to determine reverse proxies
+$wgSquidServersNoPurge = array(
{% if environment == "staging" %}
# proxy01.stg
"10.5.126.88",
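Review bot: The comment on the renamed array undersells a security-relevant setting: MediaWiki treats the addresses in `$wgSquidServersNoPurge` (and in `$wgSquidServers`) as trusted proxies whose `X-Forwarded-For` value is taken as the client IP, which is also why these entries must stay bare IPs with no port, as the cover note says. Since the purge entries in the next hunk carry `:6081` and so no longer match a proxy's source address, this list now has to hold every live proxy on its own. Suggest rewording to something like `# Proxies MediaWiki trusts for X-Forwarded-For; bare IPs only, purging is configured in $wgSquidServers below` so the next editor does not put the port back.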
@@ -368,7 +369,32 @@ $wgSquidServers = array(
"192.168.1.17",
{% endif %}
);
-$wgSquidServersNoPurge = array('127.0.0.1');
+# This setting is used to send PURGE requests to varnish on reverse proxies upon page changes
+$wgSquidServers = array(
+{% if environment == "staging" %}
+ # proxy01.stg
+ "10.5.126.88:6081",
+{% else %}
+ # proxy01
+ "10.5.126.52:6081",
+ # proxy02
+ "192.168.1.12:6081",
+ # proxy03
+ "192.168.1.7:6081",
+ # proxy04
+ "192.168.1.14:6081",
+ # proxy06
+ "192.168.1.63:6081",
+ # proxy07
+ "192.168.1.52:6081",
+ # proxy08
+ "192.168.1.78:6081",
+ # proxy09
+ "192.168.1.15:6081",
+ # proxy10
+ "10.5.126.51:6081",
+{% endif %}
+);
$wgSquidMaxage = 432000;
# Don't add rel="nofollow"
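Review bot: Removing `$wgSquidServersNoPurge = array('127.0.0.1');` drops 127.0.0.1 from the trusted-proxy list, so any local proxy on the wiki host would from now on be seen as the client itself rather than as a proxy; confirm nothing proxies locally. The new purge list also does not line up with the trusted list above it: `192.168.1.17` appears in the `$wgSquidServersNoPurge` context at the top of this hunk but has no `:6081` entry here, and the numbering skips proxy05. If 192.168.1.17 is still a live proxy it will keep serving stale pages after edits; if it is not, drop it from the NoPurge list as well. Finally, these PURGEs go out unauthenticated over plain HTTP to port 6081, so the Varnish purge ACL must contain the wiki hosts' source addresses for the new entries to take effect.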