
launchpad-reviewers team mailing list archive

[Merge] ~cjwatson/launchpad:charm-librarian-restricted-frontend-relation into launchpad:master


Colin Watson has proposed merging ~cjwatson/launchpad:charm-librarian-restricted-frontend-relation into launchpad:master.

Commit message:
charm: Separate restricted librarian vhost configuration

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/448400

I'd hoped to avoid this and to be able to combine the public and restricted librarians onto a single set of IP addresses, but the restricted librarian relies on wildcard DNS (*.restricted.launchpadlibrarian.net etc.), and Let's Encrypt only supports wildcard SANs if you're using the DNS-01 challenge type, which I don't think we can easily arrange in our environment.  As such, we'll need separate frontends for each of the public and restricted librarians, which means having a separate implementation of the `vhost-config` interface for each of them.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:charm-librarian-restricted-frontend-relation into launchpad:master.
diff --git a/charm/launchpad-librarian/metadata.yaml b/charm/launchpad-librarian/metadata.yaml
index f114ffa..520008b 100644
--- a/charm/launchpad-librarian/metadata.yaml
+++ b/charm/launchpad-librarian/metadata.yaml
@@ -21,3 +21,5 @@ provides:
     interface: http
   vhost-config:
     interface: apache-vhost-config
+  restricted-vhost-config:
+    interface: apache-vhost-config
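Review bot: `restricted-vhost-config` and `vhost-config` now share the `apache-vhost-config` interface, so nothing in metadata.yaml tells an operator which frontend application should be related to which endpoint; a one-line comment above each (e.g. "publishes the `*.restricted.` wildcard vhosts; relate the restricted frontends here") would prevent the two from being wired backwards, which would expose the restricted vhosts on the public frontend's addresses.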
diff --git a/charm/launchpad-librarian/reactive/launchpad-librarian.py b/charm/launchpad-librarian/reactive/launchpad-librarian.py
index 2cd20c0..7675da2 100644
--- a/charm/launchpad-librarian/reactive/launchpad-librarian.py
+++ b/charm/launchpad-librarian/reactive/launchpad-librarian.py
@@ -337,3 +337,44 @@ def configure_vhost():
 )
 def deconfigure_vhost():
     remove_state("launchpad.vhost.configured")
+
+
+@when(
+    "config.set.domain_librarian",
+    "restricted-vhost-config.available",
+    "service.configured",
+)
+@when_not("launchpad.restricted-vhost.configured")
+def configure_restricted_vhost():
+    vhost_config = endpoint_from_flag("restricted-vhost-config.available")
+    config = dict(hookenv.config())
+    config["domain_librarian_aliases"] = yaml.safe_load(
+        config["domain_librarian_aliases"]
+    )
+    vhost_config.publish_vhosts(
+        [
+            vhost_config.make_vhost(
+                80,
+                templating.render(
+                    "vhosts/restricted-librarian-http.conf.j2", None, config
+                ),
+            ),
+            vhost_config.make_vhost(
+                443,
+                templating.render(
+                    "vhosts/restricted-librarian-https.conf.j2", None, config
+                ),
+            ),
+        ]
+    )
+    set_state("launchpad.restricted-vhost.configured")
+
+
+@when("launchpad.restricted-vhost.configured")
+@when_not_all(
+    "config.set.domain_librarian",
+    "restricted-vhost-config.available",
+    "service.configured",
+)
+def deconfigure_restricted_vhost():
+    remove_state("launchpad.restricted-vhost.configured")
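Review bot: `configure_restricted_vhost` repeats the config-dict construction from `configure_vhost` (`config = dict(hookenv.config())` followed by the `yaml.safe_load` of `domain_librarian_aliases`), yet the two restricted templates added in this MP only reference `domain_librarian` and `ssl_chain_required`, so the aliases parse is dead work here. Either drop those three lines or factor the dict construction into a small helper shared by both handlers so the two vhost publishers cannot drift apart; the `@when` / `@when_not_all` flag sets otherwise mirror the existing `vhost-config` pair correctly, and this relies on `endpoint_from_flag`, `templating` and `yaml` already being imported for `configure_vhost`.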
diff --git a/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2 b/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2
index e36fc5f..eadba68 100644
--- a/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2
+++ b/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2
@@ -23,15 +23,3 @@
     ProxyPassReverse / balancer://cached-launchpad-librarian-download/
 </VirtualHost>
 
-<VirtualHost *:80>
-    ServerName wildcard.restricted.{{ domain_librarian }}
-    ServerAlias *.restricted.{{ domain_librarian }}
-
-    CustomLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-access.log combined
-    ErrorLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-error.log
-
-    # The restricted librarian is only available over HTTPS.
-    RewriteEngine on
-    RewriteRule ^/(.*)$ - [R=403,L]
-</VirtualHost>
-
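Review bot: removing the `*.restricted.{{ domain_librarian }}` block from the public HTTP template changes what the public frontend does with those names while DNS still points at it: instead of the explicit `R=403` catch-all, Apache will hand such requests to whichever `*:80` vhost is first in the public configuration. That is harmless once the wildcard DNS records move to the new restricted frontends, but the cutover order matters (deploy and relate the restricted frontends, switch DNS, then land this removal), and it may be worth keeping a 403 catch-all for the restricted names on the public side until that is done.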
diff --git a/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2 b/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2
index 2fd8431..5cdfe66 100644
--- a/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2
+++ b/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2
@@ -35,40 +35,3 @@
     ProxyPassReverse / balancer://cached-launchpad-librarian-download/
 </VirtualHost>
 
-<VirtualHost *:443>
-    ServerName wildcard.restricted.{{ domain_librarian }}
-    ServerAlias *.restricted.{{ domain_librarian }}
-
-    SSLEngine on
-    SSLCertificateFile /etc/ssl/certs/{{ domain_librarian }}.crt
-    SSLCertificateKeyFile /etc/ssl/private/{{ domain_librarian }}.key
-{%- if ssl_chain_required %}
-    SSLCertificateChainFile /etc/ssl/private/{{ domain_librarian }}_chain.crt
-{%- endif %}
-
-    CustomLog /var/log/apache2/{{ domain_librarian }}-access.log combined
-    ErrorLog /var/log/apache2/{{ domain_librarian }}-error.log
-
-    # Make build log files auto-decompress and be viewable from the browser.
-    <Location ~ ".*/buildlog_[^/]*\.txt\.gz">
-        AddEncoding x-gzip gz
-    </Location>
-
-    SetEnv force-proxy-request-1.0 1
-
-    ProxyRequests off
-    <Proxy *>
-        Require all granted
-    </Proxy>
-
-    ProxyPreserveHost on
-    # nocanon per https://portal.admin.canonical.com/C42560 to avoid
-    # problems with Launchpad's handling of e.g. %2B.
-    ProxyPass / balancer://cached-launchpad-librarian-download/ nocanon
-    ProxyPassReverse / balancer://cached-launchpad-librarian-download/
-
-    <Location />
-        Header set Cache-Control "max-age=604800"
-    </Location>
-</VirtualHost>
-
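Review bot: same cutover concern as for the HTTP template, but with higher stakes on 443: once this `<VirtualHost *:443>` block is gone, a TLS request carrying SNI for `*.restricted.{{ domain_librarian }}` that still reaches the public frontend will be served by the first public `*:443` vhost (including its `ProxyPass` to `balancer://cached-launchpad-librarian-download/`) rather than by a vhost dedicated to the restricted hostnames. Please confirm that the public frontend's remaining vhosts do not proxy those hostnames through to the restricted download path, or sequence the DNS move before this removal.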
diff --git a/charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2 b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2
new file mode 100644
index 0000000..3613a8b
--- /dev/null
+++ b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2
@@ -0,0 +1,12 @@
+<VirtualHost *:80>
+    ServerName wildcard.restricted.{{ domain_librarian }}
+    ServerAlias *.restricted.{{ domain_librarian }}
+
+    CustomLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-access.log combined
+    ErrorLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-error.log
+
+    # The restricted librarian is only available over HTTPS.
+    RewriteEngine on
+    RewriteRule ^/(.*)$ - [R=403,L]
+</VirtualHost>
+
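Review bot: the log file names here (`wildcard.restricted.{{ domain_librarian }}-access.log` / `-error.log`) differ from the HTTPS counterpart in this MP, which logs to plain `{{ domain_librarian }}-access.log` / `-error.log`; now that the restricted vhosts live on their own frontends, using the `wildcard.restricted.` prefix in both templates would keep restricted traffic identifiable in logs without cross-referencing the vhost. Minor: the new file ends with an extra blank line (the `+` on its last line), which matches the files the blocks were moved from but can be dropped for a new file.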
diff --git a/charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2 b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2
new file mode 100644
index 0000000..f1d7dd8
--- /dev/null
+++ b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2
@@ -0,0 +1,37 @@
+<VirtualHost *:443>
+    ServerName wildcard.restricted.{{ domain_librarian }}
+    ServerAlias *.restricted.{{ domain_librarian }}
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/certs/{{ domain_librarian }}.crt
+    SSLCertificateKeyFile /etc/ssl/private/{{ domain_librarian }}.key
+{%- if ssl_chain_required %}
+    SSLCertificateChainFile /etc/ssl/private/{{ domain_librarian }}_chain.crt
+{%- endif %}
+
+    CustomLog /var/log/apache2/{{ domain_librarian }}-access.log combined
+    ErrorLog /var/log/apache2/{{ domain_librarian }}-error.log
+
+    # Make build log files auto-decompress and be viewable from the browser.
+    <Location ~ ".*/buildlog_[^/]*\.txt\.gz">
+        AddEncoding x-gzip gz
+    </Location>
+
+    SetEnv force-proxy-request-1.0 1
+
+    ProxyRequests off
+    <Proxy *>
+        Require all granted
+    </Proxy>
+
+    ProxyPreserveHost on
+    # nocanon per https://portal.admin.canonical.com/C42560 to avoid
+    # problems with Launchpad's handling of e.g. %2B.
+    ProxyPass / balancer://cached-launchpad-librarian-download/ nocanon
+    ProxyPassReverse / balancer://cached-launchpad-librarian-download/
+
+    <Location />
+        Header set Cache-Control "max-age=604800"
+    </Location>
+</VirtualHost>
+
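Review bot: the certificate paths are identical to the public template's (`/etc/ssl/certs/{{ domain_librarian }}.crt`, `/etc/ssl/private/{{ domain_librarian }}.key`), but per the MP description the restricted frontend needs a certificate that covers the `*.restricted.{{ domain_librarian }}` wildcard SAN, obtained differently from the public one; the new frontends must therefore install that wildcard certificate under a file name that suggests it is the public domain's certificate. A restricted-specific path, or a template variable for the certificate name, would make the two deployments harder to confuse. Two smaller points carried over verbatim from the removed block and worth a conscious decision now that this is a dedicated restricted vhost: `Header set Cache-Control "max-age=604800"` applies to every response, and the log file names lack the `wildcard.restricted.` prefix used by the HTTP template.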