launchpad-reviewers team mailing list archive
Message #30345
[Merge] ~cjwatson/launchpad:charm-librarian-restricted-frontend-relation into launchpad:master
Colin Watson has proposed merging ~cjwatson/launchpad:charm-librarian-restricted-frontend-relation into launchpad:master.
Commit message:
charm: Separate restricted librarian vhost configuration
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/448400
I'd hoped to avoid this and to be able to combine the public and restricted librarians onto a single set of IP addresses, but the restricted librarian relies on wildcard DNS (*.restricted.launchpadlibrarian.net etc.), and Let's Encrypt only supports wildcard SANs if you're using the DNS-01 challenge type, which I don't think we can easily arrange in our environment. As such, we'll need separate frontends for each of the public and restricted librarians, which means having a separate implementation of the `vhost-config` interface for each of them.
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:charm-librarian-restricted-frontend-relation into launchpad:master.
diff --git a/charm/launchpad-librarian/metadata.yaml b/charm/launchpad-librarian/metadata.yaml
index f114ffa..520008b 100644
--- a/charm/launchpad-librarian/metadata.yaml
+++ b/charm/launchpad-librarian/metadata.yaml
@@ -21,3 +21,5 @@ provides:
interface: http
vhost-config:
interface: apache-vhost-config
+ restricted-vhost-config:
+ interface: apache-vhost-config
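Review bot: the new `restricted-vhost-config` endpoint carries the same `apache-vhost-config` interface as the existing `vhost-config`, but nothing in this diff records that the two are meant to be related to different frontend applications (the merge description explains why: the restricted names need a wildcard SAN the public frontend's certificate won't have). If the charm has a README or relation documentation, add a sentence there saying `restricted-vhost-config` should be related to a separate frontend that serves `*.restricted.<domain_librarian>`, so an operator doesn't relate both endpoints to one frontend.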
diff --git a/charm/launchpad-librarian/reactive/launchpad-librarian.py b/charm/launchpad-librarian/reactive/launchpad-librarian.py
index 2cd20c0..7675da2 100644
--- a/charm/launchpad-librarian/reactive/launchpad-librarian.py
+++ b/charm/launchpad-librarian/reactive/launchpad-librarian.py
@@ -337,3 +337,44 @@ def configure_vhost():
)
def deconfigure_vhost():
remove_state("launchpad.vhost.configured")
+
+
+@when(
+ "config.set.domain_librarian",
+ "restricted-vhost-config.available",
+ "service.configured",
+)
+@when_not("launchpad.restricted-vhost.configured")
+def configure_restricted_vhost():
+ vhost_config = endpoint_from_flag("restricted-vhost-config.available")
+ config = dict(hookenv.config())
+ config["domain_librarian_aliases"] = yaml.safe_load(
+ config["domain_librarian_aliases"]
+ )
+ vhost_config.publish_vhosts(
+ [
+ vhost_config.make_vhost(
+ 80,
+ templating.render(
+ "vhosts/restricted-librarian-http.conf.j2", None, config
+ ),
+ ),
+ vhost_config.make_vhost(
+ 443,
+ templating.render(
+ "vhosts/restricted-librarian-https.conf.j2", None, config
+ ),
+ ),
+ ]
+ )
+ set_state("launchpad.restricted-vhost.configured")
+
+
+@when("launchpad.restricted-vhost.configured")
+@when_not_all(
+ "config.set.domain_librarian",
+ "restricted-vhost-config.available",
+ "service.configured",
+)
+def deconfigure_restricted_vhost():
+ remove_state("launchpad.restricted-vhost.configured")
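Review bot: `configure_restricted_vhost` duplicates the body of `configure_vhost` above it except for the endpoint flag, the state name and the two template file names; consider factoring the shared body into a helper (for example `_publish_vhosts(endpoint_flag, template_prefix)`, name hypothetical) so the two handlers cannot drift apart. Also, `config["domain_librarian_aliases"] = yaml.safe_load(...)` is evaluated here but neither `restricted-librarian-http.conf.j2` nor `restricted-librarian-https.conf.j2` in this diff references `domain_librarian_aliases`, so that parsing can be dropped from the restricted handler (or kept with a comment saying it is there only for parity with the public handler).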
diff --git a/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2 b/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2
index e36fc5f..eadba68 100644
--- a/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2
+++ b/charm/launchpad-librarian/templates/vhosts/librarian-http.conf.j2
@@ -23,15 +23,3 @@
ProxyPassReverse / balancer://cached-launchpad-librarian-download/
</VirtualHost>
-<VirtualHost *:80>
- ServerName wildcard.restricted.{{ domain_librarian }}
- ServerAlias *.restricted.{{ domain_librarian }}
-
- CustomLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-access.log combined
- ErrorLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-error.log
-
- # The restricted librarian is only available over HTTPS.
- RewriteEngine on
- RewriteRule ^/(.*)$ - [R=403,L]
-</VirtualHost>
-
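Review bot: removing this block changes what the public port-80 frontend does with a request whose `Host` is under `*.restricted.{{ domain_librarian }}`: it used to get an explicit 403, and after this change it is handled by the first `<VirtualHost *:80>` in the file, which is Apache's default for unmatched names. That is harmless once DNS for the restricted names points at the new frontend, but until then such requests are treated like public librarian requests; it would help to state the intended rollout order (deploy the restricted frontend, move DNS, then land this removal) in the merge description.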
diff --git a/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2 b/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2
index 2fd8431..5cdfe66 100644
--- a/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2
+++ b/charm/launchpad-librarian/templates/vhosts/librarian-https.conf.j2
@@ -35,40 +35,3 @@
ProxyPassReverse / balancer://cached-launchpad-librarian-download/
</VirtualHost>
-<VirtualHost *:443>
- ServerName wildcard.restricted.{{ domain_librarian }}
- ServerAlias *.restricted.{{ domain_librarian }}
-
- SSLEngine on
- SSLCertificateFile /etc/ssl/certs/{{ domain_librarian }}.crt
- SSLCertificateKeyFile /etc/ssl/private/{{ domain_librarian }}.key
-{%- if ssl_chain_required %}
- SSLCertificateChainFile /etc/ssl/private/{{ domain_librarian }}_chain.crt
-{%- endif %}
-
- CustomLog /var/log/apache2/{{ domain_librarian }}-access.log combined
- ErrorLog /var/log/apache2/{{ domain_librarian }}-error.log
-
- # Make build log files auto-decompress and be viewable from the browser.
- <Location ~ ".*/buildlog_[^/]*\.txt\.gz">
- AddEncoding x-gzip gz
- </Location>
-
- SetEnv force-proxy-request-1.0 1
-
- ProxyRequests off
- <Proxy *>
- Require all granted
- </Proxy>
-
- ProxyPreserveHost on
- # nocanon per https://portal.admin.canonical.com/C42560 to avoid
- # problems with Launchpad's handling of e.g. %2B.
- ProxyPass / balancer://cached-launchpad-librarian-download/ nocanon
- ProxyPassReverse / balancer://cached-launchpad-librarian-download/
-
- <Location />
- Header set Cache-Control "max-age=604800"
- </Location>
-</VirtualHost>
-
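Review bot: as with the port-80 template, once this block is gone a TLS connection with SNI for a `*.restricted.{{ domain_librarian }}` name that still reaches the public frontend is served by the first `<VirtualHost *:443>` in the file. Per the merge description that frontend's Let's Encrypt certificate will not carry the wildcard SAN, so clients would see a certificate name mismatch rather than a clean 403 during the DNS cutover; worth confirming that is the accepted failure mode, and worth checking the frontend's own logs for those names after the switch to verify nothing is still pointed at it.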
diff --git a/charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2 b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2
new file mode 100644
index 0000000..3613a8b
--- /dev/null
+++ b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-http.conf.j2
@@ -0,0 +1,12 @@
+<VirtualHost *:80>
+ ServerName wildcard.restricted.{{ domain_librarian }}
+ ServerAlias *.restricted.{{ domain_librarian }}
+
+ CustomLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-access.log combined
+ ErrorLog /var/log/apache2/wildcard.restricted.{{ domain_librarian }}-error.log
+
+ # The restricted librarian is only available over HTTPS.
+ RewriteEngine on
+ RewriteRule ^/(.*)$ - [R=403,L]
+</VirtualHost>
+
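Review bot: the file ends with an extra empty line after `</VirtualHost>` (the last `+` line is blank); drop it, or at least keep it consistent with the public templates. Functionally the block is moved verbatim from `librarian-http.conf.j2`, and since it is the only `*:80` vhost published to the restricted frontend it also acts as that frontend's default vhost, so every plaintext request reaching it gets the 403 from `RewriteRule ^/(.*)$ - [R=403,L]` regardless of `Host`, which is what the comment in the block intends.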
diff --git a/charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2 b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2
new file mode 100644
index 0000000..f1d7dd8
--- /dev/null
+++ b/charm/launchpad-librarian/templates/vhosts/restricted-librarian-https.conf.j2
@@ -0,0 +1,37 @@
+<VirtualHost *:443>
+ ServerName wildcard.restricted.{{ domain_librarian }}
+ ServerAlias *.restricted.{{ domain_librarian }}
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/{{ domain_librarian }}.crt
+ SSLCertificateKeyFile /etc/ssl/private/{{ domain_librarian }}.key
+{%- if ssl_chain_required %}
+ SSLCertificateChainFile /etc/ssl/private/{{ domain_librarian }}_chain.crt
+{%- endif %}
+
+ CustomLog /var/log/apache2/{{ domain_librarian }}-access.log combined
+ ErrorLog /var/log/apache2/{{ domain_librarian }}-error.log
+
+ # Make build log files auto-decompress and be viewable from the browser.
+ <Location ~ ".*/buildlog_[^/]*\.txt\.gz">
+ AddEncoding x-gzip gz
+ </Location>
+
+ SetEnv force-proxy-request-1.0 1
+
+ ProxyRequests off
+ <Proxy *>
+ Require all granted
+ </Proxy>
+
+ ProxyPreserveHost on
+ # nocanon per https://portal.admin.canonical.com/C42560 to avoid
+ # problems with Launchpad's handling of e.g. %2B.
+ ProxyPass / balancer://cached-launchpad-librarian-download/ nocanon
+ ProxyPassReverse / balancer://cached-launchpad-librarian-download/
+
+ <Location />
+ Header set Cache-Control "max-age=604800"
+ </Location>
+</VirtualHost>
+
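Review bot: the log names in `CustomLog /var/log/apache2/{{ domain_librarian }}-access.log combined` and the matching `ErrorLog` line omit the `wildcard.restricted.` prefix that the port-80 template uses, so on any frontend that also defines a vhost for `{{ domain_librarian }}` these logs would be shared with it; rename them to `wildcard.restricted.{{ domain_librarian }}-access.log` and `-error.log` to match. Two settings carried over from the deleted block also deserve a second look now that this vhost stands on its own: `Header set Cache-Control "max-age=604800"` replaces whatever `Cache-Control` the backend sends, so responses for restricted files become cacheable by any intermediary for a week unless the backend's own policy is meant to be overridden here; and `SSLCertificateFile /etc/ssl/certs/{{ domain_librarian }}.crt` reuses the public domain's file name even though, per the description, this frontend needs a different (wildcard) certificate, so a distinct name such as `wildcard.restricted.{{ domain_librarian }}.crt` would make that requirement explicit to whoever installs it. The trailing blank line at the end of the file can also go.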