ocf_www: proxy apphost vhosts directly from nginx

oliver-ni · oliver-ni · commit 4bd670bed5b3 · 2026-04-06T05:22:44.000-07:00
Have nginx talk to apphost.ocf.berkeley.edu directly instead of
going through Apache. Apache no longer needs SSL support so drop
apache::mod::ssl and ocf_www::ssl.
diff --git a/modules/ocf_www/files/build-vhosts b/modules/ocf_www/files/build-vhosts
@@ -417,14 +417,9 @@ def main():
 
         web_vhosts = get_vhosts()
 
-        # Apache config (existing behavior)
+        # Apache config (web vhosts only; apphost vhosts are proxied
+        # directly by nginx and don't need Apache backend vhosts)
         apache_config = build_config(
-            prod_app_vhosts,
-            jinja_env.get_template('vhost-web.jinja'),
-            dev_config=args.dev,
-        )
-        apache_config += '\n\n'
-        apache_config += build_config(
             web_vhosts,
             jinja_env.get_template('vhost-web.jinja'),
             dev_config=args.dev,
diff --git a/modules/ocf_www/files/vhost-web-nginx.jinja b/modules/ocf_www/files/vhost-web-nginx.jinja
@@ -22,6 +22,18 @@ server {
     location / {
         {% if vhost.is_redirect %}
         return {{vhost.redirect_type}} {{vhost.redirect_dest}}$request_uri;
+        {% elif vhost.is_apphost and vhost.disabled %}
+        proxy_pass http://127.0.0.1:{{backend_port}};
+        proxy_set_header Host unavailable.ocf.berkeley.edu;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        {% elif vhost.is_apphost %}
+        proxy_pass https://apphost.ocf.berkeley.edu;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
         {% else %}
         proxy_pass http://127.0.0.1:{{backend_port}};
         proxy_set_header Host $host;
@@ -40,7 +52,7 @@ server {
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Real-IP $remote_addr;
-        proxy_pass http://127.0.0.1:{{backend_port}};
+        proxy_pass https://apphost.ocf.berkeley.edu;
     }
     {% endfor %}
 
diff --git a/modules/ocf_www/files/vhost-web.jinja b/modules/ocf_www/files/vhost-web.jinja
@@ -9,12 +9,6 @@
         # 301 redirects are more correct, but get cached forever by dumb browsers.
         # Doesn't matter too much for vhosts.
         RewriteRule ^(.*)$ {{vhost.redirect_dest}}$1 [L,R={{vhost.redirect_type}}]
-    {% elif vhost.is_apphost %}
-        RequestHeader set X-Forwarded-Proto https
-        ProxyPreserveHost On
-        SSLProxyEngine on
-        # Proxy to apphost server
-        ProxyPass / https://apphost.ocf.berkeley.edu/ upgrade=websocket
     {% elif vhost.disabled %}
         # Proxy to the local "unavailable" vhost, which serves up a friendly
         # "your website is rekt" page.
diff --git a/modules/ocf_www/manifests/init.pp b/modules/ocf_www/manifests/init.pp
@@ -69,13 +69,8 @@
       backport_on => 'stretch';
   }
 
-  # Apache no longer serves SSL directly (nginx handles it), but mod_ssl is
-  # still needed for SSLProxyEngine (outbound HTTPS to apphost).
-  include apache::mod::ssl
-
   include ocf_www::lets_encrypt
   include ocf_www::logging
-  include ocf_www::ssl
 
   # sites
   include ocf_www::site::ocfweb_redirects
