feat(ocf_www): move nginx to 80/443, apache to backend-only

Author: oliver-ni

modules/ocf_www/files/vhost-web-nginx.jinja

@@ -1,10 +1,9 @@
 # {{vhost.comment}}
-# CR-soon oliverni: move to 80/443
 
 {% if vhost.ssl %}
 server {
-    listen 8443 ssl http2;
-    listen [::]:8443 ssl http2;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name "{{vhost.fqdn}}";
 
     ssl_certificate {{vhost.ssl.bundle}};
@@ -32,15 +31,28 @@ server {
         {% endif %}
     }
 
+    {% for ws_location in vhost.websocket_locations %}
+    location /{{ws_location}} {
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_pass http://127.0.0.1:{{backend_port}};
+    }
+    {% endfor %}
+
     access_log /var/log/nginx/vhost-access.log vhost;
 }
 {% endif %}
 
 {% if not vhost.ssl or vhost.is_redirect %}
 # HTTP (redirect or non-SSL)
 server {
-    listen 8080;
-    listen [::]:8080;
+    listen 80;
+    listen [::]:80;
     server_name "{{vhost.fqdn}}";
 
     location /.well-known/ {

modules/ocf_www/files/vhost-web.jinja

@@ -1,18 +1,8 @@
 # {{vhost.comment}}
-{% set ports = [vhost.port, backend_port] if vhost.ssl else [vhost.port] %}
-{% for port in ports %}
-<VirtualHost *:{{port}}>
+<VirtualHost 127.0.0.1:{{backend_port}}>
     ServerName {{vhost.fqdn}}
     ServerAdmin {{vhost.contact_email}}
 
-    {% if vhost.ssl and port != backend_port %}
-        # SSL
-        SSLEngine on
-        SSLCertificateFile {{vhost.ssl.bundle}}
-        SSLCertificateKeyFile {{vhost.ssl.key}}
-        Protocols h2 http/1.1
-    {% endif %}
-
     {% if vhost.is_redirect %}
         RewriteEngine on
         RewriteCond %{REQUEST_URI} !^/\.well-known/
@@ -29,7 +19,7 @@
         # Proxy to the local "unavailable" vhost, which serves up a friendly
         # "your website is rekt" page.
         RequestHeader set Host unavailable.ocf.berkeley.edu
-        ProxyPass / http://127.0.0.1/
+        ProxyPass / http://127.0.0.1:{{backend_port}}/
     {% else %}
         DocumentRoot {{vhost.docroot}}
 
@@ -61,4 +51,3 @@
 
     UserDir disabled
 </VirtualHost>
-{% endfor %}

modules/ocf_www/manifests/init.pp

@@ -12,28 +12,31 @@
 # www.ocf.berkeley.edu, which is by far the most complicated domain.
 #
 # Nginx sits in front of Apache for slowloris protection.
-# CR-soon oliverni: swap nginx to 80/443, apache to 127.0.0.1:$backend_port only
+# Nginx handles 80/443, Apache only listens on 127.0.0.1:$backend_port.
 class ocf_www {
   # Port Apache listens on as nginx's backend (plain HTTP on localhost).
   # Must match BACKEND_PORT in build-vhosts.
-  # Phase 2: make this the only Apache port and bind to 127.0.0.1.
   $backend_port = 16767
+
+  # All Apache vhosts are backend-only (nginx handles 80/443).
+  Apache::Vhost {
+    ip   => '127.0.0.1',
+    port => $backend_port,
+  }
+
   include ocf::acct
   include ocf::extrapackages
   include ocf::firewall::allow_web
   include ocf::limits
   include ocf::tmpfs
   include ocf::ssl::default
 
-  # enables the http2 module
-  apache::mod { 'http2': }
-
   class { 'ocf::nfs':
     cron => false,
     web  => false,
   }
 
-  # nginx reverse proxy (test ports for now)
+  # nginx reverse proxy
   include ocf_www::nginx
 
   class {
@@ -66,8 +69,9 @@
       backport_on => 'stretch';
   }
 
-  # Restart apache if any cert changes occur
-  Class['ocf::ssl::default'] ~> Class['Apache::Service']
+  # Apache no longer serves SSL directly (nginx handles it), but mod_ssl is
+  # still needed for SSLProxyEngine (outbound HTTPS to apphost).
+  include apache::mod::ssl
 
   include ocf_www::lets_encrypt
   include ocf_www::logging

modules/ocf_www/manifests/nginx.pp

@@ -1,15 +1,12 @@
 # Nginx reverse proxy in front of Apache for slowloris protection.
-# CR-soon oliverni: move to 80/443, put apache on 127.0.0.1:$backend_port
 #
 # Static vhosts (www, shorturl, etc.) are defined here.
 # Dynamic user vhosts come from build-vhosts via /etc/nginx/ocf-vhost.conf.
 class ocf_www::nginx {
   include ocf::ssl::default
-  include ocf_www::nginx::firewall
 
-  # CR-soon oliverni: change listen/ssl ports to 80/443
-  $http_port = 8080
-  $ssl_port  = 8443
+  $http_port = 80
+  $ssl_port  = 443
 
   $backend = "http://127.0.0.1:${ocf_www::backend_port}"
 

modules/ocf_www/manifests/nginx/firewall.pp

@@ -21,42 +21,11 @@
     ],
   }
 
-  apache::vhost { 'accounts':
-    *         => $accounts_options,
-    port      => 443,
-    ssl       => true,
-    headers   => ['always set Strict-Transport-Security max-age=31536000'],
-    ssl_key   => "/etc/ssl/private/${::fqdn}.key",
-    ssl_cert  => "/etc/ssl/private/${::fqdn}.crt",
-    ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate",
-  }
-
-  # nginx backend (plain HTTP on localhost)
   apache::vhost { 'accounts-backend':
-    *    => $accounts_options,
-    port => $ocf_www::backend_port,
-  }
-
-  apache::vhost { 'accounts-http-redirect':
-    servername      => 'accounts.ocf.berkeley.edu',
-    serveraliases   => [
-      'dev-accounts',
-      'dev-accounts.ocf.berkeley.edu',
-      'accounts',
-    ],
-    port            => 80,
-    docroot         => '/var/www/html',
-
-    redirect_status => 'permanent',
-    redirect_dest   => $accounts_canonical_url;
+    * => $accounts_options,
   }
 
   # wiki
-  $wiki_canonical_url = $::host_env ? {
-    'dev'  => 'https://dev-wiki.ocf.berkeley.edu/',
-    'prod' => 'https://wiki.ocf.berkeley.edu/',
-  }
-
   $wiki_options = {
     servername    => 'wiki.ocf.berkeley.edu',
     serveraliases => ['dev-wiki.ocf.berkeley.edu'],
@@ -67,42 +36,11 @@
     ],
   }
 
-  apache::vhost { 'wiki':
-    *         => $wiki_options,
-    port      => 443,
-    ssl       => true,
-    headers   => ['always set Strict-Transport-Security max-age=31536000'],
-    ssl_key   => "/etc/ssl/private/${::fqdn}.key",
-    ssl_cert  => "/etc/ssl/private/${::fqdn}.crt",
-    ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate",
-  }
-
-  # nginx backend (plain HTTP on localhost)
   apache::vhost { 'wiki-backend':
-    *    => $wiki_options,
-    port => $ocf_www::backend_port,
-  }
-
-  apache::vhost { 'wiki-http-redirect':
-    servername      => 'wiki.ocf.berkeley.edu',
-    serveraliases   => [
-      'dev-wiki',
-      'dev-wiki.ocf.berkeley.edu',
-      'wiki',
-    ],
-    port            => 80,
-    docroot         => '/var/www/html',
-
-    redirect_status => 'permanent',
-    redirect_dest   => $wiki_canonical_url;
+    * => $wiki_options,
   }
 
   # hello
-  $hello_canonical_url = $::host_env ? {
-    'dev'  => 'https://dev-hello.ocf.berkeley.edu/',
-    'prod' => 'https://hello.ocf.berkeley.edu/',
-  }
-
   $hello_options = {
     servername    => 'hello.ocf.berkeley.edu',
     serveraliases => [
@@ -118,35 +56,7 @@
     ],
   }
 
-  apache::vhost { 'hello':
-    *         => $hello_options,
-    port      => 443,
-    ssl       => true,
-    headers   => ['always set Strict-Transport-Security max-age=31536000'],
-    ssl_key   => "/etc/ssl/private/${::fqdn}.key",
-    ssl_cert  => "/etc/ssl/private/${::fqdn}.crt",
-    ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate",
-  }
-
-  # nginx backend (plain HTTP on localhost)
   apache::vhost { 'hello-backend':
-    *    => $hello_options,
-    port => $ocf_www::backend_port,
-  }
-
-  apache::vhost { 'hello-http-redirect':
-    servername      => 'hello.ocf.berkeley.edu',
-    serveraliases   => [
-      'dev-hello',
-      'dev-hello.ocf.berkeley.edu',
-      'dev-staff.ocf.berkeley.edu',
-      'hello',
-      'staff.ocf.berkeley.edu',
-    ],
-    port            => 80,
-    docroot         => '/var/www/html',
-
-    redirect_status => 'permanent',
-    redirect_dest   => $hello_canonical_url;
+    * => $hello_options,
   }
 }

modules/ocf_www/manifests/site/ocfweb_redirects.pp

@@ -1,9 +1,4 @@
 class ocf_www::site::shorturl {
-  $canonical_url = $::host_env ? {
-    'dev'  => 'https://dev-ocf-io.ocf.berkeley.edu/',
-    'prod' => 'https://ocf.io/',
-  }
-
   $shorturl_options = {
     servername    => 'ocf.io',
     serveraliases => ['dev-ocf-io.ocf.berkeley.edu', 'www.ocf.io'],
@@ -171,30 +166,7 @@
     ],
   }
 
-  apache::vhost { 'shorturl':
-    *         => $shorturl_options,
-    port      => 443,
-    ssl       => true,
-    headers   => ['always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"'],
-    ssl_key   => "/etc/ssl/private/${::fqdn}.key",
-    ssl_cert  => "/etc/ssl/private/${::fqdn}.crt",
-    ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate",
-  }
-
-  # nginx backend (plain HTTP on localhost)
   apache::vhost { 'shorturl-backend':
-    *    => $shorturl_options,
-    port => $ocf_www::backend_port,
-  }
-
-  # canonical redirects
-  apache::vhost { 'shorturl-http-redirect':
-    servername      => 'ocf.io',
-    serveraliases   => ['dev-ocf-io.ocf.berkeley.edu', 'www.ocf.io'],
-    port            => 80,
-    docroot         => '/var/www/html',
-
-    redirect_status => 'permanent',
-    redirect_dest   => $canonical_url;
+    * => $shorturl_options,
   }
 }

modules/ocf_www/manifests/site/shorturl.pp

@@ -39,24 +39,7 @@
     ],
   }
 
-  apache::vhost { 'unavailable':
-    *    => $options,
-    port => 80,
-  }
-
-  apache::vhost { 'https-unavailable':
-    *         => $options,
-    port      => 443,
-
-    ssl       => true,
-    ssl_key   => "/etc/ssl/private/${::fqdn}.key",
-    ssl_cert  => "/etc/ssl/private/${::fqdn}.crt",
-    ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate",
-  }
-
-  # nginx backend (plain HTTP on localhost)
   apache::vhost { 'unavailable-backend':
-    *    => $options,
-    port => $ocf_www::backend_port,
+    * => $options,
   }
 }