feat(ocf_www): move nginx to 80/443, apache to backend-only

feat(ocf_www): move nginx to 80/443, apache to backend-only

Author: jaysa68

modules/ocf_www/files/build-vhosts

@@ -417,15 +417,18 @@ def main():
 
         web_vhosts = get_vhosts()
 
-        # Apache config (existing behavior)
+        # Exclude web vhosts that overlap with app vhosts (app vhosts
+        # take priority and are proxied directly to apphost by nginx)
+        web_only_vhosts = {
+            domain: conf
+            for domain, conf in web_vhosts.items()
+            if domain not in prod_app_vhosts
+        }
+
+        # Apache config (web-only vhosts; apphost vhosts are proxied
+        # directly by nginx and don't need Apache backend vhosts)
         apache_config = build_config(
-            prod_app_vhosts,
-            jinja_env.get_template('vhost-web.jinja'),
-            dev_config=args.dev,
-        )
-        apache_config += '\n\n'
-        apache_config += build_config(
-            web_vhosts,
+            web_only_vhosts,
             jinja_env.get_template('vhost-web.jinja'),
             dev_config=args.dev,
         )
@@ -438,7 +441,7 @@ def main():
         )
         nginx_config += '\n\n'
         nginx_config += build_config(
-            web_vhosts,
+            web_only_vhosts,
             jinja_env.get_template('vhost-web-nginx.jinja'),
             dev_config=args.dev,
         )

modules/ocf_www/files/vhost-web-nginx.jinja

@@ -1,10 +1,9 @@
 # {{vhost.comment}}
-# CR-soon oliverni: move to 80/443
 
 {% if vhost.ssl %}
 server {
-    listen 8443 ssl http2;
-    listen [::]:8443 ssl http2;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name "{{vhost.fqdn}}";
 
     ssl_certificate {{vhost.ssl.bundle}};
@@ -32,15 +31,28 @@ server {
         {% endif %}
     }
 
+    {% for ws_location in vhost.websocket_locations %}
+    location /{{ws_location}} {
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_pass http://127.0.0.1:{{backend_port}};
+    }
+    {% endfor %}
+
     access_log /var/log/nginx/vhost-access.log vhost;
 }
 {% endif %}
 
-{% if not vhost.ssl or vhost.is_redirect %}
+{% if not vhost.ssl %}
 # HTTP (redirect or non-SSL)
 server {
-    listen 8080;
-    listen [::]:8080;
+    listen 80;
+    listen [::]:80;
     server_name "{{vhost.fqdn}}";
 
     location /.well-known/ {
@@ -50,12 +62,11 @@ server {
     location / {
         {% if vhost.is_redirect %}
         return {{vhost.redirect_type}} {{vhost.redirect_dest}}$request_uri;
-        {% elif vhost.ssl %}
-        return 301 {{vhost.canonical_url}}$request_uri;
         {% else %}
         proxy_pass http://127.0.0.1:{{backend_port}};
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Real-IP $remote_addr;
         {% endif %}
     }

modules/ocf_www/files/vhost-web.jinja

@@ -1,35 +1,17 @@
+{% if not vhost.is_redirect %}
 # {{vhost.comment}}
-{% set ports = [vhost.port, backend_port] if vhost.ssl else [vhost.port] %}
-{% for port in ports %}
-<VirtualHost *:{{port}}>
+<VirtualHost 127.0.0.1:{{backend_port}}>
     ServerName {{vhost.fqdn}}
     ServerAdmin {{vhost.contact_email}}
 
-    {% if vhost.ssl and port != backend_port %}
-        # SSL
-        SSLEngine on
-        SSLCertificateFile {{vhost.ssl.bundle}}
-        SSLCertificateKeyFile {{vhost.ssl.key}}
-        Protocols h2 http/1.1
-    {% endif %}
+    # Trust X-Forwarded-Proto from nginx so %{HTTPS} works in .htaccess
+    SetEnvIf X-Forwarded-Proto "https" HTTPS=on
 
-    {% if vhost.is_redirect %}
-        RewriteEngine on
-        RewriteCond %{REQUEST_URI} !^/\.well-known/
-        # 301 redirects are more correct, but get cached forever by dumb browsers.
-        # Doesn't matter too much for vhosts.
-        RewriteRule ^(.*)$ {{vhost.redirect_dest}}$1 [L,R={{vhost.redirect_type}}]
-    {% elif vhost.is_apphost %}
-        RequestHeader set X-Forwarded-Proto https
-        ProxyPreserveHost On
-        SSLProxyEngine on
-        # Proxy to apphost server
-        ProxyPass / https://apphost.ocf.berkeley.edu/ upgrade=websocket
-    {% elif vhost.disabled %}
+    {% if vhost.disabled %}
         # Proxy to the local "unavailable" vhost, which serves up a friendly
         # "your website is rekt" page.
         RequestHeader set Host unavailable.ocf.berkeley.edu
-        ProxyPass / http://127.0.0.1/
+        ProxyPass / http://127.0.0.1:{{backend_port}}/
     {% else %}
         DocumentRoot {{vhost.docroot}}
 
@@ -61,4 +43,4 @@
 
     UserDir disabled
 </VirtualHost>
-{% endfor %}
+{% endif %}

modules/ocf_www/manifests/init.pp

@@ -12,28 +12,31 @@
 # www.ocf.berkeley.edu, which is by far the most complicated domain.
 #
 # Nginx sits in front of Apache for slowloris protection.
-# CR-soon oliverni: swap nginx to 80/443, apache to 127.0.0.1:$backend_port only
+# Nginx handles 80/443, Apache only listens on 127.0.0.1:$backend_port.
 class ocf_www {
   # Port Apache listens on as nginx's backend (plain HTTP on localhost).
   # Must match BACKEND_PORT in build-vhosts.
-  # Phase 2: make this the only Apache port and bind to 127.0.0.1.
   $backend_port = 16767
+
+  # All Apache vhosts are backend-only (nginx handles 80/443).
+  Apache::Vhost {
+    ip   => '127.0.0.1',
+    port => $backend_port,
+  }
+
   include ocf::acct
   include ocf::extrapackages
   include ocf::firewall::allow_web
   include ocf::limits
   include ocf::tmpfs
   include ocf::ssl::default
 
-  # enables the http2 module
-  apache::mod { 'http2': }
-
   class { 'ocf::nfs':
     cron => false,
     web  => false,
   }
 
-  # nginx reverse proxy (test ports for now)
+  # nginx reverse proxy
   include ocf_www::nginx
 
   class {
@@ -66,8 +69,9 @@
       backport_on => 'stretch';
   }
 
-  # Restart apache if any cert changes occur
-  Class['ocf::ssl::default'] ~> Class['Apache::Service']
+  # Apache no longer serves SSL directly (nginx handles it), but mod_ssl is
+  # still needed for SSLProxyEngine (outbound HTTPS to apphost).
+  include apache::mod::ssl
 
   include ocf_www::lets_encrypt
   include ocf_www::logging

modules/ocf_www/manifests/nginx.pp

@@ -1,15 +1,12 @@
 # Nginx reverse proxy in front of Apache for slowloris protection.
-# CR-soon oliverni: move to 80/443, put apache on 127.0.0.1:$backend_port
 #
 # Static vhosts (www, shorturl, etc.) are defined here.
 # Dynamic user vhosts come from build-vhosts via /etc/nginx/ocf-vhost.conf.
 class ocf_www::nginx {
   include ocf::ssl::default
-  include ocf_www::nginx::firewall
 
-  # CR-soon oliverni: change listen/ssl ports to 80/443
-  $http_port = 8080
-  $ssl_port  = 8443
+  $http_port = 80
+  $ssl_port  = 443
 
   $backend = "http://127.0.0.1:${ocf_www::backend_port}"
 

modules/ocf_www/manifests/nginx/firewall.pp

@@ -2,11 +2,6 @@
 # redirect those sites to the appropriate pages on ocfweb.
 class ocf_www::site::ocfweb_redirects {
   # accounts
-  $accounts_canonical_url = $::host_env ? {
-    'dev'  => 'https://dev-accounts.ocf.berkeley.edu/',
-    'prod' => 'https://accounts.ocf.berkeley.edu/',
-  }
-
   $accounts_options = {
     servername    => 'accounts.ocf.berkeley.edu',
     serveraliases => ['dev-accounts.ocf.berkeley.edu'],
@@ -21,42 +16,11 @@
     ],
   }
 
-  apache::vhost { 'accounts':
-    *         => $accounts_options,
-    port      => 443,
-    ssl       => true,
-    headers   => ['always set Strict-Transport-Security max-age=31536000'],
-    ssl_key   => "/etc/ssl/private/${::fqdn}.key",
-    ssl_cert  => "/etc/ssl/private/${::fqdn}.crt",
-    ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate",
-  }
-
-  # nginx backend (plain HTTP on localhost)
   apache::vhost { 'accounts-backend':
-    *    => $accounts_options,
-    port => $ocf_www::backend_port,
-  }
-
-  apache::vhost { 'accounts-http-redirect':
-    servername      => 'accounts.ocf.berkeley.edu',
-    serveraliases   => [
-      'dev-accounts',
-      'dev-accounts.ocf.berkeley.edu',
-      'accounts',
-    ],
-    port            => 80,
-    docroot         => '/var/www/html',
-
-    redirect_status => 'permanent',
-    redirect_dest   => $accounts_canonical_url;
+    * => $accounts_options,
   }
 
   # wiki
-  $wiki_canonical_url = $::host_env ? {
-    'dev'  => 'https://dev-wiki.ocf.berkeley.edu/',
-    'prod' => 'https://wiki.ocf.berkeley.edu/',
-  }
-
   $wiki_options = {
     servername    => 'wiki.ocf.berkeley.edu',
     serveraliases => ['dev-wiki.ocf.berkeley.edu'],
@@ -67,42 +31,11 @@
     ],
   }
 
-  apache::vhost { 'wiki':
-    *         => $wiki_options,
-    port      => 443,
-    ssl       => true,
-    headers   => ['always set Strict-Transport-Security max-age=31536000'],
-    ssl_key   => "/etc/ssl/private/${::fqdn}.key",
-    ssl_cert  => "/etc/ssl/private/${::fqdn}.crt",
-    ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate",
-  }
-
-  # nginx backend (plain HTTP on localhost)
   apache::vhost { 'wiki-backend':
-    *    => $wiki_options,
-    port => $ocf_www::backend_port,
-  }
-
-  apache::vhost { 'wiki-http-redirect':
-    servername      => 'wiki.ocf.berkeley.edu',
-    serveraliases   => [
-      'dev-wiki',
-      'dev-wiki.ocf.berkeley.edu',
-      'wiki',
-    ],
-    port            => 80,
-    docroot         => '/var/www/html',
-
-    redirect_status => 'permanent',
-    redirect_dest   => $wiki_canonical_url;
+    * => $wiki_options,
   }
 
   # hello
-  $hello_canonical_url = $::host_env ? {
-    'dev'  => 'https://dev-hello.ocf.berkeley.edu/',
-    'prod' => 'https://hello.ocf.berkeley.edu/',
-  }
-
   $hello_options = {
     servername    => 'hello.ocf.berkeley.edu',
     serveraliases => [
@@ -118,35 +51,7 @@
     ],
   }
 
-  apache::vhost { 'hello':
-    *         => $hello_options,
-    port      => 443,
-    ssl       => true,
-    headers   => ['always set Strict-Transport-Security max-age=31536000'],
-    ssl_key   => "/etc/ssl/private/${::fqdn}.key",
-    ssl_cert  => "/etc/ssl/private/${::fqdn}.crt",
-    ssl_chain => "/etc/ssl/private/${::fqdn}.intermediate",
-  }
-
-  # nginx backend (plain HTTP on localhost)
   apache::vhost { 'hello-backend':
-    *    => $hello_options,
-    port => $ocf_www::backend_port,
-  }
-
-  apache::vhost { 'hello-http-redirect':
-    servername      => 'hello.ocf.berkeley.edu',
-    serveraliases   => [
-      'dev-hello',
-      'dev-hello.ocf.berkeley.edu',
-      'dev-staff.ocf.berkeley.edu',
-      'hello',
-      'staff.ocf.berkeley.edu',
-    ],
-    port            => 80,
-    docroot         => '/var/www/html',
-
-    redirect_status => 'permanent',
-    redirect_dest   => $hello_canonical_url;
+    * => $hello_options,
   }
 }