commit f65c9e8735e3b15def0592f4a343c77fbd23f77b
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Wed Jul 31 15:21:04 2019 +0200
Sync kojipkgs
roles/kojipkgs/files/kojipkgs.conf | 87 ---------------------
roles/kojipkgs/files/squid.conf | 35 +++++---
roles/kojipkgs/tasks/main.yml | 71 +++--------------
roles/kojipkgs/templates/kojipkgs.conf | 133 ++++++++++++++++++++++++++++++++
4 files changed, 168 insertions(+), 158 deletions(-)
---
diff --git a/roles/kojipkgs/files/squid.conf b/roles/kojipkgs/files/squid.conf
index 4e0b01e..a515ffc 100644
--- a/roles/kojipkgs/files/squid.conf
+++ b/roles/kojipkgs/files/squid.conf
@@ -1,8 +1,7 @@
http_port 80 accel
defaultsite=kojipkgs.fedoraproject.org
-https_port 443 accel
defaultsite=kojipkgs.fedoraproject.org
cert=/etc/pki/tls/certs/wildcard-2014.squid.cert
key=/etc/pki/tls/private/wildcard-2014.fedoraproject.org.key
cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
options=NO_SSLv2,NO_SSLv3
+https_port 443 accel
defaultsite=kojipkgs.rpmfusion.org
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=kojipkgs
-hierarchy_stoplist cgi-bin ?
cache_swap_low 98
cache_swap_high 99
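Review bot: The `http_port 80 accel defaultsite=kojipkgs.fedoraproject.org` line at the top of the hunk is kept as context while the new `https_port` line switches `defaultsite` to `kojipkgs.rpmfusion.org`, so plain-HTTP requests without a Host header are still accelerated under the Fedora site name; change it to `http_port 80 accel defaultsite=kojipkgs.rpmfusion.org`. The wrapped `cert=/etc/pki/tls/certs/wildcard-2014.squid.cert` and `key=/etc/pki/tls/private/wildcard-2014.fedoraproject.org.key` arguments appear to belong to the `https_port` line; if the new line keeps them, squid presents a certificate for the wrong domain, so confirm the rpmfusion certificate path here. `options=NO_SSLv2,NO_SSLv3` is the only protocol restriction visible, so TLS 1.0 and 1.1 presumably remain enabled on 443; adding the corresponding `NO_TLSv1` option is worth considering when the line is touched anyway.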
@@ -36,9 +35,9 @@ acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
-acl our_sites dstdomain
kojipkgs.fedoraproject.org kojipkgs01.phx2.fedoraproject.org
-acl phx2 src 10.5.125.0/24 10.5.127.0/24
-acl pdc src 10.5.126.134/32
+acl our_sites dstdomain
kojipkgs.rpmfusion.org kojipkgs01.online.rpmfusion.org
+acl online_stg src 192.168.0.0/16
+acl online src 192.168.0.0/16
acl repo_url urlpath_regex -i ^/repo/
acl kojipkgs urlpath_regex -i \.(rpm|log|sig)$
acl mash urlpath_regex -i ^/mash/
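Review bot: The acl added here is named `online_stg` (underscore) but the rule added in the next hunk is `http_access allow online-stg repo_url` (hyphen), so squid will reject the configuration at startup with an undefined-ACL error; rename one side, e.g. `http_access allow online_stg repo_url`. The removed `acl pdc src 10.5.126.134/32` is still referenced by the unchanged `http_access allow pdc compose` in the third hunk, which is the same class of error. Both new acls cover the identical `192.168.0.0/16` range, so the "online and stg builders" distinction in the next hunk's comment has no effect and the entire private /16 gets access to `/repo/`; if only the builders need it, narrow each acl to their actual subnets.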
@@ -48,8 +47,9 @@ acl compose urlpath_regex -i ^/compose/
# Here is where we use the above acls
#
-# Allow phx2 to repos dir and deny everyone else
-http_access allow phx2 repo_url
+# Allow online and stg builders in the createrepo channel to repos dir and deny everyone
else
+http_access allow online repo_url
+http_access allow online-stg repo_url
http_access deny repo_url
# Only allow cachemanager from localhost
@@ -59,6 +59,10 @@ http_access deny cachemanager
# Let the pdc-backend inspect the composes
http_access allow pdc compose
+# Let the proxies access things
+http_access allow proxies
+follow_x_forwarded_for allow proxies
+
# Do not allow non safe ports or connect on anything but ssl ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
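Review bot: `http_access allow proxies` is inserted ahead of `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports`, and squid stops at the first matching `http_access` line, so requests arriving from the `proxies` acl bypass the port and CONNECT restrictions entirely; move the two added lines below those deny rules. No `acl proxies` definition appears anywhere in this diff; it may live in the unchanged part of squid.conf, but if not this is another undefined-ACL startup error. `follow_x_forwarded_for allow proxies` makes squid trust the X-Forwarded-For header from those hosts, which is only sound if the proxies themselves overwrite the client-supplied value rather than pass it through.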
@@ -77,6 +81,10 @@ cache_peer_access kojipkgs deny all
cache deny mash
cache deny compose
+# Do not cache any non-redistributable content
+# (this would cache the HIT for sign-bridge and then serve it to others)
+cache deny nonredist
+
# Do cache all rpms/log/sigs otherwise
cache allow kojipkgs
cache deny all
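Review bot: `cache deny nonredist` references an acl that is not defined in any hunk of this diff; unless `acl nonredist` exists in the unchanged part of squid.conf, squid will refuse to start. The comment above it explains the rule in terms of `sign-bridge`, a Fedora-infrastructure host, so either the acl and comment should be adapted to what this deployment actually excludes from caching or the block should be dropped.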
@@ -87,13 +95,14 @@ coredump_dir /var/spool/squid
pid_filename /var/run/squid/squid.pid
# Run in smp mode with 8 workers
-workers 8
+# smp mode seems to cause problems with partial downloads and hangs.
+#workers 8
# In smp mode you have to specify per worker cache dirs
# Also you have to manually run squid -z -F -f /etc/squid/squid.conf
# to create these dirs.
-if ${process_number} = 9
- # nothing
-else
- cache_dir ufs /var/spool/squid/${process_number} 10000 16 256
-endif
+#if ${process_number} = 9
+# # nothing
+#else
+# cache_dir ufs /var/spool/squid/${process_number} 10000 16 256
+#endif
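Review bot: Commenting out the per-worker `cache_dir` block without adding a replacement leaves squid with no on-disk cache at all, so `cache allow kojipkgs` only populates the memory cache and every miss goes back to the origin; if that is not intended, add a single non-SMP store such as `cache_dir ufs /var/spool/squid 10000 16 256`. The surviving comments ("Run in smp mode with 8 workers", "you have to manually run squid -z") now describe disabled configuration and should be reworded or removed so the next reader does not follow them.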
diff --git a/roles/kojipkgs/tasks/main.yml b/roles/kojipkgs/tasks/main.yml
index 816ca0d..2987cc0 100644
--- a/roles/kojipkgs/tasks/main.yml
+++ b/roles/kojipkgs/tasks/main.yml
@@ -1,75 +1,26 @@
-#
-# This is before squid is installed on initial setup so it runs on squid install
-#
-- name: add squid tmpfiles.d to make run dir for smp ipc sockets.
- copy: src=squid-tmpfiles dest=/etc/tmpfiles.d/squid.conf owner=root group=root
mode=644
- tags:
- - packages
- - kojipkgs
-
-- name: install squid server packages
- yum: name={{ item }} state=present
- with_items:
- - squid
- - httpd
- - mod_ssl
- - libsemanage-python
- tags:
- - packages
- - kojipkgs
-
-- name: make nfs mount directories
- file: state=directory path={{ item }} owner=root group=root mode=755
- with_items:
- - /mnt/rpmfusion_koji
- - /mnt/rpmfusion_app
- - /mnt/rpmfusion_app/app
- - /pub
- tags:
- - kojipkgs
-
-- name: make mnt/koji directory
- file: state=link src=/mnt/rpmfusion_koji/koji dest=/mnt/koji owner=root group=root
- tags:
- - kojipkgs
-
-- name: set seboolean for squid server
- seboolean: name=httpd_can_network_connect state=true persistent=true
- tags:
- - kojipkgs
-
- name: set seboolean for nfs httpd
seboolean: name=httpd_use_nfs state=true persistent=true
tags:
- kojipkgs
-- name: install squid config files
- copy: src={{ item }} dest=/etc/squid/{{ item }} owner=root group=root mode=644
- with_items:
- - squid.conf
- - cachemgr.conf
- notify:
- - restart squid
- tags:
- - kojipkgs
-
-- name: install apache config files for squid
+- name: install apache config files for local apache
copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root mode=644
with_items:
- - kojipkgs.conf
- infrastructure.conf
notify:
- reload httpd
tags:
- kojipkgs
-- name: make sure httpd ssl.conf is not around (conflicts with squid)
- file: dest=/etc/httpd/conf.d/ssl.conf state=absent
+- name: install apache config templates for local apache
+ template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root
mode=644
+ with_items:
+ - kojipkgs.conf
notify:
- reload httpd
tags:
- kojipkgs
-
+
- name: make sure httpd listens on port 8080
lineinfile: dest=/etc/httpd/conf/httpd.conf state=present regexp="^Listen 80"
line="Listen 8080"
notify:
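Review bot: The removed `install squid config files` task was the only thing in this role that deployed `squid.conf` and `cachemgr.conf`, yet `roles/kojipkgs/files/squid.conf` is still edited in this same commit; unless a separate squid role now owns that file, the squid changes are dead configuration and the file should move with the task. The `install squid server packages` task that pulled in `squid`, `httpd` and `mod_ssl` is also gone, so package installation must now be guaranteed by another role before the `template`/`copy` tasks here can succeed; that dependency is not visible in this diff. Dropping `make sure httpd ssl.conf is not around` means a leftover `ssl.conf` can bind 443 on this host, which conflicts with squid's `https_port 443` if squid still terminates TLS there.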
@@ -77,8 +28,12 @@
tags:
- kojipkgs
-- name: set squid to start on boot
- service: name=squid enabled=true state=running
+- name: make a mnt/koji link
+ file: state=link src=/mnt/fedora_koji/koji dest=/mnt/koji
+ tags:
+ - kojipkgs
+
+- name: disable welcome.conf giving a 403 on / (needed for monitoring)
+ copy: content="# welcome.conf disabled" dest=/etc/httpd/conf.d/welcome.conf
tags:
- - services
- kojipkgs
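Review bot: The new `make a mnt/koji link` task points `src=/mnt/fedora_koji/koji`, but every other path in this role (the removed mount-directory task and all aliases in the new `templates/kojipkgs.conf`) uses `/mnt/rpmfusion_koji/koji`, so the symlink will dangle on this deployment; change it to `file: state=link src=/mnt/rpmfusion_koji/koji dest=/mnt/koji`. The task that created `/mnt/rpmfusion_koji` is deleted in the first hunk, so the link also depends on that directory being provided elsewhere. The `welcome.conf` copy task sets no `owner`/`group`/`mode`, unlike the other copy tasks in the file; adding `owner=root group=root mode=644` keeps the role's files consistent.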
diff --git a/roles/kojipkgs/templates/kojipkgs.conf
b/roles/kojipkgs/templates/kojipkgs.conf
new file mode 100644
index 0000000..16fe6e9
--- /dev/null
+++ b/roles/kojipkgs/templates/kojipkgs.conf
@@ -0,0 +1,133 @@
+ServerName
https://kojipkgs.fedoraproject.org
+MaxRequestWorkers 512
+ServerLimit 512
+
+RequestHeader unset Accept-Encoding early
+
+CustomLog "| /usr/sbin/rotatelogs
/var/log/httpd/{{inventory_hostname}}-access.log.%Y-%m-%d 86400" combined
+ErrorLog "| /usr/sbin/rotatelogs
/var/log/httpd/{{inventory_hostname}}-error.log.%Y-%m-%d 86400"
+
+Alias /atomic /mnt/rpmfusion_koji/koji/ostree
+Alias /ostree /mnt/rpmfusion_koji/koji/ostree
+
+<Directory /mnt/rpmfusion_koji/koji/ostree>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /atomic-cd /mnt/rpmfusion_koji/koji/atomic-cd
+
+<Directory /mnt/rpmfusion_koji/koji/atomic-cd>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /packages /mnt/rpmfusion_koji/koji/packages
+Alias /toplink/packages /mnt/rpmfusion_koji/koji/packages
+
+<Directory /mnt/rpmfusion_koji/koji/packages>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /repos-dist /mnt/rpmfusion_koji/koji/repos-dist
+
+<Directory /mnt/rpmfusion_koji/koji/repos-dist>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /repos /mnt/rpmfusion_koji/koji/repos
+
+<Directory /mnt/rpmfusion_koji/koji/repos>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /scratch /mnt/rpmfusion_koji/koji/scratch
+
+<Directory /mnt/rpmfusion_koji/koji/scratch>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /work /mnt/rpmfusion_koji/koji/work
+
+<Directory /mnt/rpmfusion_koji/koji/work>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /mash /mnt/rpmfusion_koji/koji/mash
+
+<Directory /mnt/rpmfusion_koji/koji/mash>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /compose /mnt/rpmfusion_koji/koji/compose
+
+<Directory /mnt/rpmfusion_koji/koji/compose>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /mass-rebuild "/mnt/rpmfusion_koji/koji/mass-rebuild/"
+
+<Directory "/mnt/rpmfusion_koji/koji/mass-rebuild/">
+ Options Indexes FollowSymLinks
+ Require all granted
+</Directory>
+
+Alias /images /mnt/rpmfusion_koji/koji/images
+
+<Directory /mnt/rpmfusion_koji/koji/images>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /rhel /mnt/rpmfusion_koji/rhel
+
+<Directory /mnt/rpmfusion_koji/rhel>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+Alias /pub /pub
+
+<Directory /pub>
+ Options Indexes FollowSymLinks
+ IndexOptions NameWidth=* FancyIndexing
+ FileETag None
+ Require all granted
+</Directory>
+
+# This IP is
sign-bridge01.phx2.fedoraproject.org.
+# It needs to be able to sign openh264 packages.
+RewriteCond %{HTTP:X-Forwarded-For} !10.5.125.71
+RewriteRule
".*/.*openh264.*.(x86_64|armv7hl|i686|ppc64|ppc64le|aarch64|s390x).rpm$"
"https://fedoraproject.org/wiki/non-distributable-rpms" [R=302,L]
+
+# Set HSTS header via HTTP since it cannot be easily set in squid, which terminates
HTTPS
+Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains;
preload"
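Review bot: `ServerName https://kojipkgs.fedoraproject.org` and the `RewriteCond %{HTTP:X-Forwarded-For} !10.5.125.71` exception for `sign-bridge01.phx2.fedoraproject.org` are Fedora values carried into a file whose every alias sits under `/mnt/rpmfusion_koji`; the ServerName should be the rpmfusion host squid now fronts, and the openh264 rewrite block should either be dropped or given this deployment's own signing host. The RewriteCond pattern is an unanchored substring match on a header the client can supply, so if the block is kept it should be anchored (e.g. `!^10\.5\.125\.71$`) and relied on only where the upstream proxy overwrites X-Forwarded-For; there is also no `RewriteEngine On` in this file, so the rule is inert unless enabled elsewhere. `Header always add Strict-Transport-Security` appends rather than replaces, so `Header always set` avoids duplicate HSTS headers if another config also emits one.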