From 0cfedd2318fe50f87506635cb6e1c75e46934c35 Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Wed, 2 Jun 2021 13:25:49 +1000
Subject: [PATCH] Add static eavesdrop.openstack.org site

We are trying to replace eavesdrop01.openstack.org

The main landing page serves meeting information which has been moved
to a static site served from AFS at meetings.opendev.org.  Redirect
everything to there.

The IRC logs are currently still hosted on eavesdrop01, so while we
work on migrating these, proxy meetings.opendev.org/<irclogs|meetings>
to this server.

Note this will be a no-op until we move the DNS, but we should make
the eavesdrop acme records before merging.

Change-Id: I5c9c23e619dbe930a77f657b5cd6fdd862034301
---
 .../host_vars/static01.opendev.org.yaml       |  2 ++
 .../handlers/main.yaml                        |  3 ++
 .../files/50-eavesdrop.openstack.org.conf     | 33 +++++++++++++++++++
 .../static/files/50-meetings.opendev.org.conf |  6 ++++
 playbooks/roles/static/tasks/main.yaml        | 11 +++++++
 testinfra/test_static.py                      |  7 ++++
 6 files changed, 62 insertions(+)
 create mode 100644 playbooks/roles/static/files/50-eavesdrop.openstack.org.conf

diff --git a/inventory/service/host_vars/static01.opendev.org.yaml b/inventory/service/host_vars/static01.opendev.org.yaml
index 5bf870b2fc..93861f73f6 100644
--- a/inventory/service/host_vars/static01.opendev.org.yaml
+++ b/inventory/service/host_vars/static01.opendev.org.yaml
@@ -23,6 +23,8 @@ letsencrypt_certs:
     - docs.openstack.org
   static01-docs-starlingx-io:
     - docs.starlingx.io
+  static01-eavesdrop-openstack-org:
+    - eavesdrop.openstack.org
   static01-glance-openstack-org:
     - glance.openstack.org
   static01-git-airshipit-org:
diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
index 5e70ba75d6..eabc2f589e 100644
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@@ -66,6 +66,9 @@
 - name: letsencrypt updated static01-docs-starlingx-io
   include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
 
+- name: letsencrypt updated static01-eavesdrop-openstack-org
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
 - name: letsencrypt updated static01-glance-openstack-org
   include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
 
diff --git a/playbooks/roles/static/files/50-eavesdrop.openstack.org.conf b/playbooks/roles/static/files/50-eavesdrop.openstack.org.conf
new file mode 100644
index 0000000000..d58ec137ab
--- /dev/null
+++ b/playbooks/roles/static/files/50-eavesdrop.openstack.org.conf
@@ -0,0 +1,33 @@
+<VirtualHost *:80>
+  ServerName eavesdrop.openstack.org
+
+  RewriteEngine On
+
+  RewriteRule ^/(.*) https://meetings.opendev.org/$1 [last,redirect=permanent]
+
+  LogLevel warn
+  ErrorLog /var/log/apache2/eavesdrop.openstack.org_error.log
+  CustomLog /var/log/apache2/eavesdrop.openstack.org_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName eavesdrop.openstack.org
+
+  SSLCertificateFile      /etc/letsencrypt-certs/eavesdrop.openstack.org/eavesdrop.openstack.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/eavesdrop.openstack.org/eavesdrop.openstack.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/eavesdrop.openstack.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  RewriteEngine On
+
+  RewriteRule ^/(.*) https://meetings.opendev.org/$1 [last,redirect=permanent]
+
+  LogLevel warn
+  ErrorLog /var/log/apache2/eavesdrop.openstack.org_error.log
+  CustomLog /var/log/apache2/eavesdrop.openstack.org_access.log combined
+  ServerSignature Off
+</VirtualHost>
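Review bot: `SSLProtocol All -SSLv2 -SSLv3` in the new :443 vhost still leaves the deprecated TLS 1.0 and TLS 1.1 enabled; since this host only issues a redirect, `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` should cost little. On the `SSLCipherSuite` line, `!AES256` permanently removes the AES-256 suites that `ECDH+AES256` and `DH+AES256` add earlier in the same string, so the effective list is narrower than it reads; drop either those two entries or the exclusion. Both lines appear to be copied from the sibling vhosts (the same cipher string is visible as context in 50-meetings.opendev.org.conf), so changing them together in a follow-up may be the better place.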
diff --git a/playbooks/roles/static/files/50-meetings.opendev.org.conf b/playbooks/roles/static/files/50-meetings.opendev.org.conf
index 3be197f9e6..9441d43409 100644
--- a/playbooks/roles/static/files/50-meetings.opendev.org.conf
+++ b/playbooks/roles/static/files/50-meetings.opendev.org.conf
@@ -25,6 +25,12 @@ Define AFS_ROOT /afs/openstack.org/project/meetings.opendev.org
   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
   SSLHonorCipherOrder on
 
+  ProxyPass "/irclogs" "http://eavesdrop01.openstack.org/irclogs" ttl=120 keepalive=On retry=0
+  ProxyPassReverse "/irclogs" "http://eavesdrop01.openstack.org/irclogs"
+
+  ProxyPass "/meetings" "http://eavesdrop01.openstack.org/meetings" ttl=120 keepalive=On retry=0
+  ProxyPassReverse "/meetings" "http://eavesdrop01.openstack.org/meetings"
+
   <Directory ${AFS_ROOT}>
     Options Indexes FollowSymLinks MultiViews
     AllowOverrideList Redirect RedirectMatch
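Review bot: The two `ProxyPass` targets use plain `http://eavesdrop01.openstack.org/...`, so content that visitors receive over TLS from meetings.opendev.org is fetched from the backend unencrypted and unauthenticated, and anything on the path between the two hosts could read or alter it. If eavesdrop01 serves HTTPS with a valid certificate (not visible here), point all four URLs at `https://` and add `SSLProxyEngine on` to this vhost. If plaintext is accepted for the migration period, a comment such as `# TODO: temporary plaintext proxy to eavesdrop01; remove once the IRC logs are migrated` above the block would record that. The enclosing `<VirtualHost>` starts and ends outside this hunk.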
diff --git a/playbooks/roles/static/tasks/main.yaml b/playbooks/roles/static/tasks/main.yaml
index 7135fb914b..d0dab8af65 100644
--- a/playbooks/roles/static/tasks/main.yaml
+++ b/playbooks/roles/static/tasks/main.yaml
@@ -61,6 +61,16 @@
     state: present
     name: headers
 
+- name: Proxy module
+  apache2_module:
+    state: present
+    name: proxy
+
+- name: HTTP Proxy module
+  apache2_module:
+    state: present
+    name: proxy_http
+
 - name: Copy apache tuning
   copy:
     src: apache-connection-tuning
@@ -88,6 +98,7 @@
     - 50-docs.opendev.org
     - 50-docs.openstack.org
     - 50-docs.starlingx.io
+    - 50-eavesdrop.openstack.org
     - 50-governance.openstack.org
     - 50-glance.openstack.org
     - 50-horizon.openstack.org
diff --git a/testinfra/test_static.py b/testinfra/test_static.py
index 444452b768..5545becd41 100644
--- a/testinfra/test_static.py
+++ b/testinfra/test_static.py
@@ -226,6 +226,13 @@ def test_meetings_opendev_org(host):
                    'https://meetings.opendev.org/')
     assert 'IRC channels and meetings' in cmd.stdout
 
+def test_eavesdrop_openstack_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve eavesdrop.openstack.org:443:127.0.0.1 '
+                   'https://eavesdrop.openstack.org/')
+    assert '301 Moved Permanently' in cmd.stdout
+    assert 'https://meetings.opendev.org' in cmd.stdout
+
 ci_redirects = (
     ('/jenkins-job-builder', 'https://docs.openstack.org/infra/jenkins-job-builder'),
     ('/nodepool', 'https://docs.openstack.org/infra/nodepool'),
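Review bot: `test_eavesdrop_openstack_org` only requests `/`, so it does not show that the `^/(.*)` rewrite carries the path across, which is what keeps existing deep links working. A second request for `https://eavesdrop.openstack.org/irclogs/` with `assert 'https://meetings.opendev.org/irclogs/' in cmd.stdout` would pin that. The port-80 vhost added in the same commit is not exercised either. The assertions presumably match the HTML body of Apache's default 301 page, since curl is run without `--include`, so a short comment saying so would help the next reader.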