From ffb88e54c5e4e30fa61ea1009f3eee62f98ab17c Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 27 Feb 2013 23:46:58 -0800 Subject: openvpn -- added support for optional "free" rate-limited service via special client certificates with the FREE prefix in the common name. --- puppet/modules/site_webapp/templates/config.yml.erb | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet/modules/site_webapp/templates') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 9cf85f0c..cd67d1fd 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,5 +1,13 @@ +<%- cert_options = @webapp['client_certificates'] -%> production: admins: [admin] domain: <%= @provider_domain %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + +cert_options: + client_cert_lifespan: <%= cert_options['life_span'].to_i %> + client_cert_bit_size: <%= cert_options['bit_size'].to_i %> + client_cert_hash: <%= cert_options['digest'] %> + free_certs_enabled: <%= @webapp['allow_free'].inspect %> + free_cert_prefix: "<%= cert_options['free_prefix'] %>" -- cgit v1.2.3 From ad62cfdad04c8f8ed9d6454f716c92e850ac53ba Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 17 Mar 2013 13:15:51 -0700 Subject: added support for "limited" service levels (although vpn is not yet actually rate limited). --- puppet/modules/site_webapp/templates/config.yml.erb | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'puppet/modules/site_webapp/templates') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index cd67d1fd..af778212 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb 
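Review bot: `free_certs_enabled: <%= @webapp['allow_free'].inspect %>` renders the literal `nil` when `allow_free` is not set, and YAML reads `nil` as the string "nil", which is truthy in Ruby — so an unconfigured provider would most likely end up with free certificates enabled rather than disabled. Rendering an explicit boolean avoids that: `free_certs_enabled: <%= (@webapp['allow_free'] == true).inspect %>` (assuming the value arrives as a real boolean; if hiera hands over the string "true" the comparison needs adjusting). The `.to_i` calls on `life_span` and `bit_size` have the same shape of problem: `nil.to_i` is `0`, so a missing key silently becomes a zero lifespan or zero key size instead of failing the catalog, whereas `Integer(cert_options['life_span'])` raises on nil or non-numeric input. The same `.inspect` pattern is reused for `allow_limited_certs`, `allow_unlimited_certs` and `allow_anonymous_certs` in the following commit's hunk.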
@@ -6,8 +6,11 @@ production: client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> cert_options: - client_cert_lifespan: <%= cert_options['life_span'].to_i %> - client_cert_bit_size: <%= cert_options['bit_size'].to_i %> - client_cert_hash: <%= cert_options['digest'] %> - free_certs_enabled: <%= @webapp['allow_free'].inspect %> - free_cert_prefix: "<%= cert_options['free_prefix'] %>" + client_cert_lifespan: <%= cert_options['life_span'].to_i %> + client_cert_bit_size: <%= cert_options['bit_size'].to_i %> + client_cert_hash: <%= cert_options['digest'] %> + allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %> + allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %> + allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %> + limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" + unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" -- cgit v1.2.3 From fbae857865f3e2d61d9e55693c5cce411f7565ca Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 18 Mar 2013 18:24:16 +0100 Subject: Webapp: Use stunnel localhost:5000 for couchdb connection --- puppet/modules/site_webapp/templates/couchdb.yml.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_webapp/templates') diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index ee521713..d9ecb4b2 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -1,8 +1,8 @@ production: prefix: "" - protocol: 'https' + protocol: 'http' host: <%= @couchdb_host %> - port: 6984 + port: 5000 username: <%= @couchdb_user %> password: <%= @couchdb_password %> -- cgit v1.2.3 From 1d14c34e7f4456452d289b23eb1d2ebf00de11b2 Mon Sep 17 00:00:00 2001 
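Review bot: `limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"` and `unlimited_cert_prefix` render as `""` when the key is absent from `client_certificates`, and an empty prefix would presumably match every common name if the webapp does a plain prefix comparison — a misconfiguration that is invisible in the rendered file. `cert_options.fetch('limited_prefix')` (and likewise for `unlimited_prefix`) raises on a missing key, so the failure surfaces at catalog compile time instead. The five re-added lines are textually identical to the removed ones, so the commit's change to them must be indentation, which this rendering does not show; worth confirming they sit at the intended level under `cert_options:`.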
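Review bot: `protocol: 'http'` together with `port: 5000` hardcodes the local stunnel endpoint while `host: <%= @couchdb_host %>` stays templated, so if `@couchdb_host` ever resolves to anything but the loopback address the webapp sends its CouchDB credentials in plaintext over the network. Either pin the host alongside the port or make the assumption explicit with a comment, e.g. `# http on purpose: the local stunnel on localhost:5000 carries TLS to couchdb`, so the next reader does not "fix" the protocol back to https against a port that speaks plaintext. The commit title mentions localhost but the template itself does not.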
From: Micah Anderson Date: Tue, 19 Mar 2013 14:26:58 -0400 Subject: turn off automatic updates of couchdb design docs (#1979) --- puppet/modules/site_webapp/templates/couchdb.yml.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_webapp/templates') diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index d9ecb4b2..3ae255b0 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -3,6 +3,7 @@ production: protocol: 'http' host: <%= @couchdb_host %> port: 5000 + auto_update_design_doc: false username: <%= @couchdb_user %> password: <%= @couchdb_password %> -- cgit v1.2.3 From f1b405b503a76526551ac0110cad8798de46dfd8 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 16:09:34 -0400 Subject: configure site_webapp::haproxy to ship a haproxy config::fragment to setup the haproxy listener 'bigcouch-in'. This haproxy listener is configured to listen on port 4096 (arbitrarily chosen) and balance across the locally configured stunnels to the bigcouch instances It may be that we will need some additional haproxy options for handling persistence, cookies, or other HTTP headers, I'm unsure as of this moment --- .../site_webapp/templates/haproxy_couchdb.cfg.erb | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb (limited to 'puppet/modules/site_webapp/templates') diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb new file mode 100644 index 00000000..a9bdb923 --- /dev/null +++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb 
@@ -0,0 +1,16 @@ + +listen bigcouch-in + mode http + balance roundrobin + + option httplog + option dontlognull + option tcplog + + bind localhost:4096 +<% for port in @local_ports -%> + server couchdb_<%=port%> localhost:<%=port%> +<% end -%> + + + -- cgit v1.2.3 From fe8085f670eb3bca10c5bb0d9890e00a0d9c59d9 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 16:37:56 -0400 Subject: configure webapp haproxy couchdb connection --- puppet/modules/site_webapp/templates/couchdb.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_webapp/templates') diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index 3ae255b0..4855abd8 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -2,7 +2,7 @@ production: prefix: "" protocol: 'http' host: <%= @couchdb_host %> - port: 5000 + port: <%= @couchdb_port %> auto_update_design_doc: false username: <%= @couchdb_user %> password: <%= @couchdb_password %> -- cgit v1.2.3 From 9c1c74c359f80cf0e61b62befee0ec5cc04ab4c3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 19 Mar 2013 17:41:37 -0400 Subject: create a separate couchdb.yml.admin that contains the couchdb admin privileges, putting the unprivileged ones in as user webapp in couchdb.yml. This allows us to migrate the couchdb design docs on deployment, but use an unprivileged user the remainder of the time --- puppet/modules/site_webapp/templates/couchdb.yml.admin.erb | 9 +++++++++ puppet/modules/site_webapp/templates/couchdb.yml.erb | 4 ++-- 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/site_webapp/templates/couchdb.yml.admin.erb (limited to 'puppet/modules/site_webapp/templates') 
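Review bot: `option httplog` and `option tcplog` are both set on the `bigcouch-in` listener; as far as I recall HAProxy treats them as alternative log formats and the last one wins, so `option tcplog` would silently override the HTTP format on a `mode http` listener. Keep only `option httplog` here. The file also starts with one empty line and ends with three, which the `-%>` trims in the loop are clearly meant to avoid, and a comment such as `# local haproxy front for the stunnel-wrapped bigcouch nodes; @local_ports comes from the manifest` would tell a reader where the server list comes from.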
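Review bot: `port: <%= @couchdb_port %>` renders as `port:` — a YAML null — when `@couchdb_port` is undefined in the manifest, which the CouchDB client would then most likely treat as a missing port rather than a configuration error. `port: <%= Integer(@couchdb_port) %>` fails the template render on nil or a non-numeric value instead. Whether an unset Puppet variable arrives here as nil or as `:undef` depends on the Puppet version, so the check is worth testing against the deployed one.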
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb new file mode 100644 index 00000000..a0921add --- /dev/null +++ b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb @@ -0,0 +1,9 @@ +production: + prefix: "" + protocol: 'http' + host: <%= @couchdb_host %> + port: <%= @couchdb_port %> + auto_update_design_doc: false + username: <%= @couchdb_admin_user %> + password: <%= @couchdb_admin_password %> + diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index 4855abd8..2bef0af5 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -4,6 +4,6 @@ production: host: <%= @couchdb_host %> port: <%= @couchdb_port %> auto_update_design_doc: false - username: <%= @couchdb_user %> - password: <%= @couchdb_password %> + username: <%= @couchdb_webapp_user %> + password: <%= @couchdb_webapp_password %> -- cgit v1.2.3 From 994c0212e86c60fa0f83c379308618b901d240c1 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 9 Apr 2013 14:04:25 -0400 Subject: add a httpchk line to haproxy to properly test if the couchdb is available add the useful http-server-close option set check option on the servers, with a 3 second interval, a one second fastinter (for flapping) and a one second downinter. Set the number of checks for failure to be one (so it will take 3 seconds for a node to fail out) and 2 checks to come back --- puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_webapp/templates') diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb index a9bdb923..f08161ee 100644 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb 
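Review bot: `password: <%= @couchdb_admin_password %>` in the new `couchdb.yml.admin.erb` is an unquoted plain scalar, so a generated password that happens to be all digits, starts with `*`, `&`, `[` or `{`, or contains `: ` or ` #` is retyped or breaks the YAML parse; the same applies to `username:` and to the `@couchdb_webapp_user`/`@couchdb_webapp_password` lines in the second hunk of this commit. Quote the interpolated values, e.g. `password: "<%= @couchdb_admin_password %>"`, keeping in mind that a value containing a double quote or backslash still needs escaping. Since this file carries the CouchDB admin credentials, the manifest that installs it (outside this diff) should also restrict its mode and owner more tightly than the webapp-user file.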
+++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb @@ -2,14 +2,14 @@ listen bigcouch-in mode http balance roundrobin - option httplog option dontlognull - option tcplog - + option httpchk GET / + option http-server-close + bind localhost:4096 <% for port in @local_ports -%> - server couchdb_<%=port%> localhost:<%=port%> + server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 <% end -%> -- cgit v1.2.3 From 7b6882212da16b7f3e778919f6c8c018c6d1111b Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 16 Apr 2013 13:58:43 -0400 Subject: move secret token into the config.yaml --- puppet/modules/site_webapp/templates/config.yml.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_webapp/templates') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index af778212..83348d94 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -4,6 +4,7 @@ production: domain: <%= @provider_domain %> client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + secret_token: "<%= @secret_token %>" cert_options: client_cert_lifespan: <%= cert_options['life_span'].to_i %> -- cgit v1.2.3 From 14dae1c1f5e2f12a37c6a4e71a89ef2f6a784712 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 22 Apr 2013 15:36:45 -0700 Subject: webapp -- fixed bug in configuration --- puppet/modules/site_webapp/templates/config.yml.erb | 2 -- 1 file changed, 2 deletions(-) (limited to 'puppet/modules/site_webapp/templates') diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 83348d94..df562cd9 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb 
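Review bot: the server line `check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1` encodes the whole failure policy the commit message explains, but none of that reasoning reaches the file, and `option httpchk GET /` leaves the success criterion implicit (HAProxy counts 2xx/3xx as up). A short comment above the loop, e.g. `# probe / every 3s; one failed probe takes a node out, two successes bring it back`, keeps that intent with the config. If the deployed HAProxy supports it, `http-check expect status 200` makes the expected CouchDB response explicit rather than accepting any redirect as healthy.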
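Review bot: `secret_token: "<%= @secret_token %>"` relies on double quotes to keep the token a string, but a token containing a double quote or backslash would terminate or escape the YAML string and change the value silently. If the token is generated as hex or base64-style alphanumerics this cannot happen, which is worth stating next to the line, e.g. `# quoted so an all-digit token stays a string; the generator must not emit double quotes or backslashes`; otherwise escape it, e.g. `secret_token: '<%= @secret_token.gsub("'", "''") %>'`. Rendering the token into this file puts it on disk in both the catalog and the config; the manifest's file mode (outside this hunk) is what protects it.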
@@ -5,8 +5,6 @@ production: client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> secret_token: "<%= @secret_token %>" - -cert_options: client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> client_cert_hash: <%= cert_options['digest'] %> -- cgit v1.2.3