Commit Graph

34 Commits

Author SHA1 Message Date
Monty Taylor bb91e9cd68 Retire repo
Depends-On: https://review.opendev.org/720892
Change-Id: Ie5c4c64b1eb37054a6a3dcaa9bb4cb36c81e53ef
2020-04-22 10:18:55 -05:00
Colleen Murphy cec0248653 Fix scope of vhost template variables
Dynamic scoping for variables in ERB templates was removed in puppet
4[1] which means that the variables defined in the
manifest cannot be found when it is referenced in
the httpd::vhost defined type and will be evaluated as nil when
puppet runs. Use the scope object instead to be explicit about the
variable's source. The scope object and scope.lookupvar return :undef
instead of nil if the variable is undefined, and we expect it to
sometimes be undefined, so handle that too.

[1] https://puppet.com/docs/puppet/4.10/lang_updating_manifests.html#dynamic-scoping-in-erb

Change-Id: Ie9d943424aafa5d1d09586dc2cb61441c6d2628b
2018-04-28 00:55:00 +02:00
Jeremy Stanley 5b9395aea1 Refuse external connections to the API
The Etherpad API is only useful for authenticated access via the
secret API key, which resides on the server's filesystem. It can
already be accessed from localhost over the nodejs listener socket,
so doesn't need to be reachable through the external Apache proxy.
Refuse connections to it through Apache in an effort to reduce
exposure to future unauthenticated or authentication bypass bugs in
the API implementation.

Change-Id: Ia5cf2f15c21eb397eeb878c81cd3c7a29f5aecbd
2018-04-11 16:45:15 +00:00
Ian Wienand 7cf08e1e39 Xenial: add a service file
Add a service file for later Ubuntu versions.  Centralise the logging
into init.pp as it's not as easy to get logs to file from stdout/err
via systemd.  Fix up the logrotation while we're there

Change-Id: I43ea764d070fb44502bda0c845485769dace6ff3
2017-12-20 14:57:00 +11:00
Clark Boylan f8d123d2ba Fix a couple openid parameters
This needs to be a proper URL. Also, our attempt at looking up the var
was not working; just use the same lookup of vhost_name that is used
elsewhere and known to work.

Change-Id: If906f69688bf4412f50fcfafc05861b957ce42a8
2017-01-06 10:30:49 -08:00
Clark Boylan 9816851524 Support openid authentication
Whether to thwart spam or to make more private pads, add support for a very
simple auth mechanism using mod_auth_openid.

Change-Id: Ife0daf670a20afde46516c60f877e1da8026758a
2016-11-15 14:05:18 -08:00
Yolanda Robla 939595bedc Add missing Gemfile to the project
All our puppet projects rely on a Gemfile for tests
to run. This was missing, so add here as well.

Also fix the linter errors that this new Gemfile
addition is causing.

Change-Id: I24143df44c313ea76472649bb9a6fa0ce4536307
2016-03-11 13:50:36 +01:00
Clark Boylan a22fd5a2a9 Set higher nofile limit for node in init script
You must build additional pylons ... I mean we need more file
descriptors. Set that in upstart directly since it does not respect
limits.conf.

This rewrites the upstart job to be more upstarty so that the limits can
be applied without su undoing the work.

Change-Id: Ibf670f07d75c4ffcf333c971d03c620f839b04d3
2015-10-27 00:13:29 -07:00
James E. Blair 9babba139e Support apache /server-status
Change-Id: I554cd3a219c20f80b45bc9a45c793a0642ad17e6
2015-09-08 10:43:56 -07:00
James E. Blair 605ec41b30 Fix websocket configuration
Enable the proxy_websocket module.

Correct the ProxyPass directives in use with websockets.  The
current versions result in 404 on socket.io.js because they strip
the socket.io component of the path.

Change-Id: I3505b4e9693602ec04baec2487871ce57a6dc7a6
2015-09-02 10:15:11 -07:00
James E. Blair cc8e0cbad8 Switch to proxypass with retry=0 for etherpad
We think Apache may be caching 503 responses (possibly themselves
a result of [1]).  Set retry=0 so that we do not cache any failures
and switch to proxypass so that we can set that option.

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=37770

Change-Id: Ibd1087bc8feb288bfb8f66f4e6de61ebe8414233
2015-08-19 11:19:13 -07:00
Paul Belanger fb1bd34b87 Fix variable access warnings
Change-Id: I53392a930d5d71fadf36388e09b6d8b355865c3f
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-07-09 16:33:01 -04:00
Jenkins 368bc81802 Merge "Add support for Apache mod_proxy_wstunnel" 2015-04-16 14:43:05 +00:00
Jenkins 9ae143a09f Merge "Enable websockets transport on Etherpad" 2015-04-16 14:42:56 +00:00
Clark Boylan e0ecfcd1f7 Don't host robots.txt from etherpad repo install
Updating the robots.txt in the etherpad vcsrepo makes it hard to manage
that repo properly. Solve this by serving the static robots.txt file
directly from apache rather than via etherpad service. Use a mod_rewrite
since we are already using that to set up the proxying.

Change-Id: Iccccf1ef194060490512e6550c22bdb9d3478ba8
2015-03-16 09:45:34 -07:00
Ricardo Carrillo Cruz 9896474346 Add support for Apache mod_proxy_wstunnel
This change allows Apache servers with mod_proxy_wstunnel enabled
to pass thru Websocket connections to Etherpad, providing the
browser supports that.

Change-Id: I4f595f456e0d280c6f05958a36552213dd6cf1e2
2015-02-11 12:33:04 +00:00
Ricardo Carrillo Cruz 9f3f069321 Enable websockets transport on Etherpad
This can enhance the user experience, as most modern web browsers
are capable of using Websockets.
Due to SocketIO fallback mechanism, if Websocket is not available
the next transport in the list will be used, so this change would
still work like before where Websockets is not possible.
Please note that Apache must be able to pass thru websockets to
the Etherpad nodejs server, the module mod_proxy_wstunnel is
needed for that, but it's only available as a package for
Apache 2.4.
I will create another change for etherpad-dev that adds
that module and sync up with infra root members to upgrade the server
to Trusty (it comes with Apache 2.4, Precise still comes with 2.2).

Change-Id: I30f425f7bf7dfeec1a2128e2caf7253459bccc21
2015-01-30 14:35:29 +00:00
Dmitry Teselkin 18db8dc246 Fix vhost configuration sections
According to https://wiki.apache.org/httpd/CommonMisconfigurations
it is wrong to specify server name in opening tag. ServerName
should be used instead.

Indentations also fixed in some files.

Change-Id: Id9d20a672103221efa01be61a174b62706036e57
2014-12-18 19:33:01 +03:00
Timothy Chavez a053ed23ef Use the SSLProtocol blacklist approach
It turns out that specifying the ciphers we want to use leads to
breakage.  So instead we'll explicitly tell Apache which ciphers
we don't want to use.

Change-Id: I0f8211533495a6a4340c01dadb8069ccf9be429c
2014-10-16 11:41:04 -05:00
Clark Boylan 3dc8aad827 Use only TLSv1 and greater to depoodle
The poodle SSLv3 vulnerability is a good reason to stop using SSLv3.
Switch to TLS everywhere in our apache vhost configs.

Change-Id: If7b18174253b6f185e029f97bfa77d8ad4941385
2014-10-14 17:07:06 -07:00
Clark Boylan ebb6eab5d9 Double the node stack size for etherpad lite
Node was running into stack size limit errors at the Atlanta Juno
Summit. The default value for the stack size limit is 984 kBytes; double
this value to 1968 kBytes to hopefully make etherpad-lite more stable.

Change-Id: Ib644e68689e9f6b1e00cb959ff7cf4e5dc553cf6
2014-05-16 09:31:12 -07:00
Monty Taylor 012ad84af6 Allow for etherpad title to be parameterized
The general etherpad_lite module should not contain OpenStack as
a hardcoded title. Parameterize it.

Change-Id: I473720d9566233ab4c8d2081c9835b42ddfcb94e
2014-02-10 15:07:40 -08:00
Clark Boylan 88bb5cd21c Update etherpad and etherpad puppet manifests.
* manifests/site.pp: Pass new mysql DB variables to
openstack::etherpad*.

* modules/etherpad_lite/manifests/apache.pp: Fix broken /etc/ssl/certs
permissions (0700 -> 0755).

* modules/etherpad_lite/manifests/init.pp: Update default nodejs and
etherpad versions. Remove ep_headings plugin install. New plugin define
should be used for this instead. Stop making the etherpad-lite ref to
checkout optional (defaults to develop). Note these changes are probably
not going to be backward compat.

* modules/etherpad_lite/manifests/plugin.pp: Define to install etherpad
lite plugins.

* modules/etherpad_lite/manifests/site.pp: Simplify DB support and
remove support for the dirty DB type.

* modules/etherpad_lite/templates/etherpad-lite_settings.json.erb: Bring
settings erb up to par with latest template.

* modules/etherpad_lite/templates/etherpadlite.vhost.erb: Update rewrite
rules for new etherpad. Instead of allowing nice pad urls rooted at /
redirect these urls to /p/padname. Etherpad does not deal well with a
change in root path as /p/ is hardcoded in many places.

* modules/openstack_project/manifests/etherpad.pp
* modules/openstack_project/manifests/etherpad_dev.pp:
Update to use new etherpad module setup. MySQL DBs are now externally
managed, pass in needed connection info.

* modules/mysql_backup/manifests/backup_remote.pp: New define to backup
remote DB servers.

* modules/mysql_backup/templates/my.cnf.erb: Template for a my.cnf to be
used by the cron in backup_remote.pp. Allows for easy connectivity from
server using MySQL DB as root.

Change-Id: I1250297674b91e81d59cd28c07c52e09967ca548
2013-10-09 16:53:06 -07:00
Clark Boylan e876eb4566 Correct etherpad lite certificates.
Etherpad lite previously attempted to manage its cert files in two
different ways. This created a conflict and puppet would not run
successfully. Remove the old way of managing the cert files.

Change-Id: I9336c6f97d455917f4680bfdfd5543283714fe34
Reviewed-on: https://review.openstack.org/14584
Approved: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
2012-10-21 16:18:35 +00:00
James E. Blair 555733c1cb Align etherpad vhost ssl section with standard.
As copied from jenkins.  Both old and new names for the
cert contents are in hiera.

Change-Id: Ic6d8258479c260ac37346c49c1ecde8339c96a37
Reviewed-on: https://review.openstack.org/14432
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
2012-10-20 15:39:25 +00:00
James E. Blair 9073cc3248 Rewrite /p/ on etherpad.
Also, actually redirect on incorrect hostnames.

Change-Id: I4e0981e45ed119eff02027e90a6a983ddeb6138b
Reviewed-on: https://review.openstack.org/14420
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Paul Belanger <paul.belanger@polybeacon.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
2012-10-13 15:49:24 +00:00
Monty Taylor c0ed8b10f1 Clean up post-apache move carnage.
Change-Id: Ieeb8469126d64df75e7fa0fff67618daa6990674
Reviewed-on: https://review.openstack.org/11246
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
2012-08-12 17:49:33 +00:00
Monty Taylor 3e769e56a3 Align all web server usage on apache module.
Change-Id: Idd712a8ee5ec81c6b88b7d3e2270dce4da254927
Reviewed-on: https://review.openstack.org/10838
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
2012-08-12 17:03:46 +00:00
Monty Taylor 5b2d6fdf85 Align the parameter names for etherpad.
Change-Id: I3430939968297d0d6c14f4e210bd7601fee1dc38
2012-07-22 19:27:39 -05:00
Monty Taylor 60146e4fc4 First pass at parameterizing secret infos.
Change-Id: Iee56a7e65be51ebf19a61eefd60cc93de6a764bf
2012-07-20 14:40:42 -07:00
Clark Boylan 2437144192 Go back to using self compiled node.js.
The version of node.js packaged by ubuntu does not seem to play nice
with require-kernel and etherpad-lite. Go back to compiling version
0.6.16 of node.js which is tested and appears to be working.

Change-Id: Ib9bda5d7acbda06561398a0c715b28e46edb531d
2012-06-21 17:52:43 +00:00
Clark Boylan 6511e79399 Minor tweaks to etherpad_lite module.
Set custom pad.js file to mode 0644. Add nginx config for Etherpad-Lite
to sites-available then symlink to that from sites-enabled. Use Ubuntu
packages for Node.js and NPM instead of building from source (Precise
appears to have fairly recent packages that work).

Change-Id: I752a10ea32b462ef0cc8a5a515dd44c9390a4776
2012-06-19 18:36:08 +00:00
Clark Boylan 022e155ec3 Update eplite module for new version of eplite.
Etherpad lite has changed their source tree slightly. This has
required a few updates to the etherpad lite puppet module. The
custom pad.js needs to go in a different directory and the upstart
conf file needs a couple updated paths.

In addition to the fixes a couple things have been cleaned up. Now
define an etherpadlite.openstack.org node in site.pp and copy SSL
certs from /root/secret-files.

Change-Id: I312b419aa98212b6db68232c672bc4d75f23777f
2012-05-31 23:16:57 +00:00
Clark Boylan 18175e4c18 Puppet Module to install etherpad-lite.
Part of the work necessary for bug #995248

Puppet module to do a basic install of etherpad-lite. Currently
installs etherpad-lite and node.js. Configures etherpad-lite to use
mysql for its DB backend and sets up nginx to reverse proxy
etherpad-lite.

Change-Id: I3ee1ce4594fcf2a27b520a3ad7a024318f69111a
2012-05-10 20:33:51 +00:00