Add tarballs.<openstack|opendev>.org to static.opendev.org

Add these hosts to static.opendev.org, serving from AFS.  Note that
tarballs.openstack.org just redirects to static.opendev.org/openstack.

This should have no effect currently; it will only become live when we
switch DNS.

For more details see the thread at:

 http://lists.openstack.org/pipermail/openstack-infra/2020-January/006584.html

Change-Id: Ie56fac17ffaa91ee55be986de636485a58125a02
Ian Wienand 2020-01-30 11:40:17 +11:00
parent 7227bcf879
commit 3fd6e16077
6 changed files with 134 additions and 1 deletions


@ -7,4 +7,7 @@ letsencrypt_certs:
- governance.openstack.org
static01-security-openstack-org:
- security.openstack.org
static01-tarballs-opendev-org:
- tarballs.opendev.org
static01-tarballs-openstack-org:
- tarballs.openstack.org


@ -44,6 +44,12 @@
- name: letsencrypt updated static01-security-openstack-org
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
- name: letsencrypt updated static01-tarballs-opendev-org
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
- name: letsencrypt updated static01-tarballs-openstack-org
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
# review-dev
- name: letsencrypt updated review-dev01-opendev-org-main


@ -0,0 +1,41 @@
Define AFS_ROOT /afs/openstack.org/project/tarballs.opendev.org
<VirtualHost *:80>
ServerName tarballs.opendev.org
RewriteEngine On
RewriteRule ^/(.*) https://tarballs.opendev.org/$1 [last,redirect=permanent]
LogLevel warn
ErrorLog /var/log/apache2/tarballs.opendev.org_error.log
CustomLog /var/log/apache2/tarballs.opendev.org_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName tarballs.opendev.org
DocumentRoot ${AFS_ROOT}
SSLCertificateFile /etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/tarballs.opendev.org/tarballs.opendev.org.key
SSLCertificateChainFile /etc/letsencrypt-certs/tarballs.opendev.org/ca.cer
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
<Directory ${AFS_ROOT}>
Options Indexes FollowSymLinks MultiViews
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/tarballs.opendev.org_error.log
CustomLog /var/log/apache2/tarballs.opendev.org_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>
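Review bot: `SSLProtocol All -SSLv2 -SSLv3` in the :443 vhost still leaves TLS 1.0 and 1.1 negotiable on a host that serves release tarballs; consider `SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`, here and on the same line in the tarballs.openstack.org vhost. In the `SSLCipherSuite` string, `!AES256` removes every AES-256 suite, so the earlier `ECDH+AES256` and `DH+AES256` entries never take effect; drop one or the other so the list says what it means. `AllowOverrideList Redirect RedirectMatch` together with `FollowSymLinks` lets anyone who can write under the AFS tree publish redirects and symlinks from this hostname, which deserves a comment stating that this is intended.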


@ -0,0 +1,35 @@
<VirtualHost *:80>
ServerName tarballs.openstack.org
RewriteEngine On
RewriteRule ^/(.*) https://tarballs.openstack.org/$1 [last,redirect=permanent]
LogLevel warn
ErrorLog /var/log/apache2/tarballs.openstack.org_error.log
CustomLog /var/log/apache2/tarballs.openstack.org_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName tarballs.openstack.org
DocumentRoot ${AFS_ROOT}
SSLCertificateFile /etc/letsencrypt-certs/tarballs.openstack.org/tarballs.openstack.org.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/tarballs.openstack.org/tarballs.openstack.org.key
SSLCertificateChainFile /etc/letsencrypt-certs/tarballs.openstack.org/ca.cer
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
RewriteEngine On
RewriteRule ^/?(.*)$ https://tarballs.opendev.org/openstack/$1 [L]
LogLevel warn
ErrorLog /var/log/apache2/tarballs.openstack.org_error.log
CustomLog /var/log/apache2/tarballs.openstack.org_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>
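Review bot: `DocumentRoot ${AFS_ROOT}` in the :443 vhost uses a variable that nothing in this file defines as shown, so its value depends on whichever other site file last ran `Define AFS_ROOT` and on the order in which Apache loads them. Since every request here is answered by the `RewriteRule` redirect, the line can be dropped, or the file should carry its own `Define` so it does not silently inherit another site's root. The redirect rule uses `[L]` only, which yields a temporary 302 (the test asserts that) while the port-80 rule is `redirect=permanent`; a short comment saying whether the 302 is deliberate would help.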


@ -86,3 +86,35 @@
creates: /etc/apache2/sites-enabled/50-security.openstack.org
notify:
- Reload apache2
# tarballs.opendev.org
- name: Install tarballs.opendev.org
copy:
src: 50-tarballs.opendev.org.conf
dest: /etc/apache2/sites-available/
owner: root
group: root
mode: 0644
- name: Enable tarballs.opendev.org
command: a2ensite 50-tarballs.opendev.org
args:
creates: /etc/apache2/sites-enabled/50-tarballs.opendev.org
notify:
- Reload apache2
# tarballs.openstack.org
- name: Install tarballs.openstack.org
copy:
src: 50-tarballs.openstack.org.conf
dest: /etc/apache2/sites-available/
owner: root
group: root
mode: 0644
- name: Enable tarballs.openstack.org
command: a2ensite 50-tarballs.openstack.org
args:
creates: /etc/apache2/sites-enabled/50-tarballs.openstack.org
notify:
- Reload apache2
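Review bot: The two `copy` tasks that install the vhost files appear to carry no `notify`; only the `a2ensite` tasks do, and those are skipped once the `creates:` symlink exists. A later edit to `50-tarballs.opendev.org.conf` or `50-tarballs.openstack.org.conf` (for example a TLS setting) would therefore land on disk without Apache reloading it. Adding `notify:` with `- Reload apache2` to both `copy` tasks fixes that; indentation is lost on this page, so confirm against the file. Quoting the mode as `mode: '0644'` also avoids YAML reading it as an octal integer.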


@ -31,3 +31,19 @@ def test_security_openstack_org(host):
'--resolve security.openstack.org:443:127.0.0.1 '
'https://security.openstack.org/')
assert 'OpenStack Security Project' in cmd.stdout
def test_tarballs_openstack_org(host):
cmd = host.run('curl --insecure '
'--resolve tarballs.openstack.org:443:127.0.0.1 '
'--resolve tarballs.opendev.org:443:127.0.0.1 '
'https://tarballs.openstack.org/nova/')
# The redirect page should send us to tarballs.opendev.org
assert '302 Found' in cmd.stdout
assert 'https://tarballs.opendev.org/openstack/nova/' in cmd.stdout
def test_tarballs_opendev_org(host):
cmd = host.run('curl --insecure '
'--resolve tarballs.opendev.org:443:127.0.0.1 '
'https://tarballs.opendev.org/openstack/nova/')
# An old file that should be present
assert 'nova-12.0.0.tar.gz' in cmd.stdout
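Review bot: In `test_tarballs_openstack_org` the second `--resolve tarballs.opendev.org:443:127.0.0.1` has no effect, because curl is run without `--location` and never contacts that host. Either drop it, or add `--location` and assert on the final listing so the redirect is checked end to end. Both tests also pass `--insecure`, so the certificate and chain configuration in the new vhosts is not exercised; if the test environment only has self-signed certificates, a comment such as `# self-signed cert in the test environment, so skip verification` would record why. Neither test covers the port-80 redirect vhosts.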