add backend serveraliases to debian vhosts #2124
@@ -70,6 +70,7 @@ | |||
include apache::mod::mime | |||
|
|||
web::vhost { $vhost: | |||
serveraliases => [ "${vhost}-backend.theforeman.org", "${vhost}.${facts['networking']['fqdn']}" ], |
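Review bot: The added `serveraliases` line carries no comment saying why these two names exist, and it hard-codes `theforeman.org` in `${vhost}-backend.theforeman.org` while the second alias is derived from `facts['networking']['fqdn']`. A one-line comment above it (the backend name is what a CDN or other front end should use to reach this host) and a parameter or variable for the domain would make the intent clear and keep the two aliases consistent. Because the alias is built from `$vhost`, every vhost declared through this code gets its own `-backend` name, so each of those names has to exist in DNS before certificates that cover the aliases are requested.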
gotta add the right DNS entries before deploying this, or LE will freak out
Can we make the servername `deb-backend`? I don't mind adding the `$vhost.$fqdn` as an alias.
no, because then stagingdeb and archivedeb will also have this alias, which is not what I wanted :)
So we can't make `$vhost` `deb-backend` instead?
My reasoning is that I'd like to use `mod_md` to get the certificate (based on the `servername`) instead of the current letsencrypt module we use, but we don't have to pull that in scope here.
We have 3 instances of `freight::user`: `main`, `archive` and `staging` which create `deb`, `archivedeb` and `stagingdeb` vhosts.
We should switch those to produce `deb-backend`, `archivedeb-backend` and `stagingdeb-backend` at some point, yes.
But I first wanted to introduce the alias, have time to play with the CDN and then drop the non-backend vhosts.
FWIW, I think I misread your first comment "can we make the servername deb-backend" as "can we always use deb-backend" -- which we can't because we need three separate "backends" (served by the same httpd).
What we can do is use `${vhost}-backend` as the servername in the future.
I am guessing the same will need to happen for the rpm serving and thus I should copy this model?
Need? No.
deb.tfm.o (and friends) do not point to our host these days, but to a CDN, thus, using deb.tfm.o as the vhost name is a tad wrong.

This change introduces two aliases for the vhost: deb-backend.tfm.o and deb.${fqdn}, which in my test environment results in:

```
ServerName deb.theforeman.org
ServerAlias deb-backend.theforeman.org
ServerAlias deb.repo-deb.tanso.example.com
```

This has the benefit that the right vhost is reachable without any tricks, and will allow us to switch the CDN config to a "more correct" naming scheme, later dropping deb.tfm.o from the vhost here totally.

(This has the side-benefit that deb.tfm LE requests go via the CDN and only then hit our box, which is confusing to say the least and that would stop)
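The point raised in the thread about having the right DNS entries in place before deploying can be run as a pre-deploy check. This is an added example, not code from the PR or the Foreman project: `vhost_names`, `check_names`, the resolver hook and the sample addresses are assumptions, while the name scheme follows the `ServerName`/`ServerAlias` output quoted in the description.

```python
import socket

DOMAIN = "theforeman.org"  # domain used in the diff's "-backend" alias


def vhost_names(vhost, fqdn, domain=DOMAIN):
    """ServerName followed by the two aliases this change introduces."""
    return [f"{vhost}.{domain}", f"{vhost}-backend.{domain}", f"{vhost}.{fqdn}"]


def system_resolver(name):
    """Resolve a name to a set of addresses; an empty set means no DNS entry."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_names(names, host_addrs, resolver=system_resolver):
    """Classify each name: 'ok' (resolves only to this host), 'missing'
    (no DNS entry yet) or 'elsewhere' (resolves to something else, e.g. a CDN)."""
    host_addrs = set(host_addrs)
    result = {}
    for name in names:
        addrs = resolver(name)
        if not addrs:
            result[name] = "missing"
        elif addrs <= host_addrs:
            result[name] = "ok"
        else:
            result[name] = "elsewhere"
    return result


# Constructed sample data (documentation address ranges), not real records:
# the public name points at a CDN, the backend name has no entry yet.
CONSTRUCTED_DNS = {
    "deb.theforeman.org": {"203.0.113.5"},
    "deb.repo-deb.tanso.example.com": {"192.0.2.10"},
}

if __name__ == "__main__":
    names = vhost_names("deb", "repo-deb.tanso.example.com")
    report = check_names(names, {"192.0.2.10"},
                         resolver=lambda n: CONSTRUCTED_DNS.get(n, set()))
    for name, state in report.items():
        print(f"{state:9} {name}")
```

A name reported as `missing` or `elsewhere` is one for which a certificate validation request would not reach this host directly.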