From 137ede2864f756d3d70079a7f5d570d46ea70477 Mon Sep 17 00:00:00 2001 From: decfox Date: Sat, 7 Dec 2024 14:30:14 -0500 Subject: [PATCH] cleanup: unrequired backend configs --- ansible/roles/ooni-backend/tasks/main.yml | 368 +----------------- .../templates/clickhouse_config.xml | 41 -- .../templates/clickhouse_readonly.xml | 9 - .../templates/clickhouse_users.xml | 31 -- .../templates/nginx-api-ams-pg.conf | 297 -------------- .../ooni-backend/templates/nginx-api-fsn.conf | 8 +- .../templates/nginx-api-test.conf | 8 - .../templates/rotation_nginx_conf | 70 ---- .../ooni-backend/templates/rotation_setup.sh | 114 ------ .../ooni-backend/templates/tor_targets.json | 46 +-- 10 files changed, 26 insertions(+), 966 deletions(-) delete mode 100644 ansible/roles/ooni-backend/templates/clickhouse_config.xml delete mode 100644 ansible/roles/ooni-backend/templates/clickhouse_readonly.xml delete mode 100644 ansible/roles/ooni-backend/templates/clickhouse_users.xml delete mode 100644 ansible/roles/ooni-backend/templates/nginx-api-ams-pg.conf delete mode 100644 ansible/roles/ooni-backend/templates/rotation_nginx_conf delete mode 100644 ansible/roles/ooni-backend/templates/rotation_setup.sh diff --git a/ansible/roles/ooni-backend/tasks/main.yml b/ansible/roles/ooni-backend/tasks/main.yml index a6ee12d..42da375 100644 --- a/ansible/roles/ooni-backend/tasks/main.yml +++ b/ansible/roles/ooni-backend/tasks/main.yml @@ -26,7 +26,7 @@ group: ooniapi mode: 0640 vars: - collectors: [] + collectors: ['backend-hel.ooni.org'] # bucket_name and collector_id must match the uploader collector_id: 2 bucket_name: ooni-data-eu-fra-test @@ -252,17 +252,10 @@ src: 444.nft dest: /etc/ooni/nftables/tcp/444.nft -#- name: reload nftables service -# tags: api -# systemd: -# name: nftables.service -# state: reloaded - - name: reload nftables service tags: api, webserv shell: systemctl reload nftables.service - ## Fastpath ## - name: install fastpath if not present 
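Review bot: The new `collectors: ['backend-hel.ooni.org']` hard-codes a hostname into the task-level `vars:` without saying what the rendered template does with the list or why backend-hel is the only entry, whereas the old `[]` at least made the "none" case explicit. The same hostname already appears verbatim in host gates elsewhere in this file (`when: inventory_hostname == 'backend-hel.ooni.org'` on the context line at the end of the last main.yml hunk), so a second literal copy is a drift risk and a play- or group-level variable would keep them in step. At minimum add a comment above the line such as `# hosts handed out as collectors by this template; keep in sync with the backend-hel inventory entry — TODO confirm the consumer`. The template task that owns this `vars:` block starts outside the hunk.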
@@ -298,25 +291,6 @@ vars: clickhouse_url: clickhouse://fastpath:fastpath@localhost/default - - -## Event detector ## - -#- name: install detector -# tags: detector -# apt: -# cache_valid_time: 86400 -# name: detector -# -#- name: configure detector -# tags: detector -# blockinfile: -# path: /etc/ooni/detector.conf -# create: yes -# block: | -# # Managed by ansible, see roles/ooni-backend/tasks/main.yml - - ## Analysis daemon ## - name: install analysis 
@@ -336,346 +310,6 @@ dest: /etc/ooni/analysis.conf # Managed by ansible, see roles/ooni-backend/tasks/main.yml - -## Test helper rotation ## - -- name: configure test helper rotation - tags: rotation - when: inventory_hostname == 'backend-fsn.ooni.org' - blockinfile: - path: /etc/ooni/rotation.conf - create: yes - mode: 0400 - block: | - # Managed by ansible, see roles/ooni-backend/tasks/main.yml - [DEFAULT] - # Digital Ocean token - token = {{ digital_ocean_token }} - active_droplets_count = 4 - size_slug = s-1vcpu-1gb - image_name = debian-11-x64 - draining_time_minutes = 1440 - dns_zone = th.ooni.org - -- name: configure test helper rotation certbot - tags: rotation - when: inventory_hostname == 'backend-fsn.ooni.org' - blockinfile: - path: /etc/ooni/certbot-digitalocean - create: yes - mode: 0400 - block: | - # Managed by ansible, see roles/ooni-backend/tasks/main.yml - dns_digitalocean_token = {{ digital_ocean_token }} - -- name: configure test helper rotation setup script - tags: rotation - when: inventory_hostname == 'backend-fsn.ooni.org' - template: - src: rotation_setup.sh - dest: /etc/ooni/rotation_setup.sh - -- name: create test helper rotation nginx template - tags: rotation - when: inventory_hostname == 'backend-fsn.ooni.org' - template: - src: rotation_nginx_conf - dest: /etc/ooni/rotation_nginx_conf - -- name: generate test helper rotation SSH keypair - tags: rotation - when: inventory_hostname == 'backend-fsn.ooni.org' - openssh_keypair: - path: /etc/ooni/testhelper_ssh_key - owner: root - group: root - mode: 0400 - type: ed25519 - register: pubkey - -- name: print SSH pubkey - tags: rotation - when: inventory_hostname == 'backend-fsn.ooni.org' - debug: msg={{ pubkey.public_key }} - -- name: Enable and start rotation service - tags: rotation - when: inventory_hostname == 'backend-fsn.ooni.org' - systemd: - daemon_reload: yes - enabled: yes - name: ooni-rotation.timer - state: started - - -## Tor daemon and onion service ## - -## TODO(decfox): get 
rid of this? -- name: configure tor onion service hostname - when: inventory_hostname == 'ams-pg.ooni.org' - tags: tor - blockinfile: - path: /var/lib/tor/ooni_onion_service/hostname - create: yes - owner: debian-tor - group: debian-tor - mode: 0644 - block: guegdifjy7bjpequ.onion - -- name: configure tor onion service private_key - when: inventory_hostname == 'ams-pg.ooni.org' - tags: tor - blockinfile: - path: /var/lib/tor/ooni_onion_service/private_key - create: yes - owner: debian-tor - group: debian-tor - mode: 0600 - block: "{{ amspg_ooni_org_onion_key }}" - -- name: set tor onion service directory - when: inventory_hostname == 'ams-pg.ooni.org' - tags: tor - shell: | - chown debian-tor:debian-tor /var/lib/tor/ooni_onion_service - chmod 0700 /var/lib/tor/ooni_onion_service - - -# # Clickhouse # # - -- name: install APT HTTPS support - # do not update package if present - when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org') - tags: clickhouse - apt: - cache_valid_time: 86400 - state: present - name: - - apt-transport-https - - ca-certificates - - dirmngr - -- name: install clickhouse keys - when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org') - tags: clickhouse - command: apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 8919F6BD2B48D754 - -- name: set clickhouse repos - when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org') - tags: clickhouse - blockinfile: - path: /etc/apt/sources.list.d/clickhouse.list - create: yes - block: | - deb https://packages.clickhouse.com/deb lts main - -- name: pin clickhouse release train - when: inventory_hostname in ('backend-fsn.ooni.org', ) - tags: clickhouse - blockinfile: - path: /etc/apt/preferences.d/clickhouse-server - create: yes - block: | - Package: clickhouse-server - Pin: version 21.8.12.* - Pin-Priority: 999 - -- name: pin clickhouse release train - when: inventory_hostname in ('backend-hel.ooni.org') - tags: clickhouse - blockinfile: 
- path: /etc/apt/preferences.d/clickhouse-server - create: yes - block: | - Package: clickhouse-server - Pin: version 23.8.2.* - Pin-Priority: 999 - -- name: install clickhouse on backend-fsn - when: inventory_hostname == 'backend-fsn.ooni.org' - tags: clickhouse - apt: - # refresh cache - cache_valid_time: 0 - name: - - clickhouse-server={{ clickhouse_pkg_ver }} - - clickhouse-client={{ clickhouse_pkg_ver }} - - clickhouse-common-static={{ clickhouse_pkg_ver }} - vars: - clickhouse_pkg_ver: 21.8.12.* - -- name: install clickhouse on backend-hel.ooni.org - when: inventory_hostname == 'backend-hel.ooni.org' - tags: clickhouse - apt: - # refresh cache - cache_valid_time: 0 - name: - - clickhouse-server={{ clickhouse_pkg_ver }} - - clickhouse-client={{ clickhouse_pkg_ver }} - - clickhouse-common-static={{ clickhouse_pkg_ver }} - vars: - clickhouse_pkg_ver: 23.8.2.* - -- name: install clickhouse conf override - when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org') - tags: clickhouse - template: - src: clickhouse_config.xml - dest: /etc/clickhouse-server/config.d/ooni_conf.xml - owner: clickhouse - group: clickhouse - mode: 0400 - notify: restart clickhouse - -- name: allow incoming TCP connections from monitoring to Clickhouse prometheus interface - when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org') - tags: clickhouse - blockinfile: - path: /etc/ooni/nftables/tcp/9363.nft - create: yes - block: | - add rule inet filter input ip saddr 5.9.112.244 tcp dport 9363 counter accept comment "clickhouse prometheus from monitoring.ooni.org" - notify: reload nftables - -- name: allow incoming TCP connections from jupiter on monitoring.ooni.org to Clickhouse - when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org') - tags: clickhouse - blockinfile: - path: /etc/ooni/nftables/tcp/9000.nft - create: yes - block: | - add rule inet filter input ip saddr 5.9.112.244 tcp dport 9000 counter accept comment "clickhouse 
from monitoring.ooni.org" - notify: reload nftables - -- name: Run clickhouse - when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org') - tags: clickhouse - systemd: - name: clickhouse-server.service - state: started - enabled: yes - -## Clickhouse access control ## -# https://clickhouse.com/docs/en/operations/access-rights/#enabling-access-control - -- name: Clickhouse - test admin user - failure is ok to ignore - when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org') - tags: clickhouse-users - command: clickhouse-client -u admin --password admin -q 'select 1' - ignore_errors: true - register: admin_check - -- name: install tor python3-lxml - when: admin_check is defined and admin_check is failed - tags: clickhouse-users - apt: - cache_valid_time: 86400 - name: python3-lxml - -- name: Clickhouse - set flag - when: admin_check is defined and admin_check is failed - tags: clickhouse-users - # The users.xml file itself needs to be edited for this to work - xml: - path: /etc/clickhouse-server/users.xml - backup: yes - xpath: /clickhouse/users/default/{{ item }} - value: "1" - loop: - - access_management - - named_collection_control - - show_named_collections - - show_named_collections_secrets - register: users_xml - -- name: Clickhouse - restart immediately if needed - when: admin_check is defined and admin_check is failed - tags: clickhouse-users - systemd: - name: clickhouse-server - state: restarted - -- name: Clickhouse - create admin - when: admin_check is defined and admin_check is failed - tags: clickhouse-users - command: clickhouse-client -q "CREATE USER OR REPLACE admin IDENTIFIED WITH sha256_password BY 'admin' HOST LOCAL GRANTEES ANY" - # The server might be still starting: retry as needed - retries: 10 - delay: 5 - register: result - until: result.rc == 0 - -- name: Clickhouse - grant admin rights - when: admin_check is defined and admin_check is failed - tags: clickhouse-users - command: clickhouse-client -q 
'GRANT ALL ON *.* TO admin WITH GRANT OPTION' - -- name: Clickhouse - create readonly profile - when: admin_check is defined and admin_check is failed - tags: clickhouse-users - template: - src: clickhouse_readonly.xml - dest: /etc/clickhouse-server/users.d/make_default_readonly.xml - owner: clickhouse - group: clickhouse - mode: 0640 - - #- name: Clickhouse - restore users.xml - # when: admin_check is defined and admin_check is failed - # tags: clickhouse-users - # command: mv {{ users_xml.backup_file }} /etc/clickhouse-server/users.xml - -- name: Clickhouse - restart immediately if needed - when: admin_check is defined and admin_check is failed - tags: clickhouse-users - systemd: - name: clickhouse-server - state: restarted - -- name: Clickhouse - setup users and permissions - tags: clickhouse-users - command: clickhouse-client -u admin --password admin -q "{{ item }}" - loop: - - "CREATE USER OR REPLACE api IDENTIFIED WITH sha256_password BY 'api' HOST LOCAL" - - "GRANT ALL ON *.* TO api" - - "CREATE USER OR REPLACE fastpath IDENTIFIED WITH sha256_password BY 'fastpath' HOST LOCAL" - - "GRANT ALL ON *.* TO fastpath" - -## end of Clickhouse access control ## - - - -- name: Run feeder on backend-hel - when: inventory_hostname == 'backend-hel.ooni.org' - tags: clickhouse - blockinfile: - path: /etc/ooni/clickhouse_feeder.conf - create: yes - block: | - [DEFAULT] - pg_dbuser = readonly - pg_dbhost = localhost - -- name: run feeder on backend-fsn - when: inventory_hostname == 'backend-fsn.ooni.org' - tags: clickhouse - blockinfile: - path: /etc/ooni/clickhouse_feeder.conf - create: yes - block: | - [DEFAULT] - pg_dbuser = readonly - pg_dbhost = backend-hel.ooni.org - -- name: Run feeder - when: inventory_hostname in ('backend-fsn.ooni.org', 'backend-hel.ooni.org') - tags: clickhouse - systemd: - name: ooni-clickhouse-feeder.service - state: started - enabled: yes - - name: Run DB backup on backend-hel when: inventory_hostname == 'backend-hel.ooni.org' tags: dbbackup 
diff --git a/ansible/roles/ooni-backend/templates/clickhouse_config.xml b/ansible/roles/ooni-backend/templates/clickhouse_config.xml deleted file mode 100644 index 548c2a8..0000000 --- a/ansible/roles/ooni-backend/templates/clickhouse_config.xml +++ /dev/null @@ -1,41 +0,0 @@ - - - - - information - - -{% if inventory_hostname == 'backend-fsn.ooni.org' %} - production - 20100100100 - -{% else %} - {{ inventory_hostname.replace(".ooni.org", "") }} -{% endif %} - -{% if inventory_hostname == 'backend-hel.ooni.org' %} - 500100100 - 3100100100 -{% endif %} - - - 0.0.0.0 - - - - - - - - - /metrics - 9363 - true - true - true - true - - diff --git a/ansible/roles/ooni-backend/templates/clickhouse_readonly.xml b/ansible/roles/ooni-backend/templates/clickhouse_readonly.xml deleted file mode 100644 index 7364561..0000000 --- a/ansible/roles/ooni-backend/templates/clickhouse_readonly.xml +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - readonly - - - diff --git a/ansible/roles/ooni-backend/templates/clickhouse_users.xml b/ansible/roles/ooni-backend/templates/clickhouse_users.xml deleted file mode 100644 index 49fd011..0000000 --- a/ansible/roles/ooni-backend/templates/clickhouse_users.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - 1 - - - - - - - readonly - - 0.0.0.0 - - - - - - {{ clickhouse_writer_password|hash('sha256') }} - - 127.0.0.1 - - - - - - - diff --git a/ansible/roles/ooni-backend/templates/nginx-api-ams-pg.conf b/ansible/roles/ooni-backend/templates/nginx-api-ams-pg.conf deleted file mode 100644 index 4e3cf93..0000000 --- a/ansible/roles/ooni-backend/templates/nginx-api-ams-pg.conf +++ /dev/null 
@@ -1,297 +0,0 @@ -# Managed by ansible -# roles/ooni-backend/templates/nginx-api-ams-pg.conf - -# Use 2-level cache, 20MB of RAM + 5GB on disk, -proxy_cache_path /var/cache/nginx/ooni-api levels=1:2 keys_zone=apicache:100M - max_size=5g inactive=24h use_temp_path=off; - -# anonymize ipaddr -map $remote_addr $remote_addr_anon { - ~(?P\d+\.\d+\.\d+)\. $ip.0; - ~(?P[^:]+:[^:]+): $ip::; - default 0.0.0.0; -} - -# log anonymized ipaddr and caching status -log_format ooni_api_fmt '$remote_addr_anon $upstream_cache_status [$time_local] ' - '"$request" $status snt:$body_bytes_sent rt:$request_time uprt:$upstream_response_time "$http_referer" "$http_user_agent"'; - -server { - # TODO(bassosimone): we need support for cleartext HTTP to make sure that requests - # over Tor correctly land to the proper backend. We are listening on this custom port - # and we are configuring Tor such that it routes traffic to this port. - listen 127.0.0.1:17744; - - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name _; - access_log syslog:server=unix:/dev/log,tag=ooniapi,severity=info ooni_api_fmt; - error_log syslog:server=unix:/dev/log,tag=ooniapi,severity=info; - gzip on; - - # TODO: we could use different client_max_body_size and SSL configurations for probe service paths - # and everyhing else - client_max_body_size 200M; # for measurement POST - - ssl_certificate {{ certpath }}{{ inventory_hostname }}/fullchain.pem; - ssl_certificate_key {{ certpath }}{{ inventory_hostname }}/privkey.pem; - ssl_trusted_certificate {{ certpath }}{{ inventory_hostname }}/chain.pem; # for ssl_stapling_verify - - # Use the intermediate configuration to support legacy probes - # https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.6 - ssl_session_timeout 5m; - ssl_session_cache shared:MozSSL:30m; - ssl_session_tickets off; - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - # HSTS (ngx_http_headers_module is required) (63072000 seconds) - add_header Strict-Transport-Security "max-age=63072000" always; - - # OCSP stapling - ssl_stapling on; - ssl_stapling_verify on; - - # verify chain of trust of OCSP response using Root CA and Intermediate certs - #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; - - resolver 127.0.0.1; - - # Registry - # Should match: - # - /api/v1/login - # - /api/v1/register - # - /api/v1/update - location ~^/api/v1/(login|register|update) { - proxy_http_version 1.1; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 900; - - proxy_pass https://registry.ooni.io:443; - } - - # Selectively route test-list/urls to the API - location ~^/api/v1/test-list/urls { - proxy_pass http://127.0.0.1:8000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_cache apicache; - proxy_cache_min_uses 1; - proxy_cache_lock on; - proxy_cache_lock_timeout 30; - proxy_cache_lock_age 30; - proxy_cache_use_stale error timeout invalid_header updating; - proxy_cache_methods HEAD GET; - # Cache only 200, 301, and 302 by default and for very short. 
- # Overridden by the API using the Expires header - proxy_cache_valid 200 301 302 10s; - proxy_cache_valid any 0; - add_header x-cache-status $upstream_cache_status; - add_header X-Cache-Status $upstream_cache_status; - } - - # Orchestrate - # Should match: - # - /api/v1/test-list - location ~^/api/v1/(test-list|urls) { - proxy_http_version 1.1; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 900; - - proxy_pass https://orchestrate.ooni.io:443; - } - - # Web Connectivity Test Helper - # Should match: - # - / - # - /status - # - # The fact that it responds to / means that we may have to differentiate - # via the Host record. - # TODO We should check if clients will respect a suffix added to by the - # bouncer in the returned field, otherwise new clients should use another - # form - location ~^/web-connectivity/(status) { - proxy_http_version 1.1; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 900; - - proxy_pass https://wcth.ooni.io; - } - - location /whoami { - return 200 "{{ inventory_hostname }}"; - } - - location /metrics { - return 200 ''; - } - - # Expose (only) Netdata badges - location ~ ^/netdata/badge { - rewrite ^/netdata/badge /api/v1/badge.svg break; - proxy_pass http://127.0.0.1:19999; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - - # Expose package version badges - location /package_badges { - root /var/www; - add_header Pragma "no-cache"; - add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"; - } - - # Temporary redirection to backend-FSN - location ~ ^/api/v1/(aggregation|measurements|raw_measurement|measurement_meta) { - proxy_pass 
https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location ~ ^/api/_/(asn_by_month|countries|countries_by_month|check_report_id|country_overview|global_overview|global_overview_by_month|im_networks|im_stats|network_stats) { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location ~ ^/api/_/(test_coverage|website_networks|website_stats|website_urls|vanilla_tor_stats|test_names) { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location = /api/_/circumvention_stats_by_country { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location = / { - # match "/" strictly, not as a prefix - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location ~ ^/static/ { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - # open and close reports, submit msmt - location ~ ^/report/ { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - - # Auth, URL sumbission, URL priorities - location ~ ^/api/v1/(url-submission|get_account_role|set_account_role|set_session_expunge|user_login|user_register|user_logout) { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location ~ ^/api/_/(url-priorities|account_metadata) { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - - location ~ ^/api/v1/(collectors|test-helpers|torsf_stats) { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location ~ 
^/(robots.txt|files) { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location = /api/v1/test-list/tor-targets { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location = /api/v1/test-list/urls { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location = /bouncer/net-tests { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - location = /api/v1/test-list/psiphon-config { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - #location ~ ^/api/_/(test_names) { - # proxy_pass https://backend-fsn.ooni.org; - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - #} - ## /files* tree - #location ~ ^/files { - # proxy_pass https://backend-fsn.ooni.org; - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - #} - #location ~ ^/(health) { - # proxy_pass https://backend-fsn.ooni.org; - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - #} - - # Temporary redirect - location = /api/v1/check-in { - proxy_pass https://backend-fsn.ooni.org; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - } - - # new API - location / { - proxy_pass http://127.0.0.1:8000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_cache apicache; - proxy_cache_min_uses 1; - proxy_cache_lock on; - proxy_cache_lock_timeout 30; - proxy_cache_lock_age 30; - proxy_cache_use_stale error timeout invalid_header updating; - proxy_cache_methods HEAD GET; - # Cache only 200, 301, and 302 by default and for very short. 
- # Overridden by the API using the Expires header - proxy_cache_valid 200 301 302 10s; - proxy_cache_valid any 0; - add_header x-cache-status $upstream_cache_status; - add_header X-Cache-Status $upstream_cache_status; - } - - # Expose the measurement spool directory - location /measurement_spool/ { - alias /var/lib/ooniapi/measurements/incoming/; - autoindex off; - sendfile on; - tcp_nopush on; - if_modified_since off; - expires off; - etag off; - - gzip_comp_level 6; - gzip_min_length 1240; - gzip_proxied any; - gzip_types *; - gzip_vary on; - } -} diff --git a/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf b/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf index 9d6e145..1b8d300 100644 --- a/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf +++ b/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf @@ -210,12 +210,8 @@ server { } set $external_remote_addr $remote_addr; - if ($remote_addr = "188.166.93.143") { - # If remote_addr is ams-pg-test trust the X-Real-IP header - set $external_remote_addr $http_x_real_ip; - } - if ($remote_addr = "142.93.237.101") { - # If remote_addr is ams-pg trust the X-Real-IP header + if ($remote_addr ~ "^3.") { + # If remote_addr is AWS trust the X-Real-IP header set $external_remote_addr $http_x_real_ip; } proxy_set_header X-Real-IP $external_remote_addr; diff --git a/ansible/roles/ooni-backend/templates/nginx-api-test.conf b/ansible/roles/ooni-backend/templates/nginx-api-test.conf index 092d40d..a022f7c 100644 --- a/ansible/roles/ooni-backend/templates/nginx-api-test.conf +++ b/ansible/roles/ooni-backend/templates/nginx-api-test.conf 
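Review bot: The new guard `if ($remote_addr ~ "^3.") {` is far broader than the exact-address checks it replaces: the `.` is unescaped, so it matches any client address beginning with `3` followed by any character (`30.`–`39.` and `3`-prefixed IPv6 literals as well as `3.x.x.x`), and even an escaped `^3\.` would still trust the whole 3.0.0.0/8 range rather than one AWS host. Because the matched branch copies `$http_x_real_ip` into `$external_remote_addr`, which the following `proxy_set_header X-Real-IP` line forwards to the API, every client in that range can choose the source address the API records and rate-limits on. Pin it to the actual proxy the way the removed lines did, `if ($remote_addr = "<aws-proxy-ip>") {` (placeholder), or better replace the `if` with nginx's realip module, `set_real_ip_from <aws-proxy-cidr>;` plus `real_ip_header X-Real-IP;`, which only honours the header from listed sources. The enclosing `server` and location blocks begin and end outside the hunk.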
@@ -99,14 +99,6 @@ server { proxy_set_header Host $host; set $external_remote_addr $remote_addr; - if ($remote_addr = "188.166.93.143") { - # If remote_addr is ams-pg-test trust the X-Real-IP header - set $external_remote_addr $http_x_real_ip; - } - if ($remote_addr = "142.93.237.101") { - # If remote_addr is ams-pg trust the X-Real-IP header - set $external_remote_addr $http_x_real_ip; - } proxy_set_header X-Real-IP $external_remote_addr; proxy_cache apicache; diff --git a/ansible/roles/ooni-backend/templates/rotation_nginx_conf b/ansible/roles/ooni-backend/templates/rotation_nginx_conf deleted file mode 100644 index 63255e5..0000000 --- a/ansible/roles/ooni-backend/templates/rotation_nginx_conf +++ /dev/null 
@@ -1,70 +0,0 @@ -# Managed by ansible, see roles/ooni-backend/tasks/main.yml -# and roles/ooni-backend/templates/rotation_nginx_conf -# Deployed by rotation tool to the test-helper hosts -proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=thcache:100M - max_size=5g inactive=24h use_temp_path=off; - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name _; - gzip on; - ssl_certificate /etc/ssl/private/th_fullchain.pem; - ssl_certificate_key /etc/ssl/private/th_privkey.pem; - ssl_session_timeout 5m; - ssl_session_cache shared:MozSSL:30m; - ssl_session_tickets off; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - add_header Strict-Transport-Security "max-age=63072000" always; - ssl_stapling on; - ssl_stapling_verify on; - resolver 127.0.0.1; - # local test helper - location / { - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 900; - proxy_pass http://127.0.0.1:8080; - - proxy_cache thcache; - proxy_cache_min_uses 1; - proxy_cache_lock on; - proxy_cache_lock_timeout 30; - proxy_cache_lock_age 30; - proxy_cache_use_stale error timeout invalid_header updating; - # Cache POST without headers set by the test helper! 
- proxy_cache_methods POST; - proxy_cache_key "$request_uri|$request_body"; - proxy_cache_valid 200 10m; - proxy_cache_valid any 0; - add_header X-Cache-Status $upstream_cache_status; - - } -} - -# Used by Netdata to monitor Nginx -server { - listen 127.0.0.1:80; - server_name localhost; - - allow 5.9.112.244; # monitoring host - deny all; - - location = /stub_status { - stub_status; - } -} - -# Used by Prometheus to reach the TH -server { - listen 9001; - server_name localhost; - - allow 5.9.112.244; # monitoring host - deny all; - - location = /metrics { - proxy_pass http://127.0.0.1:9091; - } -} diff --git a/ansible/roles/ooni-backend/templates/rotation_setup.sh b/ansible/roles/ooni-backend/templates/rotation_setup.sh deleted file mode 100644 index 5706150..0000000 --- a/ansible/roles/ooni-backend/templates/rotation_setup.sh +++ /dev/null 
@@ -1,114 +0,0 @@ -#!/bin/bash -# Managed by ansible, see roles/ooni-backend/tasks/main.yml -# -# Configure test-helper droplet -# This script is run remotely on newly spawned VM by https://github.com/ooni/backend/blob/master/analysis/rotation.py -# It runs as root and with CWD=/ -# -set -euo pipefail -exec 1>/var/log/vm_rotation_setup.log 2>&1 -echo > /etc/motd - -echo "Configuring APT" -echo "deb [trusted=yes] https://ooni-deb.s3.eu-central-1.amazonaws.com unstable main" > /etc/apt/sources.list.d/ooni.list -cat < /etc/apt/trusted.gpg.d/ooni.gpg ------BEGIN PGP PUBLIC KEY BLOCK----- - -mDMEYGISFRYJKwYBBAHaRw8BAQdA4VxoR0gSsH56BbVqYdK9HNQ0Dj2YFVbvKIIZ -JKlaW920Mk9PTkkgcGFja2FnZSBzaWduaW5nIDxjb250YWN0QG9wZW5vYnNlcnZh -dG9yeS5vcmc+iJYEExYIAD4WIQS1oI8BeW5/UhhhtEk3LR/ycfLdUAUCYGISFQIb -AwUJJZgGAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA3LR/ycfLdUFk+AQCb -gsUQsAQGxUFvxk1XQ4RgEoh7wy2yTuK8ZCkSHJ0HWwD/f2OAjDigGq07uJPYw7Uo -Ih9+mJ/ubwiPMzUWF6RSdgu4OARgYhIVEgorBgEEAZdVAQUBAQdAx4p1KerwcIhX -HfM9LbN6Gi7z9j4/12JKYOvr0d0yC30DAQgHiH4EGBYIACYWIQS1oI8BeW5/Uhhh -tEk3LR/ycfLdUAUCYGISFQIbDAUJJZgGAAAKCRA3LR/ycfLdUL4cAQCs53fLphhy -6JMwVhRs02LXi1lntUtw1c+EMn6t7XNM6gD+PXpbgSZwoV3ZViLqr58o9fZQtV3s -oN7jfdbznrWVigE= -=PtYb ------END PGP PUBLIC KEY BLOCK----- -EOF - -# Vector -cat < /etc/apt/trusted.gpg.d/vector.gpg ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2 - -mQENBF9gFZ0BCADETtIHM8y5ehMoyNiZcriK+tHXyKnbZCKtMCKcC4ll94/6pekQ -jKIPWg8OXojkCtwua/TsddtQmOhUxAUtv6K0jO8r6sJ8rezMhuNH8J8rMqWgzv9d -2+U7Z7GFgcP0OeD+KigtnR8uyp50suBmEDC8YytmmbESmG261Y38vZME0VvQ+CMy -Yi/FvKXBXugaiCtaz0a5jVE86qSZbKbuaTHGiLn05xjTqc4FfyP4fi4oT2r6GGyL -Bn5ob84OjXLQwfbZIIrNFR10BvL2SRLL0kKKVlMBBADodtkdwaTt0pGuyEJ+gVBz -629PZBtSrwVRU399jGSfsxoiLca9//c7OJzHABEBAAG0OkNsb3Vkc21pdGggUGFj -a2FnZSAodGltYmVyL3ZlY3RvcikgPHN1cHBvcnRAY2xvdWRzbWl0aC5pbz6JATcE -EwEIACEFAl9gFZ0CGy8FCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQNUPbLQor -xLhf6gf8DyfIpKjvEeW/O8lRUTpkiPKezJbb+udZboCXJKDD02Q9PE3hfEfQRr5X 
-muytL7YMPvzqBVuP3xV5CN3zvtiQQbZiDhstImVyd+t24pQTkjzkvy+A2yvUuIkE -RWxuey41f5FNj/7wdfJnHoU9uJ/lvsb7DLXw7FBMZFNBR6LED/d+b61zMzVvmFZA -gsrCGwr/jfySwnpShmKdJaMTHQx0qt2RfXwNm2V6i900tAuMUWnmUIz5/9vENPKm -0+31I43a/QgmIrKEePhwn2jfA1oRlYzdv+PbblSTfjTStem+GqQkj9bZsAuqVH8g -3vq0NvX0k2CLi/W9mTiSdHXFChI15A== -=k36w ------END PGP PUBLIC KEY BLOCK----- -EOF - -echo "deb https://repositories.timber.io/public/vector/deb/debian bullseye main" > /etc/apt/sources.list.d/vector.list - -echo "Installing packages" -export DEBIAN_FRONTEND=noninteractive -apt-get update -q -apt-get purge -qy unattended-upgrades rsyslog -apt-get upgrade -qy -apt-get install -qy --no-install-recommends chrony netdata oohelperd netdata-plugins-python - -systemctl daemon-reload -systemctl restart systemd-journald.service -logger start -systemctl restart systemd-journald.service - -apt-get install -qy --no-install-recommends vector - -echo "Configuring Vector" -# The certs are copied over by rotation.py -cat > /etc/vector/vector.toml < /etc/netdata/netdata.conf < /var/run/rotation_setup_completed diff --git a/ansible/roles/ooni-backend/templates/tor_targets.json b/ansible/roles/ooni-backend/templates/tor_targets.json index 933c4ed..66679bf 100644 --- a/ansible/roles/ooni-backend/templates/tor_targets.json +++ b/ansible/roles/ooni-backend/templates/tor_targets.json @@ -1,13 +1,13 @@ { - "128.31.0.39:9101": { - "address": "128.31.0.39:9101", - "fingerprint": "9695DFC35FFEB861329B9F1AB04C46397020CE31", + "128.31.0.39:9201": { + "address": "128.31.0.39:9201", + "fingerprint": "1A25C6358DB91342AA51720A5038B72742732498", "name": "moria1", "protocol": "or_port_dirauth" }, - "128.31.0.39:9131": { - "address": "128.31.0.39:9131", - "fingerprint": "9695DFC35FFEB861329B9F1AB04C46397020CE31", + "128.31.0.39:9231": { + "address": "128.31.0.39:9231", + "fingerprint": "1A25C6358DB91342AA51720A5038B72742732498", "name": "moria1", "protocol": "dir_port" }, 
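Review bot: The replacement ports and identity fingerprint for moria1 in this hunk (and likewise for Faravahar and tor26 in the `@@ -23` and `@@ -211` hunks, plus the address-only move of dizum in `@@ -109`) cannot be verified from the diff itself, and a wrong fingerprint would make probes report a directory authority as unreachable or misidentified rather than fail loudly. JSON cannot carry a comment, so the provenance belongs in the commit message or an adjacent README: name the directory-authority list published by the Tor Project that these values were copied from and the date it was checked. Each entry's object key and `address` field were kept in sync in every hunk, which is the right invariant; a small lint asserting `key == address` for every entry would catch the drift that hand edits like this invite.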
@@ -23,15 +23,15 @@
 "name": "gabelmoo",
 "protocol": "dir_port"
 },
- "154.35.175.225:443": {
- "address": "154.35.175.225:443",
- "fingerprint": "CF6D0AAFB385BE71B8E111FC5CFF4B47923733BC",
+ "216.218.219.41:443": {
+ "address": "216.218.219.41:443",
+ "fingerprint": "E3E42D35F801C9D5AB23584E0025D56FE2B33396",
 "name": "Faravahar",
 "protocol": "or_port_dirauth"
 },
- "154.35.175.225:80": {
- "address": "154.35.175.225:80",
- "fingerprint": "CF6D0AAFB385BE71B8E111FC5CFF4B47923733BC",
+ "216.218.219.41:80": {
+ "address": "216.218.219.41:80",
+ "fingerprint": "E3E42D35F801C9D5AB23584E0025D56FE2B33396",
 "name": "Faravahar",
 "protocol": "dir_port"
 },
@@ -109,14 +109,14 @@
 },
 "protocol": "obfs4"
 },
- "45.66.33.45:443": {
- "address": "45.66.33.45:443",
+ "45.66.35.11:443": {
+ "address": "45.66.35.11:443",
 "fingerprint": "7EA6EAD6FD83083C538F44038BBFA077587DD755",
 "name": "dizum",
 "protocol": "or_port_dirauth"
 },
- "45.66.33.45:80": {
- "address": "45.66.33.45:80",
+ "45.66.35.11:80": {
+ "address": "45.66.35.11:80",
 "fingerprint": "7EA6EAD6FD83083C538F44038BBFA077587DD755",
 "name": "dizum",
 "protocol": "dir_port"
@@ -211,15 +211,15 @@
 },
 "protocol": "obfs4"
 },
- "86.59.21.38:443": {
- "address": "86.59.21.38:443",
- "fingerprint": "847B1F850344D7876491A54892F904934E4EB85D",
+ "217.196.147.77:443": {
+ "address": "217.196.147.77:443",
+ "fingerprint": "FAA4BCA4A6AC0FB4CA2F8AD5A11D9E122BA894F6",
 "name": "tor26",
 "protocol": "or_port_dirauth"
 },
- "86.59.21.38:80": {
- "address": "86.59.21.38:80",
- "fingerprint": "847B1F850344D7876491A54892F904934E4EB85D",
+ "217.196.147.77:80": {
+ "address": "217.196.147.77:80",
+ "fingerprint": "FAA4BCA4A6AC0FB4CA2F8AD5A11D9E122BA894F6",
 "name": "tor26",
 "protocol": "dir_port"
 },
@@ -301,4 +301,4 @@
 },
 "protocol": "obfs4"
 }
-}
\ No newline at end of file
+}