diff --git a/ansible/roles/ooni-backend/handlers/main.yml b/ansible/roles/ooni-backend/handlers/main.yml
index 84d0f4f..f91f47b 100644
--- a/ansible/roles/ooni-backend/handlers/main.yml
+++ b/ansible/roles/ooni-backend/handlers/main.yml
@@ -1,6 +1,22 @@
 ---
 - name: reload nftables
+ tags: api, webserv
 service: name=nftables state=reloaded
 
-- name: restart clickhouse
- service: name=clickhouse-server state=restarted
+- name: test nginx config
+ command: nginx -t
+ listen:
+ - restart nginx
+ - reload nginx
+
+- name: restart nginx
+ tags: webserv
+ service:
+ name: nginx
+ state: restarted
+
+- name: reload nginx
+ tags: api, deb_ooni, webserv
+ service:
+ name: nginx
+ state: reloaded
diff --git a/ansible/roles/ooni-backend/tasks/main.yml b/ansible/roles/ooni-backend/tasks/main.yml
index 987eecf..63ee471 100644
--- a/ansible/roles/ooni-backend/tasks/main.yml
+++ b/ansible/roles/ooni-backend/tasks/main.yml
@@ -59,7 +59,7 @@
 bucket_name: {{ bucket_name }}
 collector_id: {{ collector_id }}
-## nginx ##
+## Nginx ##
 - name: Overwrite API nginx conf
 tags: api, webserv
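Review bot: The new `test nginx config` handler reports a change on every run because `command: nginx -t` carries no `changed_when`; add `changed_when: false` beneath it so a pure syntax check does not show up as a change in the play recap. Its position in the file matters: Ansible runs handlers in definition order, so the check fires before `restart nginx` and `reload nginx` and a failing `nginx -t` stops the host before the service is touched, which is what the removed `nginx -t && systemctl ...` shell tasks guaranteed inline; a comment such as `# keep this handler above the nginx handlers it listens for: handlers run in definition order, and a failed check aborts before reload/restart` would protect that ordering from a later edit. The untouched `reload nftables` handler still uses the `name=nftables state=reloaded` key=value shorthand while the new handlers use block-form `service:`; `service:` / `name: nftables` / `state: reloaded` would make the file uniform.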
@@ -72,28 +72,24 @@
 # Uses dehydrated
 certpath: /var/lib/dehydrated/certs/
 
-- name: Delete old files
- when: inventory_hostname in ('backend-hel.ooni.org')
- tags: api, webserv
- ansible.builtin.file:
- path: "{{ item }}"
- state: absent
- loop:
- - /etc/nginx/sites-enabled/00-letsencrypt-http
- - /etc/nginx/sites-enabled/deb_ooni_org
- - /etc/nginx/sites-enabled/deb_ooni_org_http
+- name: Create symlink for API nginx conf
+ tags: api
+ file:
+ src=/etc/nginx/sites-available/ooni-api.conf
+ dest=/etc/nginx/sites-enabled/ooni-api.conf
+ state=link
 
-- name: Deploy dehydrated conf
- when: inventory_hostname in ('backend-hel.ooni.org')
- tags: api, webserv
+- name: Configure deb forwarder
+ tags: deb_ooni
+ # Uses dehydrated
 template:
- src: templates/dehydrated.config
- dest: /etc/dehydrated/config
- mode: 0755
- owner: root
+ src: deb_ooni.nginx.conf
+ dest: /etc/nginx/sites-enabled/deb_ooni
+ notify:
+ - reload nginx
+ - restart nginx
 
 - name: Deploy dehydrated conf
- when: inventory_hostname in ('backend-hel.ooni.org')
 tags: api, webserv
 template:
 src: templates/dehydrated.config
@@ -110,34 +106,12 @@
 group: ooniapi
 mode: 0640
 
-- name: Create symlink for API nginx conf
- tags: api
- file:
- src=/etc/nginx/sites-available/ooni-api.conf
- dest=/etc/nginx/sites-enabled/ooni-api.conf
- state=link
-
-- name: Configure deb forwarder
- tags: deb_ooni_org
- # Uses dehydrated
- template:
- src: deb_ooni_org.nginx.conf
- dest: /etc/nginx/sites-enabled/deb_ooni_org
-
 - name: create badges dir
 tags: api
 file:
 path: /var/www/package_badges/
 state: directory
 
-- name: Safely reload Nginx
- tags: api, deb_ooni_org, webserv
- shell: nginx -t && systemctl reload nginx
-
-- name: Restart Nginx
- tags: webserv
- shell: nginx -t && systemctl restart nginx
-
 - name: allow incoming TCP connections to API
 tags: api
 blockinfile:
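Review bot: `Configure deb forwarder` notifies both `reload nginx` and `restart nginx`, so a single template change triggers a full restart (dropping in-flight connections) followed by a redundant reload; a config change needs only `notify: - reload nginx`. Nothing on the new side removes the previously deployed `/etc/nginx/sites-enabled/deb_ooni_org` now that the template lands in `/etc/nginx/sites-enabled/deb_ooni` and the `Delete old files` task is gone, so a host that already has the old file would presumably load both sites; if such hosts exist, keep a `file:` task with `state: absent` for the old path. `Create symlink for API nginx conf` still passes `src=... dest=... state=link` as key=value text; block-form `src:`, `dest:`, `state: link` matches the other tasks in the file. The `Deploy dehydrated conf` task at the end of the hunk continues outside it.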
@@ -145,10 +119,8 @@
 create: yes
 block: |
 add rule inet filter input tcp dport 443 counter accept comment "incoming HTTPS"
-
-- name: reload nftables service
- tags: api, webserv
- shell: systemctl reload nftables.service
+ notify:
+ - reload nftables
 ## Fastpath ##
@@ -190,7 +162,6 @@
 ## DB backup ##
 - name: Run DB backup
- when: inventory_hostname == 'backend-hel.ooni.org'
 tags: dbbackup
 template:
 src: db-backup.conf
diff --git a/ansible/roles/ooni-backend/templates/dehydrated_haproxy_hook.sh b/ansible/roles/ooni-backend/templates/dehydrated_haproxy_hook.sh
deleted file mode 100644
index 0e5b41f..0000000
--- a/ansible/roles/ooni-backend/templates/dehydrated_haproxy_hook.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-
-# Deployed by ansible
-# See roles/ooni-backend/templates/dehydrated_haproxy_hook.sh
-#
-# Deploys chained privkey and certificates for haproxy
-# Reloads haproxy as needed
-
-deploy_cert() {
- local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
- # Called once for each certificate
- # /var/lib/dehydrated/certs/backend-hel.ooni.org/privkey.pem /var/lib/dehydrated/certs/backend-hel.ooni.org/cert.pem /var/lib/dehydrated/certs/backend-hel.ooni.org/fullchain.pem > /var/lib/dehydrated/certs/backend-hel.ooni.org/haproxy.pem
- # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
- logger "deploy_cert hook reading ${KEYFILE} ${CERTFILE} ${FULLCHAINFILE}"
- cat "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" > "${KEYFILE}.haproxy"
- logger "deploy_cert reloading haproxy"
- systemctl reload haproxy.service
-}
-
-HANDLER="$1"; shift
-if [[ "${HANDLER}" =~ ^(deploy_cert)$ ]]; then
- "$HANDLER" "$@"
-fi
diff --git a/ansible/roles/ooni-backend/templates/haproxy.cfg b/ansible/roles/ooni-backend/templates/haproxy.cfg
deleted file mode 100644
index 025a4fc..0000000
--- a/ansible/roles/ooni-backend/templates/haproxy.cfg
+++ /dev/null
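Review bot: Replacing the inline `shell: systemctl reload nftables.service` with `notify: - reload nftables` defers the reload to the end of the play, so the 443 accept rule this blockinfile adds is not live while any later task in the same play runs, and it is never applied at all if the play fails before handlers flush; if anything downstream expects the port to be open, insert `- meta: flush_handlers` right after this task. The blockinfile task starts above the hunk, and the `reload nftables` handler it now relies on runs `service: name=nftables state=reloaded` with no syntax check in front of it (unlike the nginx handlers), so a malformed line in the block only surfaces as a failed handler when the play ends.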
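Review bot: Removing `when: inventory_hostname == 'backend-hel.ooni.org'` from `Run DB backup` makes the backup configuration deploy on every host the role runs against, not only the one named before; if the role is ever applied to more than one host this presumably starts parallel backups from each of them, so either keep a host or group guard on the task or state in the role that it is single-host. The task continues below the hunk.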
@@ -1,122 +0,0 @@ -## Deployed by ansible, see roles/ooni-backend/templates/haproxy.cfg - -# Proxies to: -# - local nginx -# - remote test helpers -# See http://interactive.blockdiag.com/?compression=deflate&src=eJyFjjELwjAQhXd_xeFuEdpBEAURBwfBXSSk6ZkEr7mSZGgR_7tNXdoiuD2--7j3SmL1rKzU8FoAFEUOqz0Y2XhuuxSHICKLiCEKg9Sg3_bmSHHaujaxISRyuJ7hRrJEgh0slVTGOr28Txz2yvQvvYw44R617XGXMTubWU7HzXq26kfl8XISykgidBphVP-whLPuOtRRhIaZ_ogVlt8d7PVYDXkS3x_pgmPP - -global - log /dev/log local0 info alert - log /dev/log local1 notice alert - chroot /var/lib/haproxy - stats socket /run/haproxy/admin.sock mode 660 level admin - stats timeout 30s - user haproxy - group haproxy - daemon - - # Default SSL material locations - ca-base /etc/ssl/certs - crt-base /etc/ssl/private - - # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate - ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 - ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets - -defaults - log global - mode http - option httplog - option dontlognull - timeout connect 5000 - timeout client 50000 - timeout server 50000 - errorfile 400 /etc/haproxy/errors/400.http - errorfile 403 /etc/haproxy/errors/403.http - errorfile 408 /etc/haproxy/errors/408.http - errorfile 500 /etc/haproxy/errors/500.http - errorfile 502 /etc/haproxy/errors/502.http - errorfile 503 /etc/haproxy/errors/503.http - errorfile 504 /etc/haproxy/errors/504.http - - log-format "%[var(txn.src_ipaddr_masked)] %ft > %b > %s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" - -frontend haproxy_metrics - # Metrics exposed on TLS port 444 - # File generated by /etc/dehydrated/haproxy_hook.sh - 
bind :444 ssl crt /var/lib/dehydrated/certs/"{{ inventory_hostname }}"/privkey.pem.haproxy - - http-request set-var(txn.src_ipaddr_masked) src,ipmask(24,64) - - # /__haproxy_stats stats page - stats enable - stats uri /__haproxy_stats - stats refresh 5s - - # /__haproxy_prom_metrics prometheus metrics - http-request use-service prometheus-exporter if { path /__haproxy_prom_metrics } - - -frontend public_tls - # TLS on port 443 - # File generated by /etc/dehydrated/haproxy_hook.sh - bind :443 ssl crt /var/lib/dehydrated/certs/{{ inventory_hostname }}/privkey.pem.haproxy - - http-request set-var(txn.src_ipaddr_masked) src,ipmask(24,64) - - # test helpers - default_backend lb_test_helpers - - # deb.ooni.org - acl ACL_deb_ooni_org hdr(host) -i deb.ooni.org - use_backend deb_ooni_org if ACL_deb_ooni_org - - # Nginx - use_backend nginx if !{ path / } || !{ method POST } - - -frontend public_80 - # Forwarded to Nginx for ACME and deb.ooni.org - bind :80 - - http-request set-var(txn.src_ipaddr_masked) src,ipmask(24,64) - - # ACME - use_backend nginx if { path_beg /.well-known/acme-challenge } - - # deb.ooni.org - acl ACL_deb_ooni_org hdr(host) -i deb.ooni.org - use_backend deb_ooni_org if ACL_deb_ooni_org - - - -backend nginx - # Local Nginx is in front of the API and more. See diagram. 
- default-server check - option forwardfor - #option httpchk GET / - # forward to local nginx - server nginx localhost:17744 - - -backend lb_test_helpers - # Remote testn helpers - default-server check - option forwardfor - http-check send meth POST uri / hdr Content-Type application/json body "{}" - http-check send-state - http-check comment "TH POST with empty JSON" - - server th0 0.th.ooni.org:443 ssl verify none - server th1 1.th.ooni.org:443 ssl verify none - server th2 2.th.ooni.org:443 ssl verify none - server th3 3.th.ooni.org:443 ssl verify none - #option httpchk - - -backend deb_ooni_org - #default-server check - option forwardfor - server s3-ooni-deb ooni-deb.s3.eu-central-1.amazonaws.com ssl verify none -