From 8f55d5d825d94f8bb23c8268bbd37985a22bb921 Mon Sep 17 00:00:00 2001
From: decfox
Date: Sat, 7 Dec 2024 17:18:45 -0500
Subject: [PATCH] refactor: remove hostname based if blocks
---
ansible/deploy-ooni-backend.yml | 39 ++++
ansible/roles/ooni-backend/defaults/main.yml | 11 ++
ansible/roles/ooni-backend/tasks/main.yml | 167 ++---------------
ansible/roles/ooni-backend/templates/444.nft | 2 -
.../templates/deb_ooni_org.nginx.conf | 14 +-
.../templates/nginx-api-test.conf | 149 ----------------
.../{nginx-api-fsn.conf => nginx-api.conf} | 36 ++--
7 files changed, 95 insertions(+), 323 deletions(-)
create mode 100644 ansible/roles/ooni-backend/defaults/main.yml
delete mode 100644 ansible/roles/ooni-backend/templates/444.nft
delete mode 100644 ansible/roles/ooni-backend/templates/nginx-api-test.conf
rename ansible/roles/ooni-backend/templates/{nginx-api-fsn.conf => nginx-api.conf} (91%)
diff --git a/ansible/deploy-ooni-backend.yml b/ansible/deploy-ooni-backend.yml
index 24c70aa..0529e8d 100644
--- a/ansible/deploy-ooni-backend.yml
+++ b/ansible/deploy-ooni-backend.yml
@@ -19,3 +19,42 @@
 - role: ooni-backend
 vars:
 ssl_domain: backend-hel.ooni.org
+ collector_id: 2
+ clickhouse_url: "" # fetch from aws secrets
+ bucket_name: ooni-data-eu-fra-test
+ collectors:
+ - "backend-hel.ooni.org"
+ fastpath_version: 0.86~pr831-395
+ analysis_version: 1.12~pr836-413
+ deb_bucket_name: ooni-internal-deb
+ deb_server_name: deb-cli.ooni.org
+
+# - hosts: backend-fsn.ooni.org
+ # roles:
+ # - role: bootstrap
+ # - role: base-backend
+ # - role: nftables
+ # - role: nginx
+ # tags: nginx
+ # vars:
+ # nginx_user: "www-data"
+ # - role: dehydrated
+ # tags: dehydrated
+ # expand: yes
+ # vars:
+ # ssl_domains:
+ # # with dehydrated the first entry is the cert FQDN
+ # # and the other ones are alternative names
+ # - "backend-hel.ooni.org"
+ # - role: ooni-backend
+ # vars:
+ # ssl_domain: backend-fsn.ooni.org
+ # collector_id: 1
+ # clickhouse_url: "" # fetch from aws secrets
+ # bucket_name: ooni-data-eu-fra
+ # collectors:
+ # - "backend-fsn.ooni.org"
+ # fastpath_version: 0.86~pr831-395
+ # analysis_version: 1.12~pr836-413
+ # deb_bucket_name: ooni.deb
+ # deb_server_name: deb.ooni.org
diff --git a/ansible/roles/ooni-backend/defaults/main.yml b/ansible/roles/ooni-backend/defaults/main.yml
new file mode 100644
index 0000000..8413d7e
--- /dev/null
+++ b/ansible/roles/ooni-backend/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+ssl_domain: backend-hel.ooni.org
+collector_id: 2
+clickhouse_url: "" # fetch from aws secrets
+bucket_name: ooni-data-eu-fra-test
+collectors:
+ - "backend-hel.ooni.org"
+fastpath_version: 0.86~pr831-395
+analysis_version: 1.12~pr836-413
+deb_bucket_name: ooni-internal-deb
+deb_server_name: deb-ci.ooni.org
\ No newline at end of file
diff --git a/ansible/roles/ooni-backend/tasks/main.yml b/ansible/roles/ooni-backend/tasks/main.yml
index 42da375..987eecf 100644
--- a/ansible/roles/ooni-backend/tasks/main.yml
+++ b/ansible/roles/ooni-backend/tasks/main.yml
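Review bot: The play sets `deb_server_name: deb-cli.ooni.org` while the new role default in the next hunk and the blockinfile task deleted from tasks/main.yml both use `deb-ci.ooni.org`; play vars override role defaults, so the `server_name` rendered on backend-hel becomes `deb-cli.ooni.org`, which looks like a typo — `deb_server_name: deb-ci.ooni.org`. Both the play and the defaults leave `clickhouse_url: ""` with only a comment saying it should come from AWS secrets, and nothing in this diff fetches it, so the empty string is what reaches the fastpath.conf template later in the series. The new defaults file also lacks a trailing newline.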
@@ -16,8 +16,7 @@
 path: /var/cache/nginx/ooni-api
 state: directory
 
-- name: configure test api
- when: inventory_hostname == 'backend-hel.ooni.org'
+- name: configure api
 tags: api
 template:
 src: api.conf
@@ -26,10 +25,10 @@
 group: ooniapi
 mode: 0640
 vars:
- collectors: ['backend-hel.ooni.org']
+ collectors: {{ collectors }}
 # bucket_name and collector_id must match the uploader
- collector_id: 2
- bucket_name: ooni-data-eu-fra-test
+ collector_id: {{ collector_id }}
+ bucket_name: {{ bucket_name }}
 github_push_repo: "ooni-bot/test-lists"
 github_origin_repo: "ooni/test-lists"
 login_base_url: "https://test-lists.test.ooni.org/login"
@@ -38,27 +37,6 @@
 # mail_smtp_password: "DISABLED"
 # jwt_encryption_key and account_id_hashing_key are taken from the vault
 
-- name: configure backend-fsn api
- when: inventory_hostname == 'backend-fsn.ooni.org'
- tags: api
- template:
- src: api.conf
- dest: /etc/ooni/api.conf
- owner: ooniapi
- group: ooniapi
- mode: 0640
- vars:
- collectors: ['backend-fsn.ooni.org']
- # bucket_name and collector_id must match the uploader
- collector_id: 1
- bucket_name: ooni-data-eu-fra
- github_push_repo: "ooni/test-lists"
- github_origin_repo: "citizenlab/test-lists"
- login_base_url: "https://test-lists.ooni.org/login"
- pg_uri: ""
- clickhouse_url: clickhouse://api:api@localhost/default
- base_url: "https://api.ooni.io"
-
 - name: create Psiphon conffile
 tags: api
 copy:
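Review bot: `collectors: {{ collectors }}`, `collector_id: {{ collector_id }}` and `bucket_name: {{ bucket_name }}` under the task's `vars:` are unquoted, so YAML reads `{{ … }}` as a flow mapping and the play fails to load; the same pattern appears in the api-uploader task, the fastpath task and the DB backup task later in this file. Quoting them (`collectors: "{{ collectors }}"`) fixes the parse, but a task var defined in terms of a variable of the same name then makes Ansible report a recursive loop while templating, because the task-level value shadows the play/default one. The simplest fix is to delete these three task-level entries, keep the comment, and let api.conf pick `collectors`, `collector_id` and `bucket_name` up from the play vars / role defaults; only `public_bucket_name: {{ bucket_name }}` in the DB backup task, where the names differ, needs just the quotes.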
@@ -71,35 +49,22 @@
 src: tor_targets.json
 dest: /etc/ooni/tor_targets.json
 
-- name: configure api uploader using test bucket
- when: inventory_hostname == 'backend-hel.ooni.org'
- tags: api
- template:
- src: templates/api-uploader.conf
- dest: /etc/ooni/api-uploader.conf
- vars:
- # bucket_name and collector_id must match the API
- bucket_name: ooni-data-eu-fra-test
- collector_id: 2
-
-- name: configure FSN api uploader using PROD bucket
- when: inventory_hostname == 'backend-fsn.ooni.org'
+- name: configure api uploader using s3 bucket
 tags: api
 template:
 src: templates/api-uploader.conf
 dest: /etc/ooni/api-uploader.conf
 vars:
 # bucket_name and collector_id must match the API
- bucket_name: ooni-data-eu-fra
- collector_id: 1
+ bucket_name: {{ bucket_name }}
+ collector_id: {{ collector_id }}
 
-## Haproxy and nginx ##
+## nginx ##
 
-- name: Overwrite API nginx test conf
- when: inventory_hostname == 'backend-hel.ooni.org'
+- name: Overwrite API nginx conf
 tags: api, webserv
 template:
- src: templates/nginx-api-test.conf
+ src: templates/nginx-api.conf
 dest: /etc/nginx/sites-available/ooni-api.conf
 mode: 0755
 owner: root
@@ -107,26 +72,6 @@
 # Uses dehydrated
 certpath: /var/lib/dehydrated/certs/
 
-- name: install haproxy if not present
- when: inventory_hostname in ('backend-hel.ooni.org')
- tags: webserv
- apt:
- cache_valid_time: 86400
- name: haproxy
- state: present
-
-- name: Deploy haproxy conf
- when: inventory_hostname in ('backend-hel.ooni.org')
- tags: api, webserv
- template:
- src: templates/haproxy.cfg
- dest: /etc/haproxy/haproxy.cfg
- mode: 0755
- owner: root
- vars:
- # Uses dehydrated
- certpath: /var/lib/dehydrated/certs/
-
 - name: Delete old files
 when: inventory_hostname in ('backend-hel.ooni.org')
 tags: api, webserv
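Review bot: Deleting the `install haproxy` and `Deploy haproxy conf` tasks does not remove haproxy from backend-hel, where the deleted task installed it and the deleted hook and `Restart haproxy` tasks suggest it was terminating TLS in front of nginx; if it is still running and bound to :443 there, the nginx-api.conf that this role now deploys on that host cannot bind and the reload/restart tasks will fail. A decommission step in this role, e.g. `apt: name: haproxy state: absent` with the service stopped first, or an explicit statement in the commit that the host was cleaned up by hand, would make the refactor safe to run. The `Delete old files` task that follows still carries `when: inventory_hostname in ('backend-hel.ooni.org')`, which is exactly the kind of check the title says is being removed; its body continues outside the hunk.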
@@ -156,27 +101,6 @@
 mode: 0755
 owner: root
 
-- name: Deploy dehydrated haproxy hook
- when: inventory_hostname in ('backend-hel.ooni.org')
- tags: api, webserv
- template:
- src: templates/dehydrated_haproxy_hook.sh
- dest: /etc/dehydrated/haproxy_hook.sh
- mode: 0755
- owner: root
-
-- name: Overwrite API nginx FSN conf
- when: inventory_hostname == 'backend-fsn.ooni.org'
- tags: api, webserv
- template:
- src: templates/nginx-api-fsn.conf
- dest: /etc/nginx/sites-available/ooni-api.conf
- mode: 0755
- owner: root
- vars:
- # Uses dehydrated
- certpath: /var/lib/dehydrated/certs/
-
 - name: Deploy API gunicorn conf
 tags: api
 template:
@@ -193,30 +117,13 @@
 dest=/etc/nginx/sites-enabled/ooni-api.conf
 state=link
 
-- name: Configure deb.ooni.org forwarder on FSN host
- when: inventory_hostname in ('backend-fsn.ooni.org', )
+- name: Configure deb forwarder
 tags: deb_ooni_org
 # Uses dehydrated
 template:
 src: deb_ooni_org.nginx.conf
 dest: /etc/nginx/sites-enabled/deb_ooni_org
 
-- name: Configure deb-ci.ooni.org forwarder on test host
- when: inventory_hostname == 'backend-hel.ooni.org'
- tags: deb_ooni_org
- blockinfile:
- path: /etc/nginx/sites-enabled/deb_ooni_org_http
- create: yes
- block: |
- # Managed by ansible, see roles/ooni-backend/tasks/main.yml
- server {
- listen 80;
- server_name deb-ci.ooni.org;
- location / {
- proxy_pass https://ooni-internal-deb.s3.eu-central-1.amazonaws.com/;
- }
- }
-
 - name: create badges dir
 tags: api
 file:
@@ -224,7 +131,6 @@
 state: directory
 
 - name: Safely reload Nginx
- # TODO remove restart after transition to haproxy
 tags: api, deb_ooni_org, webserv
 shell: nginx -t && systemctl reload nginx
 
@@ -232,12 +138,6 @@
 tags: webserv
 shell: nginx -t && systemctl restart nginx
 
-- name: Restart haproxy
- # reload is not enough
- when: inventory_hostname in ('backend-hel.ooni.org')
- tags: api, deb_ooni_org, webserv
- shell: systemctl restart haproxy
-
 - name: allow incoming TCP connections to API
 tags: api
 blockinfile:
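Review bot: `Configure deb forwarder` now runs on every host, but nothing removes `/etc/nginx/sites-enabled/deb_ooni_org_http`, which the deleted blockinfile task created on backend-hel; that file keeps a second `listen 80; server_name deb-ci.ooni.org;` server next to the one rendered from deb_ooni_org.nginx.conf, and nginx only warns about the duplicate name and silently keeps one of them. Add a cleanup task tagged deb_ooni_org before the reload, e.g. `file: path: /etc/nginx/sites-enabled/deb_ooni_org_http state: absent`. The same applies to the haproxy files removed in the earlier hunks of this file.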
@@ -246,12 +146,6 @@
 block: |
 add rule inet filter input tcp dport 443 counter accept comment "incoming HTTPS"
 
-- name: allow incoming TCP connections to haproxy metrics
- tags: webserv
- template:
- src: 444.nft
- dest: /etc/ooni/nftables/tcp/444.nft
-
 - name: reload nftables service
 tags: api, webserv
 shell: systemctl reload nftables.service
@@ -259,28 +153,13 @@
 ## Fastpath ##
 
 - name: install fastpath if not present
- # do not update package if present
- when: inventory_hostname != 'backend-fsn.ooni.org'
 tags: fastpath
 apt:
 cache_valid_time: 86400
- name: fastpath
+ name: "fastpath={{ fastpath_version }}"
 state: present
 
 - name: configure fastpath on test
- when: inventory_hostname == 'backend-hel.ooni.org'
- tags: fastpath
- template:
- src: fastpath.conf
- dest: /etc/ooni/fastpath.conf
- owner: fastpath
- group: fastpath
- mode: 0640
- vars:
- clickhouse_url: clickhouse://fastpath:fastpath@localhost/default
-
-- name: configure fastpath on FSN
- when: inventory_hostname == 'backend-fsn.ooni.org'
 tags: fastpath
 template:
 src: fastpath.conf
@@ -289,17 +168,16 @@
 group: fastpath
 mode: 0640
 vars:
- clickhouse_url: clickhouse://fastpath:fastpath@localhost/default
+ clickhouse_url: {{ clickhouse_url }}
 
 ## Analysis daemon ##
 
 - name: install analysis
 # do not update package if present
- when: inventory_hostname != 'backend-fsn.ooni.org'
 tags: analysis
 apt:
 cache_valid_time: 86400
- name: analysis=1.4~pr408-209
+ name: "analysis={{ analysis_version }}"
 force: True
 state: present
 
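Review bot: Dropping the `allow incoming TCP connections to haproxy metrics` task deletes the template but not `/etc/ooni/nftables/tcp/444.nft` already deployed on the host, so the accept rule for port 444 survives `systemctl reload nftables.service` unless the nftables role purges files it no longer manages, which this diff does not show. A `file: path: /etc/ooni/nftables/tcp/444.nft state: absent` task tagged webserv, placed before the reload, closes the port explicitly instead of leaving it to chance.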
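Review bot: `name: "fastpath={{ fastpath_version }}"` pins a version with `state: present` but, unlike the `install analysis` task a few lines down, without `force: True`, so on a host that already has a newer fastpath installed apt may refuse the downgrade and the task fails; add the same flag or document that the pin is only ever expected to move forward. The comment `# do not update package if present` was dropped here but kept on the analysis task even though both tasks now behave the same way, and the surviving task name `configure fastpath on test` no longer describes a task that runs on every host — `- name: configure fastpath`.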
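Review bot: `clickhouse_url: {{ clickhouse_url }}` replaces the literal `clickhouse://fastpath:fastpath@localhost/default` that both removed tasks used, yet every definition of `clickhouse_url` in this diff (play vars and role defaults) is `""`, so fastpath.conf is rendered with an empty URL on the next run. Besides the unquoted-Jinja and self-reference problem raised on the api.conf hunk, the variable needs a real value before this is deployed; since the task-level `vars:` entry adds nothing, drop it and set `clickhouse_url` once at play level from the secret store the comment refers to, keeping the credential out of the committed playbook.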
@@ -308,24 +186,15 @@
 template:
 src: analysis.conf
 dest: /etc/ooni/analysis.conf
 
- # Managed by ansible, see roles/ooni-backend/tasks/main.yml
-- name: Run DB backup on backend-hel
- when: inventory_hostname == 'backend-hel.ooni.org'
- tags: dbbackup
- template:
- src: db-backup.conf
- dest: /etc/ooni/db-backup.conf
- mode: 0600
- vars:
- public_bucket_name: ooni-data-eu-fra-test
+## DB backup ##
 
-- name: Run DB backup on FSN
- when: inventory_hostname == 'backend-fsn.ooni.org'
+- name: Run DB backup
+ when: inventory_hostname == 'backend-hel.ooni.org'
 tags: dbbackup
 template:
 src: db-backup.conf
 dest: /etc/ooni/db-backup.conf
 mode: 0600
 vars:
- public_bucket_name: ooni-data-eu-fra
+ public_bucket_name: {{ bucket_name }}
diff --git a/ansible/roles/ooni-backend/templates/444.nft b/ansible/roles/ooni-backend/templates/444.nft
deleted file mode 100644
index 03f5106..0000000
--- a/ansible/roles/ooni-backend/templates/444.nft
+++ /dev/null
@@ -1,2 +0,0 @@
-# roles/ooni-backend/templates/444.nft
-add rule inet filter input tcp dport 444 counter accept comment "incoming haproxy metrics"
diff --git a/ansible/roles/ooni-backend/templates/deb_ooni_org.nginx.conf b/ansible/roles/ooni-backend/templates/deb_ooni_org.nginx.conf
index c069fd5..d3da8db 100644
--- a/ansible/roles/ooni-backend/templates/deb_ooni_org.nginx.conf
+++ b/ansible/roles/ooni-backend/templates/deb_ooni_org.nginx.conf
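Review bot: The merged `Run DB backup` task re-introduces `when: inventory_hostname == 'backend-hel.ooni.org'`, so the backup that the deleted `Run DB backup on FSN` task configured for the production host is no longer deployed anywhere, and the gate is still hostname-based despite the commit title. If backups belong on both hosts, drop the `when:`; otherwise gate on a per-play variable, e.g. `when: db_backup_enabled | default(false)` (name constructed), so the decision lives next to the other per-host values in deploy-ooni-backend.yml. `public_bucket_name: {{ bucket_name }}` also needs quotes, as noted on the api.conf hunk.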
@@ -8,13 +8,13 @@ map $remote_addr $remote_addr_anon { } # log anonymized ipaddr -log_format deb_ooni_org_logfmt '$remote_addr_anon [$time_local] ' +log_format deb_logfmt '$remote_addr_anon [$time_local] ' '"$request" $status snt:$body_bytes_sent rt:$request_time uprt:$upstream_response_time "$http_referer" "$http_user_agent"'; server { listen 80; - server_name deb.ooni.org; - access_log syslog:server=unix:/dev/log,severity=info deb_ooni_org_logfmt; + server_name {{ deb_server_name }}; + access_log syslog:server=unix:/dev/log,severity=info deb_logfmt; error_log syslog:server=unix:/dev/log,severity=info; gzip on; resolver 127.0.0.1; @@ -23,15 +23,15 @@ server { alias /var/lib/dehydrated/acme-challenges; } location / { - proxy_pass https://ooni-deb.s3.eu-central-1.amazonaws.com/; + proxy_pass https://{{ deb_bucket_name }}.s3.eu-central-1.amazonaws.com/; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name deb.ooni.org; - access_log syslog:server=unix:/dev/log,severity=info deb_ooni_org_logfmt; + server_name {{ deb_server_name }}; + access_log syslog:server=unix:/dev/log,severity=info deb_logfmt; error_log syslog:server=unix:/dev/log,severity=info; gzip on; ssl_certificate /var/lib/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem; @@ -59,6 +59,6 @@ server { resolver 127.0.0.1; location / { - proxy_pass https://ooni-deb.s3.eu-central-1.amazonaws.com/; + proxy_pass https://{{ deb_bucket_name }}.s3.eu-central-1.amazonaws.com/; } } diff --git a/ansible/roles/ooni-backend/templates/nginx-api-test.conf b/ansible/roles/ooni-backend/templates/nginx-api-test.conf deleted file mode 100644 index a022f7c..0000000 --- a/ansible/roles/ooni-backend/templates/nginx-api-test.conf +++ /dev/null 
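Review bot: The 443 server block now answers for `server_name {{ deb_server_name }}` but still loads `ssl_certificate /var/lib/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem`; on backend-hel, where the deleted task only served deb-ci.ooni.org over plain HTTP on port 80, this presents the host's certificate for a name it was not necessarily issued for, and clients will see a name mismatch unless `deb_server_name` is among that host's dehydrated `ssl_domains`, which this diff does not show. Either add it there and say so in the commit, or make the TLS server block conditional on the certificate covering the name. The `log_format` rename from `deb_ooni_org_logfmt` to `deb_logfmt` is consistent in all three places, but the 80 and 443 blocks now duplicate `{{ deb_bucket_name }}` and `{{ deb_server_name }}`; a short comment at the top naming the two variables this template expects would help the next reader.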
@@ -1,149 +0,0 @@ -# Managed by ansible -# roles/ooni-backend/templates/nginx-api-test.conf - -# Use 2-level cache, 20MB of RAM + 5GB on disk, -proxy_cache_path /var/cache/nginx/ooni-api levels=1:2 keys_zone=apicache:100M - max_size=5g inactive=24h use_temp_path=off; - -# anonymize ipaddr -map $remote_addr $remote_addr_anon { - ~(?P\d+\.\d+\.\d+)\. $ip.0; - ~(?P[^:]+:[^:]+): $ip::; - default 0.0.0.0; -} - -# anonymize forwarded ipaddr -map $http_x_forwarded_for $remote_fwd_anon { - ~(?P\d+\.\d+\.\d+)\. $ip.0; - ~(?P[^:]+:[^:]+): $ip::; - default 0.0.0.0; -} - - -# log anonymized ipaddr and caching status -log_format ooni_api_fmt '$remote_addr_anon $remote_fwd_anon $upstream_cache_status [$time_local] ' - '"$request" $status snt:$body_bytes_sent rt:$request_time uprt:$upstream_response_time "$http_referer" "$http_user_agent"'; - -server { - # TODO(bassosimone): we need support for cleartext HTTP to make sure that requests - # over Tor correctly land to the proper backend. We are listening on this custom port - # and we are configuring Tor such that it routes traffic to this port. 
- listen 127.0.0.1:17744; - server_name _; - access_log syslog:server=unix:/dev/log,tag=ooniapi,severity=info ooni_api_fmt; - error_log syslog:server=unix:/dev/log,tag=ooniapi,severity=info; - gzip on; - gzip_types text/plain application/xml application/json; - - # TODO: we could use different client_max_body_size and SSL configurations for probe service paths - # and everyhing else - client_max_body_size 200M; # for measurement POST - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options DENY always; - add_header X-Content-Type-Options nosniff always; - - # use systemd-resolved - resolver 127.0.0.53; - - # Selectively route test-list/urls to the API - location ~^/api/v1/test-list/urls { - proxy_pass http://127.0.0.1:8000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_cache apicache; - proxy_cache_min_uses 1; - proxy_cache_lock on; - proxy_cache_lock_timeout 30; - proxy_cache_lock_age 30; - proxy_cache_use_stale error timeout invalid_header updating; - proxy_cache_methods HEAD GET; - # Cache only 200, 301, and 302 by default and for very short. 
- # Overridden by the API using the Expires header - proxy_cache_valid 200 301 302 10s; - proxy_cache_valid any 0; - add_header x-cache-status $upstream_cache_status; - add_header X-Cache-Status $upstream_cache_status; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options DENY always; - add_header X-Content-Type-Options nosniff always; - } - - location /whoami { - return 200 "{{ inventory_hostname }}"; - } - - # Serve ACME challenge from disk - location ^~ /.well-known/acme-challenge { - alias /var/lib/dehydrated/acme-challenges; - } - - # 2022-09-01 20:08 CEST temporarily block a bot scraping /files/download/* - location ~^/files/download/ { - return 301 https://explorer.ooni.org/; - } - - # new API - location / { - - # Protect /apidocs invoked with url= and/or urls= args - if ($uri ~ "^/apidocs") { set $block_apidocs X; } - if ($args ~ "url=" ) { set $block_apidocs "${block_apidocs}Y"; } - if ($args ~ "urls=" ) { set $block_apidocs "${block_apidocs}Y"; } - if ($block_apidocs ~ "XY") { return 403; } # nested "if" are not supported - - deny 216.244.66.0/24; # DotBot/1.2 - deny 114.119.128.0/19; # PetalBot - allow all; - proxy_pass http://127.0.0.1:8000; - proxy_set_header Host $host; - - set $external_remote_addr $remote_addr; - proxy_set_header X-Real-IP $external_remote_addr; - - proxy_cache apicache; - proxy_cache_min_uses 1; - proxy_cache_lock on; - proxy_cache_lock_timeout 30; - proxy_cache_lock_age 30; - proxy_cache_use_stale error timeout invalid_header updating; - proxy_cache_methods HEAD GET; - # Cache only 200, 301, and 302 by default and for very short. 
- # Overridden by the API using the Expires header - proxy_cache_valid 200 301 302 10s; - proxy_cache_valid any 0; - add_header x-cache-status $upstream_cache_status; - add_header X-Cache-Status $upstream_cache_status; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options DENY always; - add_header X-Content-Type-Options nosniff always; - } - - # Expose the measurement spool directory - location /measurement_spool/ { - alias /var/lib/ooniapi/measurements/incoming/; - autoindex off; - sendfile on; - tcp_nopush on; - if_modified_since off; - expires off; - etag off; - } -} - -server { - # Forward deb.ooni.org to S3 - listen 17744; - server_name deb.ooni.org; - access_log syslog:server=unix:/dev/log,severity=info ooni_api_fmt; - error_log syslog:server=unix:/dev/log,severity=info; - gzip on; - resolver 127.0.0.53; - # Serve ACME challenge from disk - location ^~ /.well-known/acme-challenge { - alias /var/lib/dehydrated/acme-challenges; - } - location / { - proxy_pass https://ooni-deb.s3.eu-central-1.amazonaws.com/; - } -} diff --git a/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf b/ansible/roles/ooni-backend/templates/nginx-api.conf similarity index 91% rename from ansible/roles/ooni-backend/templates/nginx-api-fsn.conf rename to ansible/roles/ooni-backend/templates/nginx-api.conf index 1b8d300..6e43374 100644 --- a/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf +++ b/ansible/roles/ooni-backend/templates/nginx-api.conf @@ -1,5 +1,5 @@ # Managed by ansible -# roles/ooni-backend/templates/nginx-api-fsn.conf +# roles/ooni-backend/templates/nginx-api.conf # Use 2-level cache, 20MB of RAM + 5GB on disk, proxy_cache_path /var/cache/nginx/ooni-api levels=1:2 keys_zone=apicache:100M 
@@ -67,8 +67,6 @@ server { # verify chain of trust of OCSP response using Root CA and Intermediate certs #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; - resolver 127.0.0.1; - # Registry # Should match: # - /api/v1/login @@ -136,24 +134,30 @@ server { # TODO We should check if clients will respect a suffix added to by the # bouncer in the returned field, otherwise new clients should use another # form - location ~^/web-connectivity/(status) { - proxy_http_version 1.1; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 900; - - proxy_pass https://wcth.ooni.io; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options DENY always; - add_header X-Content-Type-Options nosniff always; - } + # NOTE: we killed wcth.ooni.io so this return nothing essentially + # location ~^/web-connectivity/(status) { + # proxy_http_version 1.1; + # proxy_set_header Host $http_host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto $scheme; + # proxy_read_timeout 900; + + # proxy_pass https://wcth.ooni.io; + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + # add_header X-Frame-Options DENY always; + # add_header X-Content-Type-Options nosniff always; + # } location /whoami { return 200 "{{ inventory_hostname }}"; } + # Serve ACME challenge from disk + location ^~ /.well-known/acme-challenge { + alias /var/lib/dehydrated/acme-challenges; + } + location /metrics { return 200 ''; }
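Review bot: Removing `resolver 127.0.0.1;` from the server block is only safe if nothing left in this file resolves names at runtime — `proxy_pass` targets written with variables, or OCSP stapling, which the `#ssl_trusted_certificate` comment two lines above hints was considered; a missing resolver typically surfaces as a request-time error rather than in `nginx -t`, so the reload task will not catch it. The deleted nginx-api-test.conf used `resolver 127.0.0.53;` for the test host, which suggests the two hosts differ here; if a resolver is needed at all, a templated value would fit the refactor better than dropping the directive. The server block continues outside the hunk.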
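Review bot: The `location ~^/web-connectivity/(status)` block is commented out rather than deleted; git history already preserves it, and a thirteen-line dead block inside the server context only makes the file harder to read. With the location gone, `/web-connectivity/status` falls through to whichever other location matches — presumably the catch-all that proxies to the API — so the `# NOTE` should say what response clients now get, or an explicit `location ~^/web-connectivity/(status) { return 410; }` would make the retirement deliberate rather than accidental. The server block continues outside the hunk.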