diff --git a/ansible/deploy-haproxy.yml b/ansible/deploy-haproxy.yml new file mode 100644 index 00000000..909a6290 --- /dev/null +++ b/ansible/deploy-haproxy.yml @@ -0,0 +1,6 @@ +--- +# See roles/haproxy/README.adoc +- hosts: have_haproxy + roles: + - role: haproxy + tags: haproxy diff --git a/ansible/deploy-prio.yml b/ansible/deploy-prio.yml new file mode 100644 index 00000000..fc3796c4 --- /dev/null +++ b/ansible/deploy-prio.yml @@ -0,0 +1,18 @@ +--- +# See roles/haproxy/README.adoc +- hosts: have_prio + tasks: + - name: Add bintray pull-request repository + apt_repository: + repo: deb [trusted=yes] https://dl.bintray.com/ooni/internal-pull-requests unstable main + state: present + update_cache: yes + + - name: install prio + tags: prio + apt: + pkg: + - prio + install_recommends: yes + state: latest + update_cache: yes diff --git a/ansible/inventory b/ansible/inventory index 7aa0e067..06415f01 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -187,6 +187,19 @@ hkg-ps.ooni.nu ams-ps.ooni.nu ams-ps2.ooni.nu +[have_haproxy] +mia-ps2.ooni.nu +#hkg-ps.ooni.nu # unused +ams-ps.ooni.nu +ams-ps2.ooni.nu + +[have_prio] +mia-ps2.ooni.nu +#hkg-ps.ooni.nu # unused +ams-ps.ooni.nu +ams-ps2.ooni.nu + + ######################################################################## # TO DELETE. # Stopped VMs that should be deleted from GH and DNS after some grace period: diff --git a/ansible/roles/haproxy/README.adoc b/ansible/roles/haproxy/README.adoc new file mode 100644 index 00000000..ef1d93f1 --- /dev/null +++ b/ansible/roles/haproxy/README.adoc @@ -0,0 +1,12 @@ + +HAproxy used for Orchestra / Prio + +The [] box is the PS host +probe --> [ nginx:443 --test-list--> haproxy:9972 --> orchestra ] + [ ⤷ --> prio ] + +Currently used only for /api/v1/test-list/urls +Monitor with: +ssh -L 9972:127.0.0.1:9972 +browse http://localhost:9972/haproxy?stats + diff --git a/ansible/roles/haproxy/handlers/main.yml b/ansible/roles/haproxy/handlers/main.yml new file mode 100644 index 00000000..5bddcdaf --- /dev/null +++ b/ansible/roles/haproxy/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload haproxy + systemd: + name: haproxy + state: reloaded diff --git a/ansible/roles/haproxy/tasks/main.yml b/ansible/roles/haproxy/tasks/main.yml new file mode 100644 index 00000000..a8efe6b6 --- /dev/null +++ b/ansible/roles/haproxy/tasks/main.yml @@ -0,0 +1,29 @@ +--- +- name: install haproxy + tags: haproxy + apt: + pkg: + - haproxy + - hatop + - prometheus-haproxy-exporter + install_recommends: no + state: latest + update_cache: yes + +- name: Install haproxy dhparam file + # curl https://ssl-config.mozilla.org/ffdhe2048.txt > dhparam + template: + src: dhparam + dest: /etc/haproxy/dhparam + owner: root + group: root + mode: 0644 + +- name: Install haproxy config file + template: + src: haproxy.cfg.j2 + dest: /etc/haproxy/haproxy.cfg + owner: root + group: root + mode: 0644 + notify: reload haproxy diff --git a/ansible/roles/haproxy/templates/dhparam b/ansible/roles/haproxy/templates/dhparam new file mode 100644 index 00000000..088f9673 --- /dev/null +++ b/ansible/roles/haproxy/templates/dhparam @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/ansible/roles/haproxy/templates/haproxy.cfg.j2 b/ansible/roles/haproxy/templates/haproxy.cfg.j2 new file mode 100644 index 00000000..c57817cb --- /dev/null +++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2 @@ -0,0 +1,67 @@ +# +# Deployed on {{ ansible_hostname }} by ansible +# See roles/haproxy/templates/haproxy.conf +# + +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + stats timeout 30s + user haproxy + group haproxy + daemon + + # Default SSL material locations + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # intermediate configuration + # generated 2020-06-05, Mozilla Guideline v5.4, HAProxy 2.1, OpenSSL 1.1.1d, intermediate configuration + # https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.1d&guideline=5.4 + ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + + ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + + ssl-dh-param-file /etc/haproxy/dhparam + + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + + +# See roles/haproxy/README.adoc + +frontend frontend_test_list_urls_forwarding + mode http + bind 127.0.0.1:9972 + #http-response set-header Strict-Transport-Security max-age=63072000 + stats refresh 5s + stats uri /haproxy_stats + default_backend test_list_urls + +backend test_list_urls + balance roundrobin + # Check only on TCP level until /check or /health is implemented + # option httpchk GET /check + # http-check expect status 200 + server orchestra::{{ ansible_hostname }} 127.0.0.1:{{ orchestrate_port }} check weight 99 + server prio::{{ ansible_hostname }} 127.0.0.1:8788 check weight 1 diff --git a/ansible/roles/probe-services/tasks/main.yml b/ansible/roles/probe-services/tasks/main.yml index a7c0845e..bc3f6106 100644 --- a/ansible/roles/probe-services/tasks/main.yml +++ b/ansible/roles/probe-services/tasks/main.yml @@ -8,6 +8,7 @@ - "blackhole_gateway is defined" - name: probe-services nginx config + tags: probe-service-nginx-conf template: src=probe-services-nginx dest=/etc/nginx/sites-enabled/probe-services notify: reload nginx diff --git a/ansible/roles/probe-services/templates/probe-services-nginx b/ansible/roles/probe-services/templates/probe-services-nginx index 52fcaf6d..5e9b7114 100644 --- a/ansible/roles/probe-services/templates/probe-services-nginx +++ b/ansible/roles/probe-services/templates/probe-services-nginx @@ -91,6 +91,21 @@ server { proxy_pass http://{{ registry_ipv4 }}:{{ registry_port }}; } + # Prio / Orchestrate URL test list + # Forwarded to Haproxy on localhost - see roles/haproxy/README.adoc + # Should match: + # - /api/v1/test-list/urls + location /api/v1/test-list/urls { + proxy_http_version 1.1; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 900; + + proxy_pass http://127.0.0.1:9972; + } + # Orchestrate # Should match: # - /api/v1/test-list @@ -104,6 +119,7 @@ server { proxy_pass http://{{ orchestrate_ipv4 }}:{{ orchestrate_port }}; } + # - /api/v1/admin/jobs location ~^/api/v1/admin/(jobs|job) { proxy_http_version 1.1; @@ -141,5 +157,19 @@ server { return 200 "{{ probe_services_domain }}"; } + # Haproxy on localhost dashboard - see roles/haproxy/README.adoc + # - /haproxy_stats + location /haproxy_stats { + proxy_http_version 1.1; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 900; + + proxy_pass http://127.0.0.1:9972; + } + + {{ c.location_letsencrypt() }} } diff --git a/ansible/templates/iptables.filter.part/amsmetadb.ooni.nu b/ansible/templates/iptables.filter.part/amsmetadb.ooni.nu index 52e23f0f..bc43971c 100644 --- a/ansible/templates/iptables.filter.part/amsmetadb.ooni.nu +++ b/ansible/templates/iptables.filter.part/amsmetadb.ooni.nu @@ -4,6 +4,11 @@ -A INPUT -s {{ lookup('dig', 'ams-api.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT -A INPUT -s {{ lookup('dig', 'fastpath.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT -A INPUT -s {{ lookup('dig', 'ams-jupyter.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT +# Incoming Prio traffic from probe services +-A INPUT -s {{ lookup('dig', 'mia-ps2.ooni.nu') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT +-A INPUT -s {{ lookup('dig', 'hkg-ps.ooni.nu') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT +-A INPUT -s {{ lookup('dig', 'ams-ps.ooni.nu') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT +-A INPUT -s {{ lookup('dig', 'ams-ps2.ooni.nu') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT # allow openvpn connections -A INPUT -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }}/32 -p udp --dport 1194 -j ACCEPT