Add haproxy and Prio

ansible/deploy-haproxy.yml

@@ -0,0 +1,6 @@
+---
+# See roles/haproxy/README.adoc
+- hosts: have_haproxy
+  roles:
+    - role: haproxy
+      tags: haproxy

ansible/deploy-prio.yml

@@ -0,0 +1,18 @@
+---
+# See roles/haproxy/README.adoc
+- hosts: have_prio
+  tasks:
+    - name: Add bintray pull-request repository
+      apt_repository:
+        repo: deb [trusted=yes] https://dl.bintray.com/ooni/internal-pull-requests unstable main
+        state: present
+        update_cache: yes
+
+    - name: install prio
+      tags: prio
+      apt:
+        pkg:
+          - prio
+        install_recommends: yes
+        state: latest
+        update_cache: yes

ansible/inventory

@@ -187,6 +187,19 @@ hkg-ps.ooni.nu
 ams-ps.ooni.nu
 ams-ps2.ooni.nu
 
+[have_haproxy]
+mia-ps2.ooni.nu
+#hkg-ps.ooni.nu    # unused
+ams-ps.ooni.nu
+ams-ps2.ooni.nu
+
+[have_prio]
+mia-ps2.ooni.nu
+#hkg-ps.ooni.nu    # unused
+ams-ps.ooni.nu
+ams-ps2.ooni.nu
+
+
 ########################################################################
 # TO DELETE.
 # Stopped VMs that should be deleted from GH and DNS after some grace period:

ansible/roles/haproxy/README.adoc

@@ -0,0 +1,12 @@
+
+HAproxy used for Orchestra / Prio
+
+The [] box is the PS host
+probe --> [ nginx:443 --test-list--> haproxy:9972 --> orchestra ]
+          [                                ⤷      --> prio      ]
+
+Currently used only for /api/v1/test-list/urls
+Monitor with:
+ssh <probe service> -L 9972:127.0.0.1:9972
+browse http://localhost:9972/haproxy?stats
+

ansible/roles/haproxy/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload haproxy
+  systemd:
+    name: haproxy
+    state: reloaded

ansible/roles/haproxy/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- name: install haproxy
+  tags: haproxy
+  apt:
+    pkg:
+      - haproxy
+      - hatop
+      - prometheus-haproxy-exporter
+    install_recommends: no
+    state: latest
+    update_cache: yes
+
+- name: Install haproxy dhparam file
+  # curl https://ssl-config.mozilla.org/ffdhe2048.txt > dhparam
+  template:
+    src: dhparam
+    dest: /etc/haproxy/dhparam
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Install haproxy config file
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload haproxy

ansible/roles/haproxy/templates/dhparam

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

ansible/roles/haproxy/templates/haproxy.cfg.j2

@@ -0,0 +1,67 @@
+#
+# Deployed on {{ ansible_hostname }} by ansible
+# See roles/haproxy/templates/haproxy.conf
+#
+
+global
+  log /dev/log  local0
+  log /dev/log  local1 notice
+  chroot /var/lib/haproxy
+  stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+  stats timeout 30s
+  user haproxy
+  group haproxy
+  daemon
+
+  # Default SSL material locations
+  ca-base /etc/ssl/certs
+  crt-base /etc/ssl/private
+
+  # intermediate configuration
+  # generated 2020-06-05, Mozilla Guideline v5.4, HAProxy 2.1, OpenSSL 1.1.1d, intermediate configuration
+  # https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.1d&guideline=5.4
+  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+  ssl-dh-param-file /etc/haproxy/dhparam
+
+
+defaults
+  log  global
+  mode  http
+  option  httplog
+  option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+  errorfile 400 /etc/haproxy/errors/400.http
+  errorfile 403 /etc/haproxy/errors/403.http
+  errorfile 408 /etc/haproxy/errors/408.http
+  errorfile 500 /etc/haproxy/errors/500.http
+  errorfile 502 /etc/haproxy/errors/502.http
+  errorfile 503 /etc/haproxy/errors/503.http
+  errorfile 504 /etc/haproxy/errors/504.http
+
+
+# See roles/haproxy/README.adoc
+
+frontend frontend_test_list_urls_forwarding
+  mode    http
+  bind    127.0.0.1:9972
+  #http-response set-header Strict-Transport-Security max-age=63072000
+  stats refresh 5s
+  stats uri /haproxy_stats
+  default_backend test_list_urls
+
+backend test_list_urls
+  balance roundrobin
+  # Check only on TCP level until /check or /health is implemented
+  #   option httpchk GET /check
+  #   http-check expect status 200
+  server orchestra::{{ ansible_hostname }} 127.0.0.1:{{ orchestrate_port }} check  weight 99
+  server prio::{{ ansible_hostname }} 127.0.0.1:8788 check  weight 1

ansible/roles/probe-services/tasks/main.yml

@@ -8,6 +8,7 @@
   - "blackhole_gateway is defined"
 
 - name: probe-services nginx config
+  tags: probe-service-nginx-conf
   template: src=probe-services-nginx dest=/etc/nginx/sites-enabled/probe-services
   notify: reload nginx
 

ansible/roles/probe-services/templates/probe-services-nginx

@@ -91,6 +91,21 @@ server {
         proxy_pass http://{{ registry_ipv4 }}:{{ registry_port }};
     }
 
+    # Prio / Orchestrate URL test list
+    # Forwarded to Haproxy on localhost - see roles/haproxy/README.adoc
+    # Should match:
+    # - /api/v1/test-list/urls
+    location /api/v1/test-list/urls {
+        proxy_http_version 1.1;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+
+        proxy_pass http://127.0.0.1:9972;
+    }
+
     # Orchestrate
     # Should match:
     # - /api/v1/test-list
@@ -104,6 +119,7 @@ server {
 
         proxy_pass http://{{ orchestrate_ipv4 }}:{{ orchestrate_port }};
     }
+
     # - /api/v1/admin/jobs
     location ~^/api/v1/admin/(jobs|job) {
         proxy_http_version 1.1;
@@ -141,5 +157,19 @@ server {
         return 200 "{{ probe_services_domain }}";
     }
 
+    # Haproxy on localhost dashboard - see roles/haproxy/README.adoc
+    # - /haproxy_stats
+    location /haproxy_stats {
+        proxy_http_version 1.1;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+
+        proxy_pass http://127.0.0.1:9972;
+    }
+
+
     {{ c.location_letsencrypt() }}
 }

ansible/templates/iptables.filter.part/amsmetadb.ooni.nu

@@ -4,6 +4,11 @@
 -A INPUT -s {{ lookup('dig', 'ams-api.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
 -A INPUT -s {{ lookup('dig', 'fastpath.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
 -A INPUT -s {{ lookup('dig', 'ams-jupyter.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
+# Incoming Prio traffic from probe services
+-A INPUT -s {{ lookup('dig', 'mia-ps2.ooni.nu') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
+-A INPUT -s {{ lookup('dig', 'hkg-ps.ooni.nu') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
+-A INPUT -s {{ lookup('dig', 'ams-ps.ooni.nu') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
+-A INPUT -s {{ lookup('dig', 'ams-ps2.ooni.nu') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT
 
 # allow openvpn connections
 -A INPUT -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }}/32 -p udp --dport 1194 -j ACCEPT