Puppet configuration and associated nginx files for lb0.zulip.net.

lb0.zulip.net will proxy connections to the relevant backend servers. Depressingly, SSL certificate verification of the backend servers is not performed at this time, see: <http://trac.nginx.org/nginx/ticket/13> The above-mentioned bug has existed since 2011, but a CVE was not allocated until January. The nginx developers don't seem to care. Sigh. In any case, this is of somewhat limited impact at Humbug, since we can have reasonable confidence that communications within AWS are not subject to active MITMs. Passive MITM is not a concern, because the traffic *is* in fact encrypted. (imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2)
2013-07-13 23:58:46 -04:00 · 2013-07-13 23:58:46 -04:00 · 44b49b3bf8
parent ebde5ab341
commit 44b49b3bf8
5 changed files with 124 additions and 21 deletions
--- a/servers/puppet/modules/humbug/files/nginx/humbug-include/loadbalancer
+++ b/servers/puppet/modules/humbug/files/nginx/humbug-include/loadbalancer
@ -0,0 +1,2 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $remote_addr;
--- a/servers/puppet/modules/humbug/files/nginx/sites-available/loadbalancer
+++ b/servers/puppet/modules/humbug/files/nginx/sites-available/loadbalancer
@ -0,0 +1,93 @@
+upstream staging {
+    server staging.zulip.net:443;
+}
+
+upstream prod {
+    server prod0.zulip.net:443;
+}
+
+server {
+    listen 80;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen staging.humbughq.com:443;
+
+    ssl on;
+    ssl_certificate /etc/ssl/certs/wildcard-humbughq.com.combined-chain.crt;
+    ssl_certificate_key /etc/ssl/private/app.humbughq.com.key;
+
+    location / {
+        proxy_pass https://staging/;
+        include /etc/nginx/humbug-include/loadbalancer;
+    }
+}
+
+server {
+    # This stanza covers api, www, zephyr, and bare humbughq.com
+    listen www.humbughq.com:443;
+
+    ssl on;
+    ssl_certificate /etc/ssl/certs/wildcard-humbughq.com.combined-chain.crt;
+    ssl_certificate_key /etc/ssl/private/app.humbughq.com.key;
+
+    location / {
+        proxy_pass https://prod/;
+        include /etc/nginx/humbug-include/loadbalancer;
+    }
+}
+
+server {
+    listen staging.zulip.com:443;
+
+    ssl on;
+    ssl_certificate /etc/ssl/certs/staging.zulip.com.combined-chain.crt;
+    ssl_certificate_key /etc/ssl/private/staging-zulip.key;
+
+    location / {
+        proxy_pass https://staging/;
+        include /etc/nginx/humbug-include/loadbalancer;
+    }
+}
+
+server {
+    # This stanza also covers bare zulip.com
+    listen www.zulip.com:443;
+
+    ssl on;
+    ssl_certificate /etc/ssl/certs/www.zulip.com.combined-chain.crt;
+    ssl_certificate_key /etc/ssl/private/production-zulip.key;
+
+    location / {
+        proxy_pass https://prod/;
+        include /etc/nginx/humbug-include/loadbalancer;
+    }
+}
+
+server {
+    listen api.zulip.com:443;
+
+    ssl on;
+    ssl_certificate /etc/ssl/certs/api.zulip.com.combined-chain.crt;
+    ssl_certificate_key /etc/ssl/private/production-zulip.key;
+
+    location / {
+        proxy_pass https://prod/;
+        include /etc/nginx/humbug-include/loadbalancer;
+    }
+}
+
+
+server {
+    listen zephyr.zulip.com:443;
+
+    ssl on;
+    ssl_certificate /etc/ssl/certs/zephyr.zulip.com.combined-chain.crt;
+    ssl_certificate_key /etc/ssl/private/production-zulip.key;
+
+    location / {
+        proxy_pass https://prod/;
+        include /etc/nginx/humbug-include/loadbalancer;
+    }
+}
--- a/servers/puppet/modules/humbug/files/nginx/sites-available/zulip-staging
+++ b/servers/puppet/modules/humbug/files/nginx/sites-available/zulip-staging
@ -1,20 +0,0 @@
-server {
-    listen 80;
-    server_name staging.zulip.com;
-    return 301 https://$server_name$request_uri;
-}
-
-server {
-    listen 443;
-
-    ssl on;
-    ssl_certificate /etc/ssl/certs/staging.zulip.com.combined-chain.crt;
-    ssl_certificate_key /etc/ssl/private/staging_and_dev.humbughq.com.key;
-
-    server_name staging.zulip.com;
-
-    # Avoid clickjacking attacks
-    add_header X-Frame-Options DENY;
-
-    include /etc/nginx/humbug-include/app;
-}
--- a/servers/puppet/modules/humbug/manifests/loadbalancer.pp
+++ b/servers/puppet/modules/humbug/manifests/loadbalancer.pp
@ -0,0 +1,28 @@
+class humbug::loadbalancer {
+  class { 'humbug::base': }
+  class { 'humbug::nginx': }
+
+  file { "/etc/nginx/humbug-include/":
+    require => Package[nginx],
+    recurse => true,
+    owner  => "root",
+    group  => "root",
+    mode => 644,
+    source => "puppet:///modules/humbug/nginx/humbug-include/",
+    notify => Service["nginx"],
+  }
+
+  file { "/etc/nginx/sites-available/loadbalancer":
+    require => Package[nginx],
+    ensure => file,
+    owner  => "root",
+    group  => "root",
+    mode => 644,
+    source => "puppet:///modules/humbug/nginx/sites-available/loadbalancer",
+  }
+  file { '/etc/nginx/sites-enabled/loadbalancer':
+    ensure => 'link',
+    target => '/etc/nginx/sites-available/loadbalancer',
+  }
+
+}
--- a/servers/puppet/modules/humbug/manifests/nginx.pp
+++ b/servers/puppet/modules/humbug/manifests/nginx.pp
@ -1,4 +1,4 @@
-# For any system using nginx (currently just app frontends)
+# For any system using nginx (currently just app frontends and load balancers)
 class humbug::nginx {
  $web_packages = [ "nginx", ]
  package { $web_packages: ensure => "installed" }