lb0.zulip.net will proxy connections to the relevant backend servers.
Depressingly, SSL certificate verification of the backend servers is not
performed at this time, see:
<http://trac.nginx.org/nginx/ticket/13>
The above-mentioned bug has existed since 2011, but a CVE was not
allocated until January. The nginx developers don't seem to care. Sigh.
In any case, this is of somewhat limited impact at Humbug, since we can
have reasonable confidence that communications within AWS are not
subject to active MITMs. Passive MITM is not a concern, because the
traffic *is* in fact encrypted.
(imported from commit c96e1235fc17192c7452e0417a1309cfcda62de2)
On EC2-VPC we have the ability to attach multiple addresses to one
interface, and multiple interfaces to one machine.
We should configure those interfaces whenever our system boots, and
ideally whenever networking is restarted.
This commit adds a script that is executed once eth0 is brought up that
proceeds to configure all subsequent interfaces, real and virtual.
The script is configured to be installed (along with the helper script
that calls it) on all systems via Puppet.
(imported from commit fdc153ef649edbb8fedd40ff4d77262aae593c39)
Unlike other directories, we explicitly enumerate the files we want to be
present in sites-available, so the previous commit series did not actually
instruct puppet to make the zulip-staging files accessible.
(imported from commit 22efc4d272eba8d6c869edbaa9114c50e1988288)
We create a new sites-available entry which is essentially a duplicate of
sites-available/humbug-staging with s/humbug/zulip, and add the associated
symlink directive in Puppet.
(imported from commit febcb585ce93c21c6849d96458cc2bd096b30538)
This stop words file is just the default Postgres english stop file
with all the rest of the letters of the alphabet added. Adding the
extra letters ensures that, e.g., "bed" doesn't get transformed into
"bed | b".
(imported from commit 0be3ef9a43eb524ed4f081d5081a786cf602c487)
This saves something like 15ms on our 1000 message get_old_messages
queries, and will save even more when we start sending JSON dumps into
our memcached system.
We need to install python-ujson on servers and dev instances before
pushing this to prod.
(imported from commit 373690b7c056d00d2299a7588a33f025104bfbca)
That's where it is supposed to be, and besides, that's what a Nagios
server is going to expect it to be.
(imported from commit c273f18533909fa8eac182246dbbe498a5381f6c)
It turns out that having a UID for one user that's 1000, and not
setting them for other users, is a disaster: puppet might create them
in the wrong order, using UID 1000, and thus breaking creating the
'humbug' user later on. The same issue applies to groups.
(imported from commit 02b4700278e5c495bd514802f41ae238e6b051ac)
This requires `redis-server` to be installed. Check it is installed before
deploying this commit. It also requires 'python-redis' to be installed.
(imported from commit e3434a04456e596f6c84c1a3c289a00aa7cbb2ed)
So we can use the 'sponge' command in update-prod-static.
I've already installed it on app and staging.
(imported from commit 1527b1c0108d7a95b471dea82e8dedc88f944f70)
Note to the future: run this command to validate configs before deploying:
puppet parser validate servers/puppet/modules/*/manifests/*.pp
Maybe we want to add this to check-all...
(imported from commit e0eb6502380ff361b783830d45e8422bc0f76c02)
Modified files need to be copied into the right place. The checkout
on git.humbughq.com also needs to be updated.
(imported from commit dbe9e05a0512e1f59c7819dd8d44c2c4e9c83bcf)
Luke Faraone
Leo Franchi
Zev Benjamin
Tim Abbott
Keegan McAllister
Luke Faraone