Add rabbitmq proxying to the proxies

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2026-05-16 13:56:03 +08:00 · 2019-03-06 21:11:12 +01:00
parent 633f9fa564
commit 0f6a6db888
3 changed files with 38 additions and 0 deletions
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -17,6 +17,11 @@ tcp_ports: [
    # This is for TCP krb5
    1088,

+    # This is for RabbitMQ public access
+    5671,
+    # This is for RabbitMQ internal-public access
+    15671,
+
    # This is for the haproxy HTML stats page
    # TODO -- there's no need for this to be wide open to the world.  With this
    # in place, you can visit https://apps.fedoraproject.org:8080 and get the
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
@@ -17,6 +17,11 @@ tcp_ports: [
    # This is for TCP krb5
    1088,

+    # This is for RabbitMQ public access
+    5671,
+    # This is for RabbitMQ internal-public access
+    15671,
+
    # This is for the haproxy HTML stats page
    # TODO -- there's no need for this to be wide open to the world.  With this
    # in place, you can visit https://apps.fedoraproject.org:8080 and get the
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -565,6 +565,34 @@ backend copr-backend
    option  httpchk GET /api_3/
 {% endif %}

+{% if datacenter == "phx2" %}
+# These ports are for proxying rabbitmq (AMQP) protocol through.
+# At this moment, internal- and public-rabbitmq both point to the exact same set of
+#  brokers on the backend, but the internal- is intended for applications we directly control.
+# This allows us to move to a separate cluster for public access if that became necessary
+#  on just the infra side, with no need to ask users to change anything.
+frontend internal-rabbitmq
+    mode tcp
+    bind 0.0.0.0:15671
+    default_backend rabbitmq
+
+frontend public-rabbitmq
+    mode tcp
+    bind 0.0.0.0:5671
+    default_backend rabbitmq
+
+backend rabbitmq
+    mode tcp
+    option tcplog
+    balance roundrobin
+    maxconn 16384
+    server rabbitmq01 rabbitmq01:5671 weight 1 maxconn 16384
+{% if env == "production %}
+    server rabbitmq02 rabbitmq02:5671 weight 1 maxconn 16384
+    server rabbitmq03 rabbitmq03:5671 weight 1 maxconn 16384
+{% endif %}
+{% endif %}
+
 # Apache doesn't handle the initial connection here like the other proxy
 # entries.  This proxy also doesn't use the http mode like the others.
 # stunnel should be sitting on port 9939 (public) and redirecting