alt.fpo/en/cloud is still the first link to pop up on search engines and
the current redirect only works with /cloud.
This commit fixes the redirect and prevents this old page from being indexed.
New ipa checks the referrer to avoid CSRF issues.
We need to have the proxy edit requests for the right internal hostname
for it to be able to work.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Turns out back in 2015 (in 623be6ff73) I added a robots.txt on the koji
hubs to disallow crawling, but since it's behind the proxies, no one
ever saw that robots.txt. Instead they got the default one that just had
a 'crawl-delay 1' in it.
So, let's tell robots to go away for real now, as they are causing load
problems on the koji database and I don't think it's particularly useful
for koji to be indexed. It's a lot of dynamic content anyhow.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
f39 adds flatpaks for ppc64le, so we need to allow ppc64le builders to
access the registry directly so they can install flatpaks in the ostree
install images. Without this they try and get them from the cdn and the
builder firewall blocks them and it times out and the image fails to
compose.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Right now we only exclude the builders on 10.3.169 from using the
registry cdn (ie, the x86_64 builders), but we also make aarch64
containers/images and we should exclude it too ( 10.3.170.x ).
This might fix a weird compose failure we have been getting on
aarch64 ostree installer images.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The proxies seem to be hitting file limits, so try increasing them.
Also, set httpd to restart on failure, this should help mask the problem
if it persists with the higher limit.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Our openshift 3.11 cluster(s) served us long and well.
Now we have everything finally moved to the openshift 4 clusters (fas2
was the last holdout). We can finally retire this. :)
🎉🥂
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
I think I handled all the special cases here already.
We want to switch non iad2 proxies to reach the ocp4 cluster over its
vpn now that it has one. This should allow us to still keep ipv6
available for applications and not have to change dns for moving from
ocp3 cluster anymore. Will roll this out slowly to one proxy then
another, then the rest if it all looks ok.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
The ocp3 cluster is reachable/available via the vpn, so any proxy can
reach it.
The ocp4 cluster is (at least for now) only reachable/available from the
iad2 proxies (proxy01/proxy10).
There's a firefox bug that causes it to reuse h2 connections, and in
some cases try and request something of a non iad2 proxy that it can't
reach. To work around this in those cases we need to send a 421 back to
the client so it doesn't do that.
This moves that logic into the template so all ocp4: true hosts do this
by default. Also, we default the balancer nodes so we only have to
change them in one place if we remove/add a compute node.
Finally, we mark all the ocp3 apps with 'ocp4: false' so we know what
they are and can move them more easily.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This is the fun firefox h2 connection reuse bug. blockerbugs is only in
iad2, so if firefox tries to reuse a connection to another proxy for it,
just send it a 421 so it knows that's bad on it.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Due to http/2 connection reuse bugs, sometimes firefox will decide to
'reuse' a connection to fedoraproject.org for openqa.fedoraproject.org
(since they both have the same tls cert), but openqa is only available
from the 2 iad2 proxies, not all of them. This results in a 503 timeout
and it just not loading. This should make those reused connections get a
421 from proxies and reconnect to the proper ips. (we hope)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This reverts commit 4430178b29.
It's time to put this back before the cert expires and before we go into
Beta freeze. Hopefully the odd issue with armv7 qemu guests having a
time behind real time is not still happening.
This reverts commit 57f0d4fdb6.
For an annoying reason, armv7 image builds come up with the time as 10
days ago, which makes this cert invalid. So, move back to the old cert
for a week or so and then switch to the new one again. ;(
See https://pagure.io/copr/copr/issue/1935
Prevent only /api_2, /api_3, etc from redirecting from
fedoraproject.org to fedorainfracloud.org
I am not entirely sure why we need these special-cases for API but
you guys are taking care of it and keeping it updated, so it must be
important. If anyone can explain some context, it would be
appreciated. The config is older than my involvement in the Copr
project :-)
Anyway, there is only one /api/ page - https://copr.fedorainfracloud.org/api
and that is not an API endpoint that is programmatically accessed and
that preserves backwards compatibility. It is a page that one opens
in the web browser to find information about API, such as where the
documentation is, and how to obtain an API token.
We would like to apply the redirect from fedoraproject.org to
fedorainfracloud.org even for this page.
reg is putting a /static/ into asset path since its upgrade.
Just alias it to / here to avoid the problem for now.
Hopefully we are going to be moving to quay.io and can stop caring about
it.
Fixes infra 10673
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Also add a ssl connection cache.
These changes are live on proxy01/10 and seem to have made them stable
again. Will look at pushing to the rest tomorrow.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Apache httpd by default blocks URL-encoded / (%2F) characters in the
URL path, even though these are RFC-compliant. Enable them and permit
their safe passage to the debuginfod servers.
See also https://stackoverflow.com/a/9933890/661150
Signed-off-by: Frank Ch. Eigler <fche@redhat.com>
- Updating apache proxy config to handle ocp4 CA cert
- place ocp4 CA cert on proxies
- add ocp4 stg ca cert to haproxy/files
Signed-off-by: David Kirwan <dkirwan@redhat.com>