anubis-el: add missing check for port

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
anubis: fix ports for el vs non el versions
2026-02-02 20:59:02 +08:00 · 2026-01-22 10:50:15 -08:00 · 2026-01-22 10:44:20 -08:00 · 2026-01-22 10:35:44 -08:00 · 2026-01-22 10:26:24 -08:00 · 2026-01-22 10:16:22 -08:00
11 changed files with 79 additions and 10 deletions
--- a/inventory/group_vars/download
+++ b/inventory/group_vars/download
@@ -110,4 +110,6 @@ ipa_host_group: download
 ipa_host_group_desc: Download servers
 nagios_Check_Services:
  swap: false
+nft_block_rules:
+  - 'add rule ip filter INPUT ip saddr 212.143.41.0/24 counter reject'
 primary_auth_source: ipa
--- a/playbooks/groups/download.yml
+++ b/playbooks/groups/download.yml
@@ -40,6 +40,9 @@
  - collectd/base
  - apache
  - download
+  - role: anubis-el
+    tags:
+    - anubis
  - rsyncd
  - { role: nfs/client, when: "'download_rdu3' in group_names" , mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
  - { role: nfs/client, when: "'download_rdu3' in group_names" , mnt_dir: '/srv/pub/archive', nfs_src_dir: 'fedora_ftp_archive' }
--- a/playbooks/groups/pagure.yml
+++ b/playbooks/groups/pagure.yml
@@ -79,7 +79,7 @@
      ^io\.pagure\.{{ env_short }}\..*

  - pagure
-  - role: anubis-el8
+  - role: anubis-el
    tags:
    - anubis

--- a/roles/anubis-el8/files/anubis.service
+++ b/roles/anubis-el8/files/anubis.service
--- a/roles/anubis-el8/files/botPolicy.yaml
+++ b/roles/anubis-el8/files/botPolicy.yaml
--- a/roles/anubis-el/files/subgid
+++ b/roles/anubis-el/files/subgid
@@ -0,0 +1 @@
+anubis:231072:65536
--- a/roles/anubis-el/files/subuid
+++ b/roles/anubis-el/files/subuid
@@ -0,0 +1 @@
+anubis:231072:65536
--- a/roles/anubis-el8/tasks/main.yml
+++ b/roles/anubis-el8/tasks/main.yml
@@ -25,6 +25,40 @@
  - config
  - anubis

+- name: install subuid file
+  ansible.builtin.copy:
+    dest: /etc/subuid
+    src: subuid
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+  - config
+  - anubis
+
+- name: install subgid file
+  ansible.builtin.copy:
+    dest: /etc/subgid
+    src: subuid
+    owner: root
+    group: root
+    mode: '0644'
+  tags:
+  - config
+  - anubis
+
+- name: Check semanage ports
+  ansible.builtin.command: semanage port -l
+  register: semanageoutput
+  check_mode: no
+  changed_when: "1 != 1"
+  tags:
+  - anubis
+
+- name: Set ports so httpd can bind to 3923
+  ansible.builtin.command: semanage port -a -t http_port_t -p tcp 3923
+  when: semanageoutput.stdout.find("3923") == -1
+
 - name: Create the directory to store the anubis policy file
  ansible.builtin.file:
    dest: /srv/anubis/cfg/
--- a/roles/anubis/tasks/main.yml
+++ b/roles/anubis/tasks/main.yml
@@ -44,8 +44,6 @@
 - name: Set ports so httpd can bind to 8345
  ansible.builtin.command: semanage port -a -t http_port_t -p tcp 8345
  when: semanageoutput.stdout.find("8345") == -1
-  tags:
-  - anubis

 - name: Allow Apache to make network connections for proxy
  ansible.posix.seboolean:
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -17,6 +17,10 @@
 - name: Set httpd_use_nfs seboolean
  seboolean: name=httpd_use_nfs state=yes persistent=yes

+- name: Set httpd_can_network_connect needed for anubis
+  seboolean: name=httpd_can_network_connect state=yes persistent=yes
+
+
 - name: Check the selinux context rsyncd log
  ansible.builtin.command: matchpathcon /var/log/rsyncd-fedora.log
  register: rsyncdlog
--- a/roles/download/templates/httpd/dl.fedoraproject.org.conf
+++ b/roles/download/templates/httpd/dl.fedoraproject.org.conf
@@ -32,12 +32,38 @@
   SSLProtocol {{ ssl_protocols }}
   SSLCipherSuite {{ ssl_ciphers }}

-  Include "conf.d/dl.fedoraproject.org/*.conf"
+  # proxy all requests to anubis after ssl termination
+
+  RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR}
+  RequestHeader set X-Forwarded-Proto "https"
+  RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"
+
+  ProxyPreserveHost On
+
+  ProxyRequests Off
+  ProxyVia Off
+
+  ProxyPass / http://[::1]:8923/
+  ProxyPassReverse / http://[::1]:8923/
+
 </VirtualHost>

-# Prefork tuning
-<IfModule mpm_prefork_module>
-    ServerLimit               {{ httpd_maxrequestworkers * 1.5 }}
-    MaxRequestWorkers         {{ httpd_maxrequestworkers }}
-    MaxConnectionsPerChild    {{ httpd_maxrequestworkers * 5 }}
-</IfModule>
+# Once anubis has processed the request it sends it to port 3923
+
+Listen 3923 http
+<VirtualHost *:3923>
+  ServerName dl.fedoraproject.org
+  ServerAlias archive.fedoraproject.org archives.fedoraproject.org secondary.fedoraproject.org download-ib01.fedoraproject.org download-cc-rdu01.fedoraproject.org
+  ServerAdmin webmaster@fedoraproject.org
+
+  RemoteIPHeader X-Real-Ip
+  RemoteIPInternalProxy ::1
+
+  Include "conf.d/dl.fedoraproject.org/*.conf"
+
+</VirtualHost>
+
+
+ServerLimit           3200
+MaxRequestWorkers     3200
+MaxRequestsPerChild    10000
Author	SHA1	Message	Date
Kevin Fenzi	f3406c7ee7	anubis-el: add missing check for port Signed-off-by: Kevin Fenzi <kevin@scrye.com>	2026-01-22 10:50:15 -08:00
Kevin Fenzi	4e9729d938	anubis: fix ports for el vs non el versions I mistakenly changed the port in the fedora/non el one, that was correct. Need to add the port in the el one for selinux to allow httpd to work. Signed-off-by: Kevin Fenzi <kevin@scrye.com>	2026-01-22 10:44:20 -08:00
Kevin Fenzi	896ab6360b	download: block subnet thats using rclone against master mirrors Signed-off-by: Kevin Fenzi <kevin@scrye.com>	2026-01-22 10:35:44 -08:00
Kevin Fenzi	07940d97ac	download / anubis: fix typo of file vs copy module Signed-off-by: Kevin Fenzi <kevin@scrye.com>	2026-01-22 10:26:24 -08:00
Kevin Fenzi	6ceb3ea68b	download: enable/finish anubis for other download servers Fixed up a few things missed and caught in testing on dl01: * need to setup subuid/subgid files for podman * need to allow the right port for httpd to listen in selinux * need httpd network connect to allow it to connect to anubis * adjust worker values, we were not using prefork for a long time so the values were just default up them a bunch. Signed-off-by: Kevin Fenzi <kevin@scrye.com>	2026-01-22 10:16:22 -08:00
Kevin Fenzi	9717d920af	anubis: rename anubis-el8 to anubis-el and see about enabling on download Looks like the scrapers are hitting the download servers now. So, look at setting up an anubis pod there like we did for pagure. anubis package isn't available for epel9, so we just use the container. Will test this with dl01 and tweak until it's working. Signed-off-by: Kevin Fenzi <kevin@scrye.com>	2026-01-22 08:50:34 -08:00