Seems like the proxies don't want to handle port 80 nicely, I get errors in Zabbix for them using localhost:80/apache-status (which works elsewhere, like sundries). However using https/443 seems to work, so we'll do that instead. Signed-off-by: Greg Sutcliffe <fedora@emeraldreverie.org>
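---
# Define resources for this group of hosts here.
#
# Firewall policy for this group is declared twice: `custom_rules` (iptables
# syntax) and `nft_custom_rules` / `nft_block_rules` (nftables syntax). The
# two accept lists are meant to describe the same set of allowed flows, so an
# edit to one should be mirrored in the other.

collectd_apache: true

# For the MOTD
# NOTE(review): the comment above does not describe the key that follows;
# it may be left over from a removed variable — confirm before relying on it.

# iptables rules (see nft_custom_rules for the nftables equivalents).
custom_rules:
  # Need for rsync from log01 for logs.
  - '-A INPUT -p tcp -m tcp -s 10.16.163.39 --dport 873 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT'
  # allow varnish from localhost
  - '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT'
  # also allow varnish from internal for purge requests
  - '-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp -s 10.16.163.0/24 --dport 6081 -j ACCEPT'
  # Port 22623 from 10.16.166.115-123. The original carries no comment for
  # these; presumably OpenShift-related given the 6443 entry in tcp_ports —
  # confirm which hosts these addresses are and document it here.
  - '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.166.115 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.166.116 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.166.117 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.166.118 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.166.119 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.166.120 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.166.121 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.166.122 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.166.123 -j ACCEPT'

# nftables reject rules.
# NOTE(review): there is no matching entry in custom_rules (iptables), so this
# block only applies on hosts using the nftables path — confirm that is intended.
nft_block_rules:
  - 'add rule ip filter INPUT ip saddr 2.57.121.144/32 counter reject'

# nftables accept rules (equivalents of custom_rules above).
#
# This list previously contained every rule twice. The duplicates were removed;
# the only entry that differed between the two copies is the 192.168.1.50 rule,
# which is kept below so the set of accepted flows is unchanged.
nft_custom_rules:
  # Need for rsync from log01 for logs.
  - 'add rule ip filter INPUT ip saddr 10.16.163.39 tcp dport 873 counter accept'
  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
  # NOTE(review): 192.168.1.50 appeared only in the second (now removed) copy
  # of this list; custom_rules and the first copy both use 192.168.1.59. This
  # looks like a typo of .59 rather than a second rsync source. If .50 is not a
  # host that needs rsync access, drop this rule — it is an otherwise
  # undocumented source allowed through to port 873.
  - 'add rule ip filter INPUT ip saddr 192.168.1.50 tcp dport 873 counter accept'
  # allow varnish from localhost
  - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept'
  - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept'
  # also allow varnish from internal for purge requests
  - 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept'
  - 'add rule ip filter INPUT ip saddr 10.16.163.0/24 tcp dport 6081 counter accept'
  # Port 22623 from 10.16.166.115-123 (same hosts as in custom_rules).
  - 'add rule ip filter INPUT ip saddr 10.16.166.115 tcp dport 22623 counter accept'
  - 'add rule ip filter INPUT ip saddr 10.16.166.116 tcp dport 22623 counter accept'
  - 'add rule ip filter INPUT ip saddr 10.16.166.117 tcp dport 22623 counter accept'
  - 'add rule ip filter INPUT ip saddr 10.16.166.118 tcp dport 22623 counter accept'
  - 'add rule ip filter INPUT ip saddr 10.16.166.119 tcp dport 22623 counter accept'
  - 'add rule ip filter INPUT ip saddr 10.16.166.120 tcp dport 22623 counter accept'
  - 'add rule ip filter INPUT ip saddr 10.16.166.121 tcp dport 22623 counter accept'
  - 'add rule ip filter INPUT ip saddr 10.16.166.122 tcp dport 22623 counter accept'
  - 'add rule ip filter INPUT ip saddr 10.16.166.123 tcp dport 22623 counter accept'

external: true

# IPA groups granted shell access on this host group.
ipa_client_shell_groups:
  - fi-apprentice
  - sysadmin-noc
  - sysadmin-veteran
  - sysadmin-web

# IPA groups granted sudo on this host group (a subset of the shell groups).
ipa_client_sudo_groups:
  - sysadmin-web
  - sysadmin-noc

ipa_host_group: proxies
ipa_host_group_desc: Proxies between internal hosts and the Internet

lvm_size: 100000

# This is used in the httpd.conf to determine the value for serverlimit and
# maxrequestworkers.
# NOTE(review): the original comment said "300 * 8 = 3200", which does not add
# up; with num_cpus = 8 the configured value corresponds to 400 per CPU.
# Confirm whether 3200 or a 300-per-CPU figure (2400) was intended.
maxrequestworkers: 3200

mem_size: 49152
num_cpus: 8

ocp_masters_stg:
  # - bootstrap.ocp.stg.rdu3.fedoraproject.org
  - ocp01.ocp.stg.rdu3.fedoraproject.org
  - ocp02.ocp.stg.rdu3.fedoraproject.org
  - ocp03.ocp.stg.rdu3.fedoraproject.org

ocp_nodes_stg:
  - worker01.ocp.stg.rdu3.fedoraproject.org
  - worker02.ocp.stg.rdu3.fedoraproject.org
  - worker03.ocp.stg.rdu3.fedoraproject.org
  - worker04.ocp.stg.rdu3.fedoraproject.org
  - worker05.ocp.stg.rdu3.fedoraproject.org

ocp_masters_rdu3_stg:
  - bootstrap.ocp.stg.rdu3.fedoraproject.org

ocp_nodes_rdu3_stg:
  - worker01.ocp.stg.rdu3.fedoraproject.org
  - worker02.ocp.stg.rdu3.fedoraproject.org
  - worker03.ocp.stg.rdu3.fedoraproject.org

# TCP ports opened to the world on this group (block style so each entry
# can carry its own comment).
tcp_ports:
  # For apache, generally.
  - 80
  - 443
  # This is for TCP krb5
  - 1088
  # This is for RabbitMQ public access
  - 5671
  # openshift 4 api
  - 6443
  # This is for RabbitMQ internal-public access
  - 15671
  # This is for TOTP
  - 8443

varnish_group: proxies

# Zabbix user macros for the apache-status check. The port is left as an
# integer and the scheme as a plain scalar, as in the original; quoting them
# would change the type handed to the Zabbix module.
zabbix_macros:
  'APACHE.STATUS.PORT': 443  # Proxies appear to ignore port 80 for apache-status
  'APACHE.STATUS.SCHEME': https  # but https://localhost seems to work instead

# Free-form description shown in the MOTD.
notes: |
  * Provides frontend (reverse) proxy for most web applications
  * Using Apache -> haproxy, these hosts contact app servers and other various hosts to provide web applications
    at sites like fedoraproject.org and admin.fedoraproject.org.
  * The proxy servers are balanced via dns and geoIP and are spread all over the place.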