Closed Bug 1120384 Opened 9 years ago Closed 9 years ago

Create public fqdn of webqa-ci.mozilla.com to proxy traffic to http://webqa-ci1.qa.scl3.mozilla.com:8080/

Categories

(Infrastructure & Operations :: SSL Certificates, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: davehunt, Assigned: cliang)

References

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/271] )

See bug 1112555 for details and bug 1118241 for results of security review.
Hi, MOC.

I have no idea where to assign this request - they're asking for public (8080/tcp) access to a non-DMZ host that isn't managed by WebOps.

Could you help us triage this service request?
Assignee: vpn-acl → nobody
Component: Mozilla VPN: ACL requests → MOC: Service Requests
QA Contact: dparsons → lypulong
Per IRC, this is a NetOps DC ACL Request, so moving it to that component.

:ulfr, you did sec-review for bug 1118241, can you chime in here?
Assignee: nobody → network-operations
Component: MOC: Service Requests → NetOps: DC ACL Request
Flags: sec-review?(jvehent)
QA Contact: lypulong → jbarnell
Summary: Make http://webqa-ci1.qa.scl3.mozilla.com:8080/ publicly accessible → External NAT request: webqa-ci1.qa.scl3.mozilla.com (8080/tcp)
Dave: we typically don't open non-standard ports like this. This request would be easier to process if we went with the standard webops setup, which includes:

1. pick a public fqdn for the service, and not an internal machine hostname. For example: ci.qa.mozilla.com

2. obtain a certificate for the public fqdn

3. set a vhost on the external load balancer to terminate HTTPS with the certificate and proxy web traffic to http://webqa-ci1.qa.scl3.mozilla.com:8080/

Would this work for you? If so, let's transfer this bug over to webops.
Flags: needinfo?(dave.hunt)
Flags: sec-review?(jvehent) → sec-review-
(In reply to Julien Vehent [:ulfr] (use needinfo) from comment #3)
> Dave: we typically don't open non-standard ports like this. This request
> would be easier to process if we went with the standard webops setup, which
> includes:
> 
> 1. pick a public fqdn for the service, and not an internal machine hostname.
> For example: ci.qa.mozilla.com
> 
> 2. obtain a certificate for the public fqdn
> 
> 3. set a vhost on the external load balancer to terminate HTTPS with the
> certificate and proxy web traffic to
> http://webqa-ci1.qa.scl3.mozilla.com:8080/
> 
> Would this work for you? If so, let's transfer this bug over to webops.

Yes, this would all work for me. I would suggest webqa-ci.mozilla.com as the FQDN, what do you think Stephen?
Flags: needinfo?(dave.hunt) → needinfo?(stephen.donner)
(In reply to Dave Hunt (:davehunt) from comment #4)
 
> Yes, this would all work for me. I would suggest webqa-ci.mozilla.com as the
> FQDN, what do you think Stephen?

Ship it -- yes, please! :-)
Flags: needinfo?(stephen.donner)
See comment 3 for details.
Assignee: network-operations → server-ops-webops
Component: NetOps: DC ACL Request → WebOps: SSL and Domain Names
QA Contact: jbarnell → nmaul
Summary: External NAT request: webqa-ci1.qa.scl3.mozilla.com (8080/tcp) → Create public fqdn of webqa-ci.mozilla.com to proxy traffic to http://webqa-ci1.qa.scl3.mozilla.com:8080/
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/271]
I *think* this now depends on bug 1121453 -- clear the field if that's not the case, please :-)
Depends on: 1121453
I'd say bug 1121453 is a nice to have (and I see no reason that we won't have it) but it doesn't block moving forward on this bug. I think we just need to find an owner for this bug now that can set up what we need.
No longer depends on: 1121453
:gozer -- is this something you could pick up for us?  Thanks!
Flags: needinfo?(gozer)
Assignee: server-ops-webops → cliang
Flags: needinfo?(gozer)
webqa-ci.mozilla.com should be set up and working.  HTTP traffic should be automatically re-directed to HTTPS.  Requests are logged at the ZLB.  Please verify that things are working as expected.  =)

I've also created a service entry in Inventory which lists the technical owner of the service (AKA "who should be poked if the underlying server is having issues") as Stephen Donner with a business owner (AKA "which director does this belong to") as Clint Talbert.
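
The setup outlined in comment 3 and the behaviour reported in comment 10 (HTTP redirected to HTTPS, a certificate for the public FQDN) can be checked with a short script. This is an added example, not part of the bug's comments or of Mozilla's tooling; the responses and certificates are constructed samples and the function names are hypothetical.

```python
# Added example: constructed samples, hypothetical helper names.
from urllib.parse import urlsplit

PUBLIC_FQDN = "webqa-ci.mozilla.com"  # public name chosen in the bug

def parse_response(raw):
    """Split a raw HTTP response head into (status, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def san_matches(cert, host):
    """cert uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # A wildcard covers exactly one left-most label.
        if name.startswith("*.") and "." in host and host.partition(".")[2] == name[2:]:
            return True
    return False

def audit(http_raw, cert):
    """Return findings; an empty list means the front end behaves as described."""
    findings = []
    status, headers = parse_response(http_raw)
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308):
        findings.append("plain HTTP is served instead of redirected")
    elif target.scheme != "https":
        findings.append("redirect does not go to HTTPS")
    elif target.hostname != PUBLIC_FQDN:
        findings.append("redirect leaves the public FQDN")
    elif target.port not in (None, 443):
        findings.append("redirect exposes a non-standard port")
    if not san_matches(cert, PUBLIC_FQDN):
        findings.append("certificate does not cover the public FQDN")
    return findings

# Constructed samples: a correct front end, and one leaking the backend name.
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://webqa-ci.mozilla.com/\r\n\r\n"
LEAKY_HTTP = "HTTP/1.1 302 Found\r\nLocation: http://webqa-ci1.qa.scl3.mozilla.com:8080/\r\n\r\n"
GOOD_CERT = {"subjectAltName": (("DNS", "webqa-ci.mozilla.com"),)}
WRONG_CERT = {"subjectAltName": (("DNS", "webqa-ci1.qa.scl3.mozilla.com"),)}
```

The leaky sample models a backend that builds absolute redirects from its own hostname and port, which sends clients around the HTTPS front end.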
(In reply to C. Liang [:cyliang] from comment #10)
> webqa-ci.mozilla.com should be set up and working.  HTTP traffic should be
> automatically re-directed to HTTPS.  Requests are logged at the ZLB.  Please
> verify that things are working as expected.  =)
> 
> I've also created a service entry in Inventory which lists the technical
> owner of the service (AKA "who should be poked if the underlying server is
> having issues") as Stephen Donner with a business owner (AKA "which director
> does this belong to") as Clint Talbert.

Thanks so, so much - to both you and Stephanie, for prioritizing this for us and making it happen!  <3

I've logged in, and will let Dave Hunt work with me, soon, on any further issues/needs; thanks!
This is *awesome* thank you so much! :)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED