Closed Bug 1154326 Opened 9 years ago Closed 9 years ago

[shapeoftheweb] Make domain live by Apr 16th

Categories

(Websites :: Shape of the Web, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ckprice, Assigned: ckprice)

I think we're ready to go ahead and make shapeoftheweb.mozilla.org live. We are doing a launch on Friday the 17th, but it can go live anytime before then.

The domain setup is:

shapeoftheweb.org/com --> shapeoftheweb.mozilla.org (http://lorax.s3-website-us-west-2.amazonaws.com/)

shapeoftheweb.org/com is currently pointing to the subdomain which is pointing to a Wiki.

We have to do a few things:

1. Point the subdomain to the S3 instance
2. Enable SSL on the subdomain
3. Ensure we are okay on traffic. The launch will be soft so not a HUGE amount of traffic

References
- Claiming shapeoftheweb.org/com (bug 1096391)
- Confirming domain with Dia/Greg (bug 1113243)
- Setting up S3 (bug 1113371)

I'm trying to get permission to edit the settings on the bucket in bug 1151942. We still need to tweak some things so that the virtual URLs will work and not just 404.

Apart from the above what we'll need to do is actually create a CloudFront distribution to point at the bucket, add the subdomain to cloudfront, and add the mozilla.org wildcard SSL cert to cloudfront.

(In reply to Paul McLanahan [:pmac] from comment #1)
> Apart from the above what we'll need to do is actually create a CloudFront
> distribution to point at the bucket, add the subdomain to cloudfront, and
> add the mozilla.org wildcard SSL cert to cloudfront.
Hey Brian - can you help with any of the above? Specifically setting up the CloudFront? Looks like fox2mike is helping us with the bucket.
Flags: needinfo?(bhourigan)
:ckprice/:pmac, do you truly require an SSL certificate for *all* mozilla.org subdomains? Or do you only need one that has shapeoftheweb.mozilla.org and www.shapeoftheweb.org/com (and, for an additional cost, the non-www 'shapeoftheweb.org/com' domain)?
Flags: sec-review?(jvehent)
Flags: needinfo?(pmac)
Flags: needinfo?(cprice)
Flags: needinfo?(bhourigan)
Depends on: 1154361
> the mozilla.org wildcard SSL cert to cloudfront

There is no such thing as a wildcard SSL cert for mozilla.org. The risk of impersonating sites is too great. But we can certainly give you a cert for shapeoftheweb.mozilla.org that you can give cloudfront.

:atoll - this needs to be a separate cert entirely since the private key will be given to a third party.

Separate key/cert generated and provided to :digi for installation. Back to :digi to proceed, cheers.
Flags: needinfo?(pmac)
Flags: needinfo?(cprice)
(In reply to Richard Soderberg [:atoll] from comment #5)
> Separate key/cert generated and provided to :digi for installation. Back to
> :digi to proceed, cheers.

Thank you!

(In reply to Cory Price [:ckprice] from comment #2)
> (In reply to Paul McLanahan [:pmac] from comment #1)
> > Apart from the above what we'll need to do is actually create a CloudFront
> > distribution to point at the bucket, add the subdomain to cloudfront, and
> > add the mozilla.org wildcard SSL cert to cloudfront.
> Hey Brian - can you help with any of the above? Specifically setting up the
> CloudFront? Looks like fox2mike is helping us with the bucket.

In progress now

I spoke with :pmac on IRC and clarified some CloudFront distribution settings, and completed the initial setup. It's building now and should be globally available in the next half hour.

The CloudFront domain name is: dx4nfnkkqskbg.cloudfront.net

I took a look at DNS for the domains listed in https://bugzilla.mozilla.org/show_bug.cgi?id=1154361#c0, and it looks to be incomplete. If you're planning to use Mozilla public DNS we'll need some time to create zones, get them set up at Akamai, and change nameservers at MarkMonitor.

Another complication is root domain CNAME delegation - that will violate RFC1033. We can set up A records instead, although we'll be responsible for monitoring and updating the zone to reflect changes made by Amazon in dx4nfnkkqskbg.cloudfront.net.

If you don't want to hard-code the A records, Amazon recommends using a Route 53 thing for the root domain delegation:

> If you're using Amazon Route 53 as your DNS service, you can create an alias resource record set instead of a CNAME. With an alias resource record set, you don't pay for Amazon Route 53 queries. In addition, you can create an alias resource record set for a domain name at the zone apex (example.com). For more information, go to Routing Queries to an Amazon CloudFront Distribution in the Amazon Route 53 Developer Guide.
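
The apex CNAME problem from comment 7 and the Route 53 alias alternative quoted above, as an added example that is not part of the bug thread: it flags CNAME records at a zone apex and builds the alias change that replaces them. The zone records are constructed sample data, the function names are hypothetical, and `Z2FDTNDATAQYW2` is the hosted zone ID AWS documents for CloudFront alias targets.

```python
import json

# Hosted zone ID that AWS documents for every CloudFront alias target.
CLOUDFRONT_ALIAS_ZONE_ID = "Z2FDTNDATAQYW2"

# Constructed sample zone: the apex CNAME is the record comment 7 objects to.
SAMPLE_ZONE = "shapeoftheweb.org"
SAMPLE_RECORDS = [
    {"name": "shapeoftheweb.org.", "type": "SOA", "value": "ns1.example.net."},
    {"name": "shapeoftheweb.org.", "type": "NS", "value": "ns1.example.net."},
    {"name": "shapeoftheweb.org.", "type": "CNAME", "value": "dx4nfnkkqskbg.cloudfront.net"},
    {"name": "www.shapeoftheweb.org.", "type": "CNAME", "value": "dx4nfnkkqskbg.cloudfront.net"},
]


def fqdn(name):
    """Lowercase a DNS name and give it exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def apex_cnames(zone, records):
    """Return CNAME records at the apex, where SOA and NS must already live
    and a CNAME owner name may carry no other data, so each one conflicts."""
    return [r for r in records
            if fqdn(r["name"]) == fqdn(zone) and r["type"].upper() == "CNAME"]


def alias_change_batch(zone, cloudfront_domain):
    """Build the Route 53 ChangeBatch for an apex alias A record."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": fqdn(zone), "Type": "A",
        "AliasTarget": {"HostedZoneId": CLOUDFRONT_ALIAS_ZONE_ID,
                        "DNSName": fqdn(cloudfront_domain),
                        "EvaluateTargetHealth": False}}}]}


def plan(zone, records):
    """Return (conflicts, change_batch); the batch is None for a clean apex."""
    conflicts = apex_cnames(zone, records)
    targets = {fqdn(r["value"]) for r in conflicts}
    if len(targets) > 1:
        raise ValueError("apex CNAMEs disagree on target: %s" % sorted(targets))
    batch = alias_change_batch(zone, targets.pop()) if targets else None
    return conflicts, batch


if __name__ == "__main__":
    print(json.dumps(plan(SAMPLE_ZONE, SAMPLE_RECORDS)[1], indent=2))
```

The returned dict has the shape that Route 53's ChangeResourceRecordSets call takes as its ChangeBatch; the `www` CNAME is left alone because a CNAME below the apex is valid.
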
Assignee: nobody → cprice
Hi Brian - does Richard's response take care of your DNS/CNAME concerns in comment 7?
Flags: needinfo?(bhourigan)
(Note that I'm also fine with A records, whatever works for Brian is fine with me here.)
(In reply to Cory Price [:ckprice] from comment #9)
> Hi Brian - does Richard's response take care of your DNS/CNAME concerns in
> comment 7?

Hi Cory,

Indeed it does, Richard has proposed an excellent alternative. I will still need your approval to make any changes, in both MarkMonitor+Route53 and mozilla.org zone files. I would want to get those changes in place ASAP to avoid DNS propagation delays in anticipation of your impending launch date.
Flags: needinfo?(bhourigan)
Depends on: 1154785
This is now live.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Flags: sec-review?(jvehent)