Expose triagebot publicly at triagebot.mozilla.org

RESOLVED FIXED

Status

Infrastructure & Operations
WebOps: Other
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: mhoye, Assigned: cyliang)

Tracking

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1407] )

(Reporter)

Description

3 years ago
Per bug 1172191 the code running on triage1.dmz.scl3.mozilla.com has passed secreview and is ready to face the nation. 

If I could have triagebot.mozilla.com (port 80 only) point to port 80 on  triage1.dmz.scl3.mozilla.com, that would be lovely.

Comment 1

3 years ago
Why is this non-SSL?

Comment 2

3 years ago
Also, why .com instead of .org ?
Summary: Make → Expose triagebot publicly at triagebot.mozilla.com
(Reporter)

Comment 3

3 years ago
If .org is the right place for this, I'd be perfectly happy for it to be .org.

I'd also be happy for it to be SSL, but I don't think that I'm empowered to set that up in our environment.

Comment 4

3 years ago
OK, so http or https?  Please let me know which port(s) I should be configured as open.

Thanks.
Assignee: network-operations → dcurado
Status: NEW → ASSIGNED

Updated

3 years ago
Flags: needinfo?(mhoye)

Comment 5

3 years ago
Moving forward on this:

I have assigned 63.245.214.182, and have added an A and PTR record for triagebot.mozilla.org

    triagebot.mozilla.org A 63.245.214.182
    63.245.214.182 PTR triagebot.mozilla.org

I'll set up the NAT on the firewall now, but will hold off on installing a security policy
allowing access to the server, until you determine which port(s) you'd like open.
e.g. 80 or 443

Thanks -- Dave
(Reporter)

Comment 6

3 years ago
I'd like https, with the caveat that I'll need guidance about what if anything I'll need to do on my end to make that work properly.
Flags: needinfo?(mhoye)

Comment 7

3 years ago
OK, I will configure a security policy on the firewall that allows packets in to port 443/tcp to your
server.

Sorry, I can not help you in setting up https on the server.  
I just don't know anything about that.
I can ask the infra team of sysadmins in order to get you pointed in the right direction, if you'd like.
(at least they would know who you can work with)
Flags: needinfo?(mhoye)

Comment 8

3 years ago
OK, I have set up the security policy allowing https inbound to your server.
(don't worry that the private IP address shows up in the policy shown below,
 the firewall takes care of the inbound NAT translation before the packet hits
 this security policy)

  From zone: untrust, To zone: dmz
  Source addresses:
    any-ipv4: 0.0.0.0/0 
    any-ipv6: ::/0
  Destination addresses:
    triagebot.dmz.scl3: 10.22.74.153/32
  Application: junos-https
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0] 
      Destination port range: [443-443]

Thanks -- Dave

Comment 9

3 years ago
OK, I think the netops part of this request is done.
I asked some folks in the systems group who you could get help from vis-a-vis
setting up https.
The suggestion I got back was "WebOps"

So, would it be OK to suggest to you to open a bug for that group, and reference this bug?

The Bugzilla category is Infrastructure and Operations, then Webops:xxxx
where xxxx is the sub category that best describes your situation.

Please let me know what you think?
Thanks -- Dave
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
This was supposed to go through webops for a Zeus setup for the site rather than NAT :/
Component: NetOps → WebOps: Other
QA Contact: jbarnell → smani

Updated

3 years ago
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1407]
<sigh>.
I'll undo the firewall configuration.

Updated

3 years ago
Assignee: dcurado → smani
I have un-configured the stuff I did on the SCL3 firewall.
(Assignee)

Updated

3 years ago
Assignee: smani → cliang
(Assignee)

Updated

3 years ago
Summary: Expose triagebot publicly at triagebot.mozilla.com → Expose triagebot publicly at triagebot.mozilla.org
(Assignee)

Updated

3 years ago
Depends on: 1183168
(Assignee)

Comment 13

3 years ago
Mike:  I believe things are working.  Can you please verify that everything looks like it is working from your perspective?

Based on feedback in IRC, triagebot.mozilla.org is set up to automatically redirect HTTP traffic to HTTPS.  For right now, there is no need to set any of the usual "forwarded for" headers.

I've also created a service entry in Inventory which lists the technical owner of the service (AKA "who should be poked if the underlying server is having issues") as Mike Hoye with a business owner (AKA "who makes money-related decisions about this") as Brian Smedberg.  



[1]

$ curl -I http://triagebot.mozilla.org
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Date: Mon, 13 Jul 2015 21:29:53 GMT
Location: https://triagebot.mozilla.org/
Connection: Keep-Alive
Content-Length: 0

$ curl -I https://triagebot.mozilla.org
HTTP/1.1 200 OK
Server: lighttpd/1.4.28
Content-type: text/html
Date: Mon, 13 Jul 2015 21:30:02 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive
(Reporter)

Comment 14

3 years ago
Looks good from here, and I'll double-check when I get home. Thanks so much for not only setting this up, but for finding Benjamin's long-lost twin brother in the process! Who would have suspected Brian was working for Mozilla all along?
Flags: needinfo?(mhoye)
(Assignee)

Comment 15

3 years ago
Ah, the joys of freely editable text fields rather than drop-downs.   Name fixed.
(Reporter)

Comment 16

3 years ago
(Thanks again, for real.)
(Assignee)

Updated

3 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.