Closed Bug 1223768 Opened 9 years ago Closed 9 years ago

Change MLS SSL setup to also serve geo.mozilla.org

Categories

(Cloud Services :: Server: Location, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: hschlichting, Assigned: ckolos)

References

Details

If we switch over geo.mozilla.org to point to location.services.mozilla.com, we need to make sure the stack is actually reachable under that DNS and SSL works.

Currently location.services.mozilla.com is a CNAME for locprod1-elb-eu-west-1.prod.mozaws.net. locprod1-elb-eu-west-1.prod.mozaws.net is a Route 53 alias for the actual DNS of the ELB. During each rollout that ELB gets replaced and the locprod1-elb-... alias gets repointed to the new ELB.

We could switch geo.mozilla.org to be a CNAME for locprod1-elb-eu... as well, but would need to make sure the ELB has a valid SSL cert for both DNS names. Since ELBs don't support SNI, a single SSL with a subject alternative name would be required. Or maybe I'm missing something obvious here :))

On the EC2 instance side, nginx is currently not configured with hostname restrictions, but will happily accept traffic for any host (https://github.com/mozilla-services/puppet-config/blob/master/location/modules/location/templates/webapp/nginx_location.conf.erb). We might want to change that to only allow traffic for known good hostnames, but for now we don't need to make any changes here.

This bug is only about the preparations of DNS switching. There is no schedule yet for actually doing the DNS switchover.

1) It's impractical to have geo.mo point to the elb itself given that the record changes weekly; cloudops doesn't control the DNS for geo.mo and has no desire to do so. Pointing geo.mo at a *stable*, unchanging, endpoint is the best solution. To that end, DNS would be best done via CNAME. i.e. geo.mo -> CNAME -> location.smc.

2) For SSL to work, we'll need a new cert with a SAN for geo.mo. This is not a problem; we'll just need to re-issue the existing cert with a SAN tacked on.
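An added check for the two requirements discussed in the comments above (the stack reachable under both hostnames, and one certificate whose subject alternative names cover both, since a non-SNI ELB listener can only present a single cert). This is example code written for this page, not part of the bug, of the MLS deployment or of the puppet-config repository. The two certificate dicts are constructed sample data in the shape `ssl.SSLSocket.getpeercert()` returns, and the list of expected hostnames is assumed from the discussion; the live helpers at the bottom do real network calls and are not exercised here.

```python
"""Verify that every public hostname that should reach one ELB-fronted stack
is covered by the SAN list of a single certificate, and (optionally, live)
that the hostnames resolve to the same endpoint and the served cert validates.
Example code added for illustration; the sample certificates are constructed."""
import socket
import ssl

# Assumption: these are the two names that must reach the same stack.
EXPECTED_HOSTNAMES = ["location.services.mozilla.com", "geo.mozilla.org"]

# Constructed sample: the cert as issued today, MLS name only.
CURRENT_CERT = {
    "subject": ((("commonName", "location.services.mozilla.com"),),),
    "subjectAltName": (("DNS", "location.services.mozilla.com"),
                       ("DNS", "*.services.mozilla.com")),
}

# Constructed sample: the same cert re-issued with geo.mozilla.org "tacked on".
REISSUED_CERT = {
    "subject": ((("commonName", "location.services.mozilla.com"),),),
    "subjectAltName": (("DNS", "location.services.mozilla.com"),
                       ("DNS", "*.services.mozilla.com"),
                       ("DNS", "geo.mozilla.org")),
}


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact match, or a single leading '*.' wildcard that
    covers exactly one label. '*.example.com' covers 'a.example.com' but not
    'a.b.example.com' and not 'example.com' itself."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # e.g. ".services.mozilla.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[:-len(suffix)]      # the label the wildcard stands for
        return bool(leftmost) and "." not in leftmost
    return False


def uncovered_hostnames(cert, hostnames):
    """Hostnames that no SAN entry of `cert` covers. An empty result means one
    certificate on a non-SNI listener can serve all of them."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def resolved_addresses(hostname):
    """Live DNS: canonical name after CNAME resolution plus the sorted address
    list, so two hostnames can be compared for pointing at the same endpoint."""
    canonical, _aliases, addresses = socket.gethostbyname_ex(hostname)
    return canonical, sorted(addresses)


def check_served_cert(hostname, port=443, timeout=5.0):
    """Live TLS: connect with default verification (chain + hostname) and return
    (True, san_list) if the served cert validates for `hostname`, else
    (False, error_text). A hostname missing from the SAN shows up here as a
    verification failure rather than as a parsed cert."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, san_dns_names(tls.getpeercert())
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Offline part: does the current / re-issued cert cover both names?
    for label, cert in (("current", CURRENT_CERT), ("re-issued", REISSUED_CERT)):
        missing = uncovered_hostnames(cert, EXPECTED_HOSTNAMES)
        print(f"{label} cert: missing SAN for {missing or 'nothing'}")
    # Live part (network): same endpoint, and does the served cert validate?
    for host in EXPECTED_HOSTNAMES:
        print(host, "->", resolved_addresses(host), check_served_cert(host))
```

Running it before a DNS switch gives a go/no-go answer for the cert question without touching the ELB: if `uncovered_hostnames` is non-empty for the cert currently deployed, the re-issue with an added SAN has to land first. The live helpers use the standard library's default verification, so a cert that does not cover the name is reported as a failure rather than silently inspected.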

We discussed this in meetings and decided not to do this.

Instead we'll tell every user of geo.moz.org to switch over to the MLS DNS and API.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX