Closed
Bug 1342396
Opened 9 years ago
Closed 9 years ago
Seemingly unused ssl-endpoint addon on taskcluster-cors-proxy Heroku app
Categories
(Taskcluster :: Operations and Service Requests, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: emorley, Assigned: emorley)
Noticed whilst looking at bug 1331583.
The taskcluster cors proxy (https://cors-proxy.taskcluster.net) is hosted on Heroku:
$ dig +short CNAME cors-proxy.taskcluster.net
toyama-73636.herokussl.com.
The app has the legacy ssl-endpoint addon installed:
$ heroku addons:info ssl --app taskcluster-cors-proxy
=== ssl-perpendicular-64535
Attachments: taskcluster-cors-proxy::SSL
Installed at: Mon Feb 29 2016 16:01:43 GMT+0000 (GMT Standard Time)
Owning app: taskcluster-cors-proxy
Plan: ssl:endpoint
Price: $20/month
State: created
And TLS is working fine:
https://www.ssllabs.com/ssltest/analyze.html?d=cors%2dproxy.taskcluster.net&latest
However Heroku shows no certs associated with the app:
$ heroku certs --app taskcluster-cors-proxy
taskcluster-cors-proxy has no SSL certificates.
Use heroku certs:add CRT KEY to add one.
And doesn't even list the toyama-73636.herokussl.com CNAME target in domains:
$ heroku domains --app taskcluster-cors-proxy
=== taskcluster-cors-proxy Heroku Domain
taskcluster-cors-proxy.herokuapp.com
=== taskcluster-cors-proxy Custom Domains
Domain Name DNS Target
────────────────────────── ────────────────────────────────────
cors-proxy.taskcluster.net taskcluster-cors-proxy.herokuapp.com
I've tested against other Heroku apps and for both SNI-using (like `treeherder-prod`) and non-SNI (like `bugherder`) the correct certs and domains are shown, so this isn't just because it's using the legacy ssl-endpoint addon.
1) I'd imagine this is a bug on Heroku's side, where the app's cert is halfway between being set up and not. I'll open a Heroku ticket.
2) The traffic on this app is really low (like <20 requests in 1 week, https://dashboard.heroku.com/apps/taskcluster-cors-proxy/metrics/web?starting=168-hours-ago) - is it even needed any more?
Comment 1•9 years ago (Assignee)
I've filed https://help.heroku.com/tickets/454585
Comment 2•9 years ago
It's using the (legacy) SSL add-on from the taskcluster-auth service, like most taskcluster services. If it has its own SSL add-on, that's probably a mistake and it is probably unused.
I don't have access to manage the app, so I can't tell what's going on there.
The service itself is lightly used -- it's what allows us to request content from docs and tools that would normally be disallowed by the endpoints' policy, such as content from github.
Wander is the service owner.
Comment 3•9 years ago
Wander can chime in about this app and its configuration. In the meantime, I have added permissions for Dustin to look more into the app for the future.
Comment 4•9 years ago (Assignee)
(In reply to Dustin J. Mitchell [:dustin] from comment #2)
> It's using the (legacy) SSL add-on from the taskcluster-auth service, like
> most taskcluster services. If it has its own SSL add-on, that's probably a
> mistake and it is probably unused.
Ah interesting - thank you for the clarification :-)
Using them like that is not documented by Heroku, though I've found:
https://www.quora.com/How-does-Heroku-handle-one-SSL-Endpoint-to-multiple-apps
https://stackoverflow.com/questions/17575842/multiple-applications-single-domain-how-many-ssl-endpoints-required
It seems slightly risky to chain multiple apps behind one ssl-endpoint addon in case (a) Heroku stop supporting that workflow, (b) the app with the ssl-endpoint addon ends up being decommissioned in the future, by someone who doesn't realise the cross-app dependency.
Switching to the free SNI based SSL in bug 1331583 seems like a better long term solution, however for now I'll update/close out the Heroku ticket (since it's not a CLI/API bug) and just remove the unused ssl-endpoint addon on taskcluster-cors-proxy.
Assignee: nobody → emorley
Blocks: 1331583
Summary: Inconsistent TLS certs/domains config for taskcluster-cors-proxy Heroku app → Seemingly unused ssl-endpoint addon on taskcluster-cors-proxy Heroku app
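The mismatch described in this bug (a live CNAME pointing at an ssl-endpoint hostname that the app's own `heroku domains` output does not list) can be checked for mechanically. The following is an added example, not part of the bug's comments; the function names are hypothetical, the domains text is in the format quoted in the description, and `lookup_cname` is a constructed offline stand-in for `dig +short CNAME`.

```bash
#!/usr/bin/env bash
# Added example: flag custom domains whose live CNAME differs from the
# DNS target that `heroku domains` lists for the app.

# Sample input in the format of the `heroku domains` output quoted in the bug.
sample_domains() {
cat <<'EOF'
=== taskcluster-cors-proxy Heroku Domain
taskcluster-cors-proxy.herokuapp.com
=== taskcluster-cors-proxy Custom Domains
Domain Name                 DNS Target
──────────────────────────  ────────────────────────────────────
cors-proxy.taskcluster.net  taskcluster-cors-proxy.herokuapp.com
EOF
}

# Constructed stand-in for `dig +short CNAME "$1"` so the example runs offline.
# Replace the body with the real dig call to audit live DNS.
lookup_cname() {
  case "$1" in
    cors-proxy.taskcluster.net) echo "toyama-73636.herokussl.com." ;;
  esac
}

# Reads `heroku domains` output on stdin; prints one MISMATCH line per custom
# domain whose live CNAME is not the DNS target Heroku lists for it.
audit_domains() {
  # Keep only "domain target" rows of the Custom Domains table
  # (skips the header row and the box-drawing separator row).
  awk '/Custom Domains/ { in_custom = 1; next }
       in_custom && NF == 2 && $1 ~ /\./ && $2 ~ /\./ { print $1, $2 }' |
  while read -r domain target; do
    actual=$(lookup_cname "$domain")
    actual=${actual%.}   # drop the trailing dot dig prints on FQDNs
    if [ "$actual" != "$target" ]; then
      echo "MISMATCH $domain listed=$target live=${actual:-none}"
    fi
  done
}

sample_domains | audit_domains
```

A MISMATCH line means TLS for that hostname is terminated somewhere the app's own configuration does not record, which is the cross-app dependency discussed in comment 4.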
Comment 5•9 years ago (Assignee)
Wander, are you ok with me removing the unused ssl-endpoint addon on the taskcluster-cors-proxy app?
Flags: needinfo?(wcosta)
Comment 6•9 years ago
(In reply to Ed Morley [:emorley] from comment #5)
> Wander, are you ok with me removing the unused ssl-endpoint addon on the
> taskcluster-cors-proxy app?
Yep :)
Flags: needinfo?(wcosta)
Comment 7•9 years ago (Assignee)
Many thanks!
$ heroku addons:info ssl --app taskcluster-cors-proxy
=== ssl-perpendicular-64535
Attachments: taskcluster-cors-proxy::SSL
Installed at: Mon Feb 29 2016 16:01:43 GMT+0000 (GMT Standard Time)
Owning app: taskcluster-cors-proxy
Plan: ssl:endpoint
Price: $20/month
State: created
$ heroku addons:remove ssl-perpendicular-64535 --confirm taskcluster-cors-proxy
Destroying ssl-perpendicular-64535 on taskcluster-cors-proxy... done
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 8•9 years ago
Yeah, the free SNI-based SSL is a good improvement, and we should switch to that. We did have discussions with Heroku support about the configuration, and despite the lack of documentation it is a known, supported approach.
Updated•7 years ago
Component: Operations → Operations and Service Requests