Closed Bug 1410517 Opened 7 years ago Closed 7 years ago

Requests for CNAME records and Amazon Cloudfront routes for `mixedreality.mozilla.org` (Mixed Reality [VR/AR/XR] subdomain)

Categories

(Infrastructure & Operations :: SSL Certificates, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: cvan, Assigned: joeyk)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6206])

Hi there, I have a few requests. We want to decommission vr.mozilla.org in favour of reality.mozilla.org. Here are the requested updates:
– Remove CNAME record: vr.mozilla.org -> mozvr.github.io.
– Add CNAME record: CNAME reality.mozilla.org https://reality.mozilla.org/
  Add Amazon Cloudfront ROUTE: reality.mozilla.org/blog/ mozvr.ghost.io
– Add Amazon Cloudfront server-side *temporary* redirects (302), and force HTTPS:
  302 https?://reality.mozilla.org/* https://reality.mozilla.org/$1
  302 https?://*.reality.mozilla.org/* https://$1.reality.mozilla.org/$2
  302 https?://r.mozilla.org/* https://reality.mozilla.org/$1
  302 https?://mixedreality.mozilla.org/* https://reality.mozilla.org/$1
  302 https?://mr.mozilla.org/* https://reality.mozilla.org/$1
  302 https?://xr.mozilla.org/* https://reality.mozilla.org/$1
  302 https?://ar.mozilla.org/* https://reality.mozilla.org/$1
  302 https?://vr.mozilla.org/* https://reality.mozilla.org/$1
– It'd also be very helpful to me if you could give me (cwiemeersch@mozilla.com) and Emily Dunham (edunham@mozilla.com) admin access to the subdomain and its Amazon Cloudfront configuration.
If you have any questions, feel free to contact me directly on Slack or IRC. Thank you very much for your help.
mpluta@mozilla.com
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/5716]
Assignee: server-ops-webops → jkrejci
Per my Slack convo with Maciej: I spoke with Shyam regarding this bug and we can definitely set all this infra up, however we cannot grant you access to just that specific subdomain in the CDN due to AWS restrictions. We also can't give full access to the IT CDN, so he proposed the idea that Emily Dunham take over this bug and create it in a different CDN that you and her can manage. Would that route work for you or would you rather have WebOps manage it for you? Let me know what works best for you and we can move forward. Thanks!
Flags: needinfo?(cvan)
(In reply to Joey Krejci [:joeyk] from comment #1)
> Per my Slack convo with Maciej:
>
> I spoke with Shyam regarding this bug and we can definitely set all this
> infra up, however we cannot grant you access to just that specific subdomain
> in the CDN due to AWS restrictions. We also can't give full access to the IT
> CDN, so he proposed the idea that Emily Dunham take over this bug and create
> it in a different CDN that you and her can manage.
When you say "a different CDN," do you mean keeping with Cloudflare? We want to be able to use the `reality.mozilla.org`. That still possible?
> Would that route work for
> you or would you rather have WebOps manage it for you? Let me know what
> works best for you and we can move forward. Thanks!
Flags: needinfo?(cvan)
Different CDN meaning another account other than IT's CDN account. Yes, you can still use the reality.mozilla.org and I would set that DNS up for you guys, but you would create the AWS stuff. I assume there's an AWS account Emily is already using?
Flags: needinfo?(cvan)
I just spoke with Lars and need to clarify something. The consumer-facing domain should be https://mixedreality.mozilla.org. It should not be https://reality.mozilla.org. Chris, can you update the request?
Flags: needinfo?(cvan)
Summary: Requests for CNAME records and Amazon Cloudfront routes for `reality.mozilla.org` (Mixed Reality [VR/AR/XR] subdomain) → Requests for CNAME records and Amazon Cloudfront routes for `mixedreality.mozilla.org` (Mixed Reality [VR/AR/XR] subdomain)
Did we decide which route we wanted to take here yet? Let me know, thanks!
Flags: needinfo?(cvan)
I'm a bit confused on where things are at as well. I'm going to set up a quick meeting for us all to chat live on this, so that it can move forward. We can probably knock out next steps for 1407841 as well
Sounds good to me Dan, feel free to throw a calendar invite my way when you find a good time. Thanks!
Thanks for meeting on Vidyo earlier. I've set up an AWS account under the username `mozillareality`. I've created a Hosted Zone with AWS Route 53 under `mixedreality.mozilla.org`. Joey, could you please update the nameservers to the following?
ns-1139.awsdns-14.org.
ns-798.awsdns-35.net.
ns-184.awsdns-23.com.
ns-2044.awsdns-63.co.uk.
Then, I'll switch up `mixedreality.mozilla.org` to use the GitHub Pages site (currently https://mozvr.com/). Dan, besides `https://mixedreality.mozilla.org/` and `https://mixedreality.mozilla.org/blog/`, are there other routes you're aware of that we need made now? Thanks!
Flags: needinfo?(cvan) → needinfo?(jkrejci)
No other routes that I am aware of.
Hey All,
So it appears we are on different pages again, I can't change the NS's of *.mozilla.org as that would break the world. I'm gonna schedule another quick Vidyo with a few members of my team as well so we can hopefully resolve this issue once and for all.
Sorry about all the confusion.
- Joey K
Flags: needinfo?(jkrejci)
Scheduled a Vidyo Chat for Mon Nov 13th at 1pm PST
(In reply to Joey Krejci [:joeyk] from comment #10)
> Hey All,
>
> So it appears we are on different pages again, I can't change the NS's of
> *.mozilla.org as that would break the world.
What's the alternative strategy? games.mozilla.org points to games.mozilla.org.herokudns.com. Forgive my ignorance, but how is this different?
> I'm gonna schedule another quick Vidyo with a few members of my team as well
> so we can hopefully resolve this issue once and for all.
>
> Sorry about all the confusion.
Can we keep the conversation going here on Bugzilla though? I think it'd be easier to work through this (and have things documented here for posterity's sake) instead of coordinating a synchronous meeting. We can still meet over Vidyo as well, but I'd like to do whatever we can to get us closer to resolving this in the meantime. Thanks for your help!
Flags: needinfo?(jkrejci)
Hi Christopher, our team has discussed this bug and think there is a lot of confusion and would prefer the face to face meeting to clear things up if you don't mind.
Flags: needinfo?(jkrejci)
Just commenting here so there's no confusion. To repeat what Dan said in comment 9, this is for `mixedreality.mozilla.org` (not `reality.mozilla.org`, as accidentally requested in comment 0). See you at our 1 PM meeting today. Thanks!
Recap of meeting: Confusion occurred in the bug. To get the functionality where a bunch of MR stuff is hosted on MR's AWS and requests to *.mozilla.org subdomains serve that content while appearing to come from the requested *.mozilla.org URL, we do not need nameserver changes. We do need CNAMEs which are totally a thing that moz IT can do for us. In order to resolve this confusion we worked backward from a site that is hosted on AWS and working "correctly" with Mozilla DNS. For our example we examined games.mozilla.org. The plan to make mixedreality.mozilla.org work "correctly" is as follows: I will set up Cloudfront on the mixed-reality account that has the correct billing settings. Cloudfront should give us a URL to point the CNAME traffic toward, like how games.m.o has `games.mozilla.org. 56 IN CNAME d97p76dh7dhxn.cloudfront.net.`. I will update this bug with requests for the appropriate CNAMEs to fulfill the requirements Chris outlined in the first comment. We'll need one CNAME for each of the *.mozilla.org addresses that we want to redirect. I will provide Chris with permissions to upload content to AWS where it will be served by cloudfront. Chris can then put whatever needs to be served from mixedreality.mozilla.org there, and requests to the domain will return it. If anything goes wrong, we'll circle back to Mozilla IT for help. This may be later this week, as I am PTO on Wednesday. (Also please note that if the string "cloudflare" ever occurs in my correspondence about mixedreality issues, it is extremely likely that it's a typo of "cloudfront" because why would anyone need unique names for things.)
I see the confusion now: I said "nameservers" in comment 8, but I meant "CNAME records." I referred to "CNAME" in the bug title and comment 0, but apologies for that mix-up in comment 8. Emily, thanks for the recap. That all makes perfect sense to me. And, yeah, just make sure that xr-ops@mozilla.com has access. I can either log in using that email address, or if you'd like to add me as cwiemeersch@mozilla.com (not cvan@mozilla.com), that'd be great. Thank you! P.S. You're not alone in mistyping CloudFront as Cloudflare. The way I remember: Cloudflare has a lowercased "f" - probably because CloudFront has an uppercased "f" (and Amazon's service launched years prior). Heh. Not confusing at all!
Hey Emily just wondering if you got the AWS stuff set up? Let me know, thanks!
Flags: needinfo?(edunham)
Sorry about the delay here -- I thought I had it set up, but when double checking, I've noticed that I made a couple mistakes and need a bit more information to correct them:
cvan -- You say you want a route "Add Amazon Cloudfront ROUTE: reality.mozilla.org/blog/ mozvr.ghost.io". Neither of those URLs resolves to any content. Just to make sure I'm setting it up right, you want the user to enter "reality.mozilla.org/blog" and be served content from "mozvr.ghost.io" while seeing the URL "reality.mozilla.org/blog" in their URL bar, right?
joeyk -- Additionally, it looks like to make HTTPS work correctly, I'll need to get an SSL cert for some subdomains of mozilla.org. I've requested that cert with email validation for:
reality.mozilla.org
r.mozilla.org
*.reality.mozilla.org
mixedreality.mozilla.org
mr.mozilla.org
xr.mozilla.org
vr.mozilla.org
ar.mozilla.org
Could you please needinfo whoever will be getting that email so I can get the cert so clients don't get cert mismatch errors by using a cloudfront cert when we're serving under a *.m.o domain name?
Flags: needinfo?(edunham)
Lars answered my question for Chris in the prior comment -- we want reality.mozilla.org/blog to ultimately yield content from mozillareality.ghost.io, not mozvr.ghost.io. Amazon is now giving me "Additional Verification Required" on the cert request process, so it'd be easier to just get someone with the authority to create a cert for the appropriate subdomains to do it and provide it to me. The subdomains are:
reality.mozilla.org
r.mozilla.org
*.reality.mozilla.org
mixedreality.mozilla.org
mr.mozilla.org
xr.mozilla.org
vr.mozilla.org
ar.mozilla.org
A GPG key of mine is at https://gpg.mozilla.org/pks/lookup?search=0xFC3BB5C6E975F82445FCECE472F93E29E56C5745&op=vindex and also linked from my Phonebook page. Needinfo-ing the wonderfully helpful joeyk so he can needinfo whoever has the power to make that cert -- thank you!
Flags: needinfo?(jkrejci)
Cert created via Autocert, GPG'd and emailed over to Emily. Closing this bug as the WebOps side is complete for now. Please re-open if there are any issues with the cert, thanks! - Joey K
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jkrejci)
Resolution: --- → FIXED
Thanks for the cert! The final step we need from your end to complete this is to redirect some *.mozilla.org subdomains to point at the CloudFront distribution. The subdomains we'd like you to redirect are: reality.mozilla.org r.mozilla.org mixedreality.mozilla.org mr.mozilla.org xr.mozilla.org ar.mozilla.org The address we'd like you to redirect them to is: d282x97lfr0v7m.cloudfront.net Also, who should we ask to track down what Cloudfront distribution vr.mozilla.org is pointing at, and which AWS account owns that distribution? As far as I can tell, it's already on Cloudfront, but it's not in ours and I'm not sure how to troubleshoot who has access to it. Thanks!
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/5716] → [kanban:https://webops.kanbanize.com/ctrl_board/2/6206]
Flags: needinfo?(jkrejci)
CNAMEs added to Inventory:
FQDN Target
mr.mozilla.org CNAME d282x97lfr0v7m.cloudfront.net
reality.mozilla.org CNAME d282x97lfr0v7m.cloudfront.net
r.mozilla.org CNAME d282x97lfr0v7m.cloudfront.net
mixedreality.mozilla.org CNAME d282x97lfr0v7m.cloudfront.net
xr.mozilla.org CNAME d282x97lfr0v7m.cloudfront.net
ar.mozilla.org CNAME d282x97lfr0v7m.cloudfront.net
As far as the Cloudfront Distro that vr.mozilla.org points at, it appears that it's on our IT-CDN account. Do you want me to get rid of it so your team can successfully own it?
Web EL2FE40LZLSL4 d2x8l6w5zbpr4p.cloudfront.net Bug 1317546 mozillareality.github.io
Distribution ID: EL2FE40LZLSL4
ARN: arn:aws:cloudfront::369987351092:distribution/EL2FE40LZLSL4
Log Prefix: -
Delivery Method: Web
Cookie Logging: Off
Distribution Status: Deployed
Comment: Bug 1317546
Price Class: Use All Edge Locations (Best Performance)
AWS WAF Web ACL: -
State: Enabled
Alternate Domain Names (CNAMEs): vr.mozilla.org
SSL Certificate: vr.mozilla.org (e0216d65-1df5-48e9-92f9-8389babc2192)
Domain Name: d2x8l6w5zbpr4p.cloudfront.net
Custom SSL Client Support: Only Clients that Support Server Name Indication (SNI)
Security Policy: TLSv1
Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0
IPv6: Enabled
Default Root Object: -
Last Modified: 2018-02-15 16:06 UTC-8
Log Bucket: -
Flags: needinfo?(jkrejci) → needinfo?(edunham)
Hello everyone,
Just a few clarifications.
vr/mr consumer website should be mixedreality.mozilla.org
vr.mozilla.org, mr.mozilla.org, ar.mozilla.org, xr.mozilla.org and mozvr.com should redirect to mixedreality.mozilla.org
Blog would ideally live at mixedreality.mozilla.org/blog but I'm open to other suggestions.
Thanks,
Dan
We had some setbacks today with unexpected CloudFront behavior. Joey, sorry to bother you again but could you change the CNAMEs to point at d3nhe9gi20ax35.cloudfront.net? We have replaced the old distribution. Thanks!
Flags: needinfo?(edunham) → needinfo?(jkrejci)
I think this can be closed - https://mixedreality.mozilla.org/ appears to be working correctly now!
Closing!
Status: REOPENED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jkrejci)
Resolution: --- → FIXED
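An added example (not part of the bug thread, and not Mozilla tooling): after a CNAME switch like the one requested above, a check that every alias points at the current distribution and is covered by a name on the certificate. The inventory text, the two hosts under `reality.mozilla.org` and all function names are constructed for illustration; wildcard names are matched against exactly one leftmost label.

```python
# Hostnames and distribution names come from the thread; everything else is constructed.
CURRENT_DIST = "d3nhe9gi20ax35.cloudfront.net"  # replacement distribution named in the thread
CERT_NAMES = [  # names listed in the certificate request in the thread
    "reality.mozilla.org", "r.mozilla.org", "*.reality.mozilla.org",
    "mixedreality.mozilla.org", "mr.mozilla.org", "xr.mozilla.org",
    "vr.mozilla.org", "ar.mozilla.org",
]
# Constructed mid-migration inventory (NOT the real records). The two hosts
# under reality.mozilla.org are hypothetical. Both line styles seen in the
# thread are accepted: "fqdn CNAME target" and "fqdn. TTL IN CNAME target."
SAMPLE_INVENTORY = """\
mixedreality.mozilla.org CNAME d3nhe9gi20ax35.cloudfront.net
mr.mozilla.org. 56 IN CNAME d3nhe9gi20ax35.cloudfront.net.
xr.mozilla.org CNAME d282x97lfr0v7m.cloudfront.net
shop.reality.mozilla.org CNAME d3nhe9gi20ax35.cloudfront.net
a.b.reality.mozilla.org CNAME d3nhe9gi20ax35.cloudfront.net
"""

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def san_covers(san, host):
    """True if one certificate name matches host; '*' stands for one label only."""
    san, host = norm(san), norm(host)
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host

def parse_inventory(text):
    """Return {fqdn: target} for every CNAME line; other lines are ignored."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        kinds = [f.upper() for f in fields]
        if "CNAME" in kinds[1:-1]:
            records[norm(fields[0])] = norm(fields[kinds.index("CNAME", 1) + 1])
    return records

def audit(text, expected_target, cert_names):
    """Return {fqdn: [problems]} for stale targets and hosts no cert name covers."""
    findings = {}
    for host, target in parse_inventory(text).items():
        problems = []
        if target != norm(expected_target):
            problems.append(f"CNAME points at {target}, expected {expected_target}")
        if not any(san_covers(s, host) for s in cert_names):
            problems.append("no certificate name covers this host")
        if problems:
            findings[host] = problems
    return findings
```

A stale target matters beyond availability: an alias left pointing at a distribution that has been replaced keeps resolving to whatever is served under that name.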