Page MenuHomePhabricator
Create Task
Maniphest T342398

Create mechanism to allow the use of vanity domains by projects behind the Cloud VPS shared HTTP proxy
Closed, ResolvedPublicFeature
Actions

Description

The most common reason for a Cloud VPS project to request a floating IP (sometimes called a "static IP" or a "public IP") is to support the use of a custom "vanity" domain for their webservice.

IPv4 addresses are a scarce resource. Name based virtual hosting including SNI for use with TLS have been invented in part to allow hosting services such as Cloud VPS to consolidate many webservices behind a single IP. Bypassing the Cloud VPS shared proxies also creates new PII exposure for project maintainers to deal with in the form of visitor IP addresses in their webservice logs.

A more ideal solution than handing out IP addresses would be support in the Cloud VPS proxy service for using a custom domain. I think it would be reasonable for this to require some amount of administrative review and support. There may certainly be more adopters if the process was easier than it is today, but I would honestly be surprised if it resulted in more than 1-2 new domain setup requests per month as a worst case.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Allow creating apex domainsopenstack/horizon/wmf-proxy-dashboardmain+19 -8
dynamicproxy: Allow zones not managed in Designateoperations/puppetproduction+20 -14
dynamicproxy: Allow creating proxy at zone apexoperations/puppetproduction+59 -43
P:wmcs::novaproxy: Fix nginx config orderoperations/puppetproduction+6 -4
P:wmcs::novaproxy: proxy http-01 challenges to acme-chiefoperations/puppetproduction+5 -0
P:acme_chief: allow enabling http-01 spportoperations/puppetproduction+6 -2
dynamicproxy: allow specifying different certs for each zoneoperations/puppetproduction+70 -53
dynamicproxy: add support for per-project zonesoperations/puppetproduction+17 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

bd808 created this task.Jul 20 2023, 9:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 20 2023, 9:23 PM
taavi subscribed.Jul 20 2023, 9:25 PM
bd808 added a comment.Jul 20 2023, 9:28 PM

Our Acme-chief system for provisioning Let's Encrypt certs has support for http-01 challenges. The ::profile::acme_chief class includes comments describing how to configure an nginx service to forward /.well-known/acme-challenge/... URLs to acme-chief for validation.

bd808 added a parent task: T342389: Add mwstake.org and wikiapiary.com to the domains handled by WMCS.Jul 20 2023, 9:28 PM
bd808 mentioned this in T339877: Allocate static IPs for MWStake.org.Jul 20 2023, 9:32 PM
bd808 added a comment.Jul 20 2023, 9:47 PM

Supporting apex domains (like example.com) may be fragile because of DNS limitations on CNAME usage. For subdomains (like my-tool.example.com or www.example.com) it should be sufficient to create a CNAME record in the external DNS provider's system that points the subdomain at our wmcloud.org host.

I don't think that providing DNS services or domain parking should be considered in-scope for this feature.

taavi added a comment.Jul 20 2023, 9:55 PM

Right now the Cloud VPS system makes a fairly heavy assumption that everything it handles has its DNS hosted on our Designate servers, and changing that is a somewhat large project.

A relatively simple solution would be to set up a new VM or two with the profile::wmcs::proxy::static profile (which was originally invented for the maps proxy), point a new (single) floating IP to that server and tell everyone using this system to ask us to manually update the mappings when they need those to be changed.

Frostly subscribed.Aug 26 2023, 4:27 AM
fnegri subscribed.Jan 12 2024, 6:48 PM
taavi moved this task from Unsorted to Web proxy on the Cloud-VPS board.Mar 11 2024, 1:04 PM
gerritbot added a comment.Mar 12 2024, 11:32 AM

Change 1010505 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] dynamicproxy: add support for per-project zones

https://gerrit.wikimedia.org/r/1010505

gerritbot added a project: Patch-For-Review.Mar 12 2024, 11:32 AM

Change 1010506 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] dynamicproxy: allow specifying different certs for each zone

https://gerrit.wikimedia.org/r/1010506

taavi mentioned this in T306039: Decision request - Toolforge external infrastructure domain usage.Mar 12 2024, 4:38 PM
gerritbot added a comment.Mar 14 2024, 5:46 PM

Change 1010505 merged by Majavah:

[operations/puppet@production] dynamicproxy: add support for per-project zones

https://gerrit.wikimedia.org/r/1010505

gerritbot added a comment.Mar 14 2024, 5:57 PM

Change 1010506 merged by Majavah:

[operations/puppet@production] dynamicproxy: allow specifying different certs for each zone

https://gerrit.wikimedia.org/r/1010506

Maintenance_bot removed a project: Patch-For-Review.Mar 14 2024, 6:30 PM
taavi added a comment.Mar 14 2024, 6:34 PM

The patches merged above add support for adding zones that are not visible to all projects, and configuring an individual zone to use a specific TLS certificate. I believe the next steps are, roughly, to:

  • Add support for zones that are not managed in Designate. This includes setting up the proxy to route http01 ACME challenges to the acme-chief host.
  • Add support for configuring proxies in the zone apex.
  • Figure out and document a process for enabling this on a project.
gerritbot added a comment.Mar 14 2024, 6:56 PM

Change 1011167 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:acme_chief: allow enabling http-01 spport

https://gerrit.wikimedia.org/r/1011167

gerritbot added a project: Patch-For-Review.Mar 14 2024, 6:56 PM

Change 1011168 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:wmcs::novaproxy: proxy http-01 challenges to acme-chief

https://gerrit.wikimedia.org/r/1011168

Slst2020 mentioned this in T365641: Floating IP for Wikispore.May 30 2024, 3:47 PM
JJMC89 added a parent task: T368236: Vanity domain for wikinyc.wmcloud.org (wikispore project).Jun 24 2024, 3:57 AM
Pharos subscribed.Jun 24 2024, 8:40 PM
gerritbot added a comment.Oct 28 2024, 4:10 PM

Change #1011167 merged by Majavah:

[operations/puppet@production] P:acme_chief: allow enabling http-01 spport

https://gerrit.wikimedia.org/r/1011167

Restricted Application added a project: cloud-services-team. · View Herald TranscriptOct 28 2024, 4:10 PM
gerritbot added a comment.Oct 28 2024, 4:16 PM

Change #1011168 merged by Majavah:

[operations/puppet@production] P:wmcs::novaproxy: proxy http-01 challenges to acme-chief

https://gerrit.wikimedia.org/r/1011168

Maintenance_bot removed a project: Patch-For-Review.Oct 28 2024, 4:31 PM
gerritbot added a comment.Oct 28 2024, 4:42 PM

Change #1083858 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:wmcs::novaproxy: Fix nginx config order

https://gerrit.wikimedia.org/r/1083858

gerritbot added a project: Patch-For-Review.Oct 28 2024, 4:42 PM
gerritbot added a comment.Oct 28 2024, 4:49 PM

Change #1083858 merged by Majavah:

[operations/puppet@production] P:wmcs::novaproxy: Fix nginx config order

https://gerrit.wikimedia.org/r/1083858

gerritbot added a comment.Oct 28 2024, 4:53 PM

Change #1083862 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] dynamicproxy: Allow creating proxy at zone apex

https://gerrit.wikimedia.org/r/1083862

gerritbot added a comment.Oct 28 2024, 5:19 PM

Change #1083868 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] dynamicproxy: Allow zones not managed in Designate

https://gerrit.wikimedia.org/r/1083868

taavi added a comment.Oct 29 2024, 4:11 PM

Note to self: we might want to add CAA records for any aliases that people will point CNAMEs to, to prevent people like me who have those configured from having cert issuance being rejected by that.

gerritbot added a comment.Oct 29 2024, 4:42 PM

Change #1084172 had a related patch set uploaded (by Majavah; author: Majavah):

[openstack/horizon/wmf-proxy-dashboard@main] Allow creating apex domains

https://gerrit.wikimedia.org/r/1084172

gerritbot added a comment.Oct 29 2024, 4:49 PM

Change #1083862 merged by Majavah:

[operations/puppet@production] dynamicproxy: Allow creating proxy at zone apex

https://gerrit.wikimedia.org/r/1083862

gerritbot added a comment.Oct 29 2024, 4:49 PM

Change #1083868 merged by Majavah:

[operations/puppet@production] dynamicproxy: Allow zones not managed in Designate

https://gerrit.wikimedia.org/r/1083868

gerritbot added a comment.Oct 29 2024, 4:52 PM

Change #1084172 merged by Majavah:

[openstack/horizon/wmf-proxy-dashboard@main] Allow creating apex domains

https://gerrit.wikimedia.org/r/1084172

Maintenance_bot removed a project: Patch-For-Review.Oct 29 2024, 5:30 PM
taavi added a comment.Oct 30 2024, 4:56 AM

https://lists.wikimedia.org/hyperkitty/list/cloud-admin@lists.wikimedia.org/thread/XHUP2ERZ2W6LHILNXZOPHC37ITDBZYW6/#XHUP2ERZ2W6LHILNXZOPHC37ITDBZYW6

joanna_borun triaged this task as Medium priority.Oct 30 2024, 3:27 PM
fnegri changed the task status from Open to In Progress.Oct 30 2024, 3:27 PM
taavi claimed this task.Nov 1 2024, 6:50 PM

Next up I think is to find a real project with real traffic that wants to give this a try.

taavi mentioned this in T378845: Migrate projects with floating IPs for web traffic via custom domains to the shared proxy.Nov 1 2024, 6:55 PM
fnegri added a comment.Nov 4 2024, 4:16 PM

I wonder if T376637: Enable use of web proxy for wikiwho.net domain could be one? Though they seem to want a redirect more than a real vanity url.

Samwalton9-WMF subscribed.Nov 5 2024, 12:33 PM
In T342398#10285184, @taavi wrote:

Next up I think is to find a real project with real traffic that wants to give this a try.

We're curious about this for The-Wikipedia-Library. One problem we have with it is that it's a hard URL to remember (https://wikipedialibrary.wmflabs.org/) - would this make it possible for us to do something like library.wikimedia.org, wikipedia.library.org, or wikipedialibrary.org? I'm not specifically attached to any of those, just trying to understand what the options are :)

taavi added a comment.Nov 5 2024, 4:56 PM
In T342398#10292421, @Samwalton9-WMF wrote:
In T342398#10285184, @taavi wrote:

Next up I think is to find a real project with real traffic that wants to give this a try.

We're curious about this for The-Wikipedia-Library. One problem we have with it is that it's a hard URL to remember (https://wikipedialibrary.wmflabs.org/) - would this make it possible for us to do something like library.wikimedia.org, wikipedia.library.org, or wikipedialibrary.org? I'm not specifically attached to any of those, just trying to understand what the options are :)

This is a 'bring your own domain' type feature - you would need to acquire and manage the (sub)domain on your own, with the Cloud VPS infrastructure only managing the parts required for the web proxy to work (unlike *.wmcloud.org where we handle everything).

taavi closed this task as Resolved.Nov 15 2024, 8:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits