Page MenuHomePhabricator
Create Task
Maniphest T10784

Deploy secure002.phacility.net
Closed, ResolvedPublic
Actions

Description

Writing things down makes me feel very important

Revisions and Commits

Restricted Differential RevisionRestricted Diffusion Commit
rP Phabricator
D15696rP66366137ffa9 Don't apply `security.require-https` to intracluster requests
D15695rP99be132ea21e Allow public users to make intracluster API requests

Related Objects
Search...

Event Timeline

epriestley created this task.Apr 12 2016, 6:06 PM
Herald added a subscriber: eadler. · View Herald TranscriptApr 12 2016, 6:06 PM
chad added a subscriber: chad.Apr 12 2016, 6:19 PM

[text intensifies]

epriestley added a comment.Apr 12 2016, 6:32 PM

I'm probably going to break all repositories momentarily. If I do, I'll try to fix them.

epriestley added a comment.Apr 12 2016, 7:06 PM

This sort of works now. The 002 node is live, just not reachable yet. Some weird stuff I hit:

  • I wasn't fiddling with security.require-https properly, so the service was redirecting and dropping headers/parameters. If the X-Phabricator-Cluster header is present, we could fail with a useful message instead of redirecting.
  • sudo permission for SSH for proxying on web/ssh nodes, kind of hard to auto-detect this.
avivey added a subscriber: avivey.Apr 12 2016, 8:05 PM

Logged-out users can't browse diffusion: ERR-INVALID-SESSION: Session key is not present.

avivey added a comment.Apr 12 2016, 8:06 PM

(I'm just guessing it has something to do with this, because ops)

epriestley added a comment.Apr 12 2016, 8:10 PM

Ah, yep, thanks.

epriestley mentioned this in T10751: Make Phabricator Highly Available.Apr 13 2016, 3:33 AM
joshuaspence added a subscriber: joshuaspence.Apr 13 2016, 7:47 AM
epriestley added a revision: D15695: Allow public users to make intracluster API requests.Apr 13 2016, 11:29 AM
epriestley added a revision: D15696: Don't apply `security.require-https` to intracluster requests.Apr 13 2016, 1:17 PM
epriestley added a revision: Restricted Differential Revision.Apr 13 2016, 1:20 PM
epriestley added a comment.Apr 13 2016, 1:22 PM
  • D15695 should fix logged-out users.
  • D15696 + D15697 should smooth out security.require-https for intracluster requests.
epriestley added a commit: rP99be132ea21e: Allow public users to make intracluster API requests.Apr 13 2016, 7:51 PM
epriestley added a commit: rP66366137ffa9: Don't apply `security.require-https` to intracluster requests.
epriestley added a commit: Restricted Diffusion Commit.Apr 14 2016, 12:06 PM
epriestley closed this task as Resolved.Apr 19 2016, 9:34 PM

Every service on secure is now supported by a redundant version in a separate AWS availability zone. Failover wouldn't be completely clean/automatic, but we could lose either node with zero data loss, and would have a very short path to promoting the remaining node as a full master.

(Technically, Drydock only has only one sbuild node and one saux node, so this isn't entirely true if you want to split hairs, but those services are nonessential in this configuration.)

chad awarded a token.Apr 19 2016, 10:29 PM
Phabricator · Built by Phacility