Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Moving HTTPD configuration to SSM parameters #2

Merged
merged 13 commits into from
May 30, 2024
Merged

Moving HTTPD configuration to SSM parameters #2

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
5b365f7
Tearing out EFS references, building a new write_site
jpl-btlunsfo May 23, 2024
0d277b3
troubleshooting write_site, updating dockerfile
jpl-btlunsfo May 23, 2024
7739464
Moving all of the new SSM parameters
jpl-btlunsfo May 23, 2024
32733ef
formatting
jpl-btlunsfo May 28, 2024
d85bc77
readding tags variable due to MC requirements
jpl-btlunsfo May 29, 2024
9f11726
temporarily changing default httpd_proxy because the MC's installGate…
jpl-btlunsfo May 29, 2024
287af36
Adding AmazonSSMReadOnlyAccess to ECS task
jpl-btlunsfo May 29, 2024
8cafef3
updating ssm entery per testing
jpl-btlunsfo May 29, 2024
ffb8daf
updating readme
jpl-btlunsfo May 30, 2024
6bc5759
adding mod_proxy_html to dockerfile
jpl-btlunsfo May 30, 2024
da2db13
Adding substitute module
jpl-btlunsfo May 30, 2024
4c8364c
adjusting ssm naming
jpl-btlunsfo May 30, 2024
a1770a7
updating examples
jpl-btlunsfo May 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
98 changes: 68 additions & 30 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,61 +6,99 @@ To enable/disable modules, update and change the HTTPD installation then there i

The webservers default port is also 8080 to let it traverse the MCP NACL.

When deployed this terraform code creates an ECS cluster, with an EFS backend that then allows us to store apache configs
in a filesystem that wont vanish when it restarts. As such the EFS filesystem also needs a way to create new files, this is
done via a lambda function that writes valid apache config files to the EFS mount.
When deployed this terraform code creates an ECS cluster, with a baseline set of SSM parameters that other services can then extend with their own Apache HTTPD configurations. The configurations are pulled down and collated by the container on restart, so reloading of the configuration after changes is handled by triggering a lambda function.

A sample trigger:
A sample configuration snippet and trigger:
```
variable "template" {
default = <<EOT
RewriteEngine on
ProxyPass /sample http://test-demo-alb-616613476.us-west-2.elb.amazonaws.com:8888/sample/hello.jsp
ProxyPassReverse /sample http://test-demo-alb-616613476.us-west-2.elb.amazonaws.com:8888/sample/hello.jsp
resource "aws_ssm_parameter" "managementproxy_config" {
depends_on = [aws_ssm_parameter.managementproxy_closevirtualhost]
name = "/unity/${var.project}/${var.venue}/cs/management/proxy/configurations/010-management"
type = "String"
value = <<-EOT

RewriteEngine on
jpl-btlunsfo marked this conversation as resolved.
Show resolved Hide resolved
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule /management/(.*) ws://${var.mgmt_dns}/$1 [P,L]
<Location "/management/">
ProxyPass http://${var.mgmt_dns}/
ProxyPassReverse http://${var.mgmt_dns}/
ProxyPreserveHost On
FallbackResource /management/index.html
</Location>

EOT
}

resource "aws_lambda_invocation" "demoinvocation2" {
function_name = "ZwUycV-unity-proxy-httpdproxymanagement"

input = jsonencode({
filename = "example_filename1",
template = var.template
})

function_name = "qQGkGB-unity-proxy-httpdproxymanagement"
}
```
The config files are written as flat configs. They are then used inside a main apache2 config like this:


The configuration is collated from SSM parameters residing under `/unity/${var.project}/${var.venue}/cs/management/proxy/configurations/`, and assembled like so:
```
<VirtualHost *:8080>
Include /etc/apache2/sites-enabled/mgmt.conf
### ADD MORE HOSTS BELOW THIS LINE

RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule /management/(.*) ws://internal-unity-mc-alb-hzs9j-1269535099.us-west-2.elb.amazonaws.com:8080/$1 [P,L]
<Location "/management/">
ProxyPass http://internal-unity-mc-alb-hzs9j-1269535099.us-west-2.elb.amazonaws.com:8080/
ProxyPassReverse http://internal-unity-mc-alb-hzs9j-1269535099.us-west-2.elb.amazonaws.com:8080/
ProxyPreserveHost On
FallbackResource /management/index.html
</Location>

</VirtualHost>
```

They will be added as additional config files below the comment line. The httpd task is then restarted to allow the
config to then take effect.
Live checking of the "current" configuration may be accomplished with `write_site.py` in a local environment:
```
% DEBUG=yes UNITY_PROJECT=btlunsfo UNITY_VENUE=dev11 python write_site.py
<VirtualHost *:8080>

There is currently no way to remove files or fix a broken config other than mounting the EFS mount into an EC2 server and making changes.
To do this you will need to edit the security group to allow access to the EC2 box and then install the EFS utils.
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule /management/(.*) ws://internal-unity-mc-alb-hzs9j-1269535099.us-west-2.elb.amazonaws.com:8080/$1 [P,L]
<Location "/management/">
ProxyPass http://internal-unity-mc-alb-hzs9j-1269535099.us-west-2.elb.amazonaws.com:8080/
ProxyPassReverse http://internal-unity-mc-alb-hzs9j-1269535099.us-west-2.elb.amazonaws.com:8080/
ProxyPreserveHost On
FallbackResource /management/index.html
</Location>

## Manually adding a file/template
</VirtualHost>

One can execute the httpdmanager lambda function directly with the following json syntax:
```

This repository configures only one virtualhost (both open and close directives), but others may be added. This can be accomplished by simply adding more SSM parameters:
```
{
"filename": "example-extension",
"template": "SSLProxyEngine On\nProxyPreserveHost On\n\nProxyPass \/hub https:\/\/jupyter.us-west-2.elb.amazonaws.com:443\/hub\/\nProxyPassReverse \/hub https:\/\/jupyter.us-west-2.elb.amazonaws.com:443\/hub\/"
resource "aws_ssm_parameter" "managementproxy_openvirtualhost" {
name = "/unity/${var.project}/${var.venue}/cs/management/proxy/configurations/001-openvirtualhost"
jpl-btlunsfo marked this conversation as resolved.
Show resolved Hide resolved
type = "String"
value = <<-EOT
<VirtualHost *:8080>
EOT
}

resource "aws_ssm_parameter" "managementproxy_closevirtualhost" {
depends_on = [aws_ssm_parameter.managementproxy_openvirtualhost]
name = "/unity/${var.project}/${var.venue}/cs/management/proxy/configurations/100-closevirtualhost"
jpl-btlunsfo marked this conversation as resolved.
Show resolved Hide resolved
type = "String"
value = <<-EOT
</VirtualHost>
EOT
}
```
NOTE the names of each of these SSM parameters:
- 001-openvirtualhost
- 010-management
- 100-closevirtualhost

The template must be json encoded. I've used https://nddapp.com/json-encoder.html successfully.

For additional virtualhosts, please pick an ordinal number range that is *greater* than 100 (e.g. 101-openTestHost, 120-closeTestHost).

## How do I know what to add in the 'template' file above?
We are not perfect human beings. In order to iterate quickly on the above templat contents, we have created a development proxy environment that can be tested mostly locally. Check out the `develop` directory for instructions.
Loading