# Webserver

| website01.osuosl.theforeman.org | |
|---|---|
| type | OpenStack VM |
| OS | CentOS Stream 9 |
| CPUs | 2 |
| RAM | 4GB |
| Storage | /dev/sda (30GB): root, /dev/sdb (30GB): data (LVM) |
| Managed by | website.pp |
## Domains

These domains are all hosted on the webserver.
- theforeman.org, www.theforeman.org
- downloads.theforeman.org
## Fastly CDN

A Fastly CDN exists that sits in front of:
- theforeman.org, www.theforeman.org
- downloads.theforeman.org
For these, the webserver acts as the origin backend, while users are served the content from the Fastly CDN.

### Configuration

The Fastly configuration is applied through the `ansible/fastly.yml` Ansible playbook in this repository.

The major points of the configuration are:

- Set the backend to `<vhost>-backend.website01.osuosl.theforeman.org`
- Enable shielding: a central system fetches the assets and then distributes them across the CDN, instead of each CDN node fetching them itself. This costs more CDN traffic but is usually faster.
- Configure a health check and serve stale content when it fails
### TLS

Fastly provides a shared certificate which has `theforeman.org` and `*.theforeman.org` as DNS subject alternative names. This certificate is signed by GlobalSign, and we have a `_globalsign-domain-verification` TXT record in the `theforeman.org` DNS zone for verification of ownership.
### DNS

Each vhost has a CNAME pointing at `dualstack.p2.shared.global.fastly.net`, which is the Fastly global dual-stack (IPv4 and IPv6) load balancer. Alternatively one can use `p2.shared.global.fastly.net` for an IPv4-only setup.
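The TLS and DNS sections above describe a layout that is easy to drift from (a vhost whose CNAME bypasses Fastly, or a hostname the shared `*.theforeman.org` certificate does not actually cover). The following is an added example, not code from this repository, that audits a vhost against that documented layout using a constructed, offline sample of resolver answers in place of real DNS lookups; the `audit_vhost` and `san_matches` names are the example's own.

```python
"""Audit a vhost against the documented Fastly CDN layout (added example)."""

FASTLY_DUALSTACK = "dualstack.p2.shared.global.fastly.net"
FASTLY_IPV4 = "p2.shared.global.fastly.net"
# Subject alternative names of the shared Fastly certificate described above.
CERT_SANS = ("theforeman.org", "*.theforeman.org")

# Constructed sample of CNAME answers; a real audit would query DNS instead.
SAMPLE_CNAMES = {
    "www.theforeman.org": "dualstack.p2.shared.global.fastly.net",
    "downloads.theforeman.org": "p2.shared.global.fastly.net",
    "stale.theforeman.org": "website01.osuosl.theforeman.org",  # skips the CDN
}


def san_matches(san, hostname):
    """RFC 6125 style wildcard match: '*' only as the whole leftmost label,
    matching exactly one label, so '*.theforeman.org' does not cover the apex
    'theforeman.org' nor 'a.b.theforeman.org'."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    same_depth = len(hostname.split(".")) == len(san.split("."))
    return same_depth and hostname.endswith(san[1:])


def audit_vhost(vhost, cnames=SAMPLE_CNAMES, sans=CERT_SANS, ipv6=True):
    """Return a list of findings; an empty list means the vhost matches the
    documented layout (CNAME at the Fastly endpoint, covered by the cert)."""
    findings = []
    expected = FASTLY_DUALSTACK if ipv6 else FASTLY_IPV4
    target = cnames.get(vhost)
    if target is None:
        findings.append(f"{vhost}: no CNAME found")
    elif target not in (FASTLY_DUALSTACK, FASTLY_IPV4):
        findings.append(f"{vhost}: CNAME {target} bypasses the Fastly CDN")
    elif target != expected:
        kind = "dualstack" if ipv6 else "IPv4-only"
        findings.append(f"{vhost}: CNAME {target} is not the {kind} endpoint")
    if not any(san_matches(s, vhost) for s in sans):
        findings.append(f"{vhost}: not covered by certificate SANs {sans}")
    return findings


if __name__ == "__main__":
    for host in SAMPLE_CNAMES:
        print(host, audit_vhost(host) or "OK")
```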
## Volumes

`/var/www` is mounted on a separate block device. `/var/www/vhosts` contains the web roots themselves.
## Firewall

There is no firewall on the machine itself. OpenStack has the following ports open:
- 22/tcp (SSH)
- 80/tcp (HTTP)
- 443/tcp (HTTPS)