Webserver

website01.osuosl.theforeman.org
type OpenStack VM
OS CentOS Stream 9
CPUs 2
RAM 4GB
Storage /dev/sda (30GB): root, /dev/sdb (30GB): data (LVM)
Managed by website.pp

Domains

These domains are all hosted on the webserver.

  • theforeman.org, www.theforeman.org
  • downloads.theforeman.org

Fastly CDN

A Fastly CDN exists that sits in front of:

  • theforeman.org, www.theforeman.org
  • downloads.theforeman.org

For these, the webserver acts as a backend while the content is served from the Fastly CDN to users.

Configuration

The Fastly configuration happens through the ansible/fastly.yml Ansible playbook in this repository.

The major points of the configuration are:

  • Set the backend to <vhost>-backend.website01.osuosl.theforeman.org
  • Enable shielding: a central system fetches the assets and then distributes them across the CDN instead of each CDN node fetching them itself; this costs more CDN traffic but is usually faster
  • Configure a health-check and serve stale content when it fails

TLS

Fastly provides a shared certificate which has theforeman.org and *.theforeman.org as DNS Subject Alternative Names (SANs).

This certificate is signed by GlobalSign and we have a _globalsign-domain-verification TXT record in the theforeman.org DNS zone for verification of ownership.

DNS

Each vhost has a CNAME pointing at dualstack.p2.shared.global.fastly.net, which is the Fastly global, dualstack load balancer.

Alternatively one can use p2.shared.global.fastly.net for an IPv4-only setup.
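The TLS and DNS sections above together define what "correctly fronted by Fastly" means for a vhost: its CNAME points at the Fastly load balancer and the shared certificate's SANs cover it. The following added example (not code from the infra repository) audits the vhosts on this page against those two conditions; the DNS lookup is injected as a callable so the check runs offline against constructed data, and the SAN matching follows the usual rule that a wildcard covers exactly one leftmost label.

```python
"""Audit the Fastly-fronted vhosts from this page (added example, not repo code)."""
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Optional

# Values taken from this page; the audit compares against them.
FASTLY_CNAME = "dualstack.p2.shared.global.fastly.net"
VHOSTS = ["theforeman.org", "www.theforeman.org", "downloads.theforeman.org"]


def san_matches(hostname: str, san: str) -> bool:
    """True if `san` covers `hostname`; '*' matches a single leftmost label only."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):          # wildcard never spans a dot
        return False
    if pattern[0] == "*":
        # Require at least two labels after '*' so '*.org' style entries do not match.
        return len(pattern) > 2 and host[0] != "" and host[1:] == pattern[1:]
    return host == pattern


def covered_by_sans(hostname: str, sans: Iterable[str]) -> bool:
    return any(san_matches(hostname, san) for san in sans)


def audit(vhosts: Iterable[str], sans: Iterable[str],
          cname_of: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Per-vhost list of problems: wrong/missing CNAME or no certificate coverage."""
    sans = list(sans)
    findings: Dict[str, List[str]] = {}
    for vhost in vhosts:
        problems = []
        target = cname_of(vhost)
        if target is None or target.rstrip(".").lower() != FASTLY_CNAME:
            problems.append(f"CNAME is {target!r}, expected {FASTLY_CNAME}")
        if not covered_by_sans(vhost, sans):
            problems.append("not covered by the shared certificate SANs")
        findings[vhost] = problems
    return findings


def live_cert_sans(hostname: str) -> List[str]:
    """Fetch the DNS SANs the server presents for hostname (network; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
```

For a live run, pair `audit` with a resolver of your choice for `cname_of` and `live_cert_sans("www.theforeman.org")` for the SAN list; the apex entry is needed because `*.theforeman.org` does not cover `theforeman.org`.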

Volumes

/var/www is mounted on a separate block device. /var/www/vhosts contains the web roots themselves.

Firewall

There is no firewall on the machine itself. OpenStack has the following ports open:

  • 22/tcp (SSH)
  • 80/tcp (HTTP)
  • 443/tcp (HTTPS)