create ssl cert per vhost, not one monster #2129

Merged: 1 commit, Oct 29, 2024

Conversation

@evgeni (Member) commented Sep 18, 2024

No description provided.

@evgeni evgeni force-pushed the split-https branch 2 times, most recently from 2f6f03b to e86d51f Compare September 18, 2024 09:36
@evgeni evgeni marked this pull request as ready for review September 18, 2024 09:40
@ekohl (Member) left a comment

tl;dr: 👍 on the concept, some implementation notes inline.

I recently read there's some benefit in having all names on a certificate so browsers can reuse connections, but given we're mostly behind a CDN I think the benefit of that is really limited and the operational simplicity of one cert per vhost is way more important.

In the installer we use datacat to gather all values so you could do it that way per host, but it's complex. Also, the module is unmaintained and collections is a maintained alternative.

Review threads:
- puppet/modules/web/manifests/init.pp (outdated, resolved)
- puppet/modules/web/manifests/vhost.pp (resolved)
@ehelms (Member) commented Sep 18, 2024

This solution works for me as an approach. Thanks for taking a look.

@evgeni (Member, Author) commented Oct 28, 2024

Finally updated!

@ehelms (Member) left a comment

LGTM, but @ekohl should give the final stamp of approval

Comment (Member):

Looks like we could migrate this to using web::vhost as well after this change.

https://webmasters.stackexchange.com/questions/97005/setting-x-forwarded-proto-under-apache-2-4 suggests you can also use `RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}` to make it dynamic, meaning it's going to be the same directive for HTTP and HTTPS.

I can submit a follow-up PR to do so.
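Added illustration, not code from this PR or from the project's Puppet module: a plain Apache httpd 2.4 configuration that shows the two ideas discussed above side by side, one certificate and key per HTTPS vhost instead of a single certificate carrying every name, and the `RequestHeader` directive from the linked answer written once and reused unchanged in the plain-HTTP and HTTPS vhosts. All hostnames, backend addresses and file paths are constructed placeholders.

```apache
# Added example (not the project's own configuration).
# Needs mod_ssl, mod_headers, mod_proxy and mod_proxy_http.
# Hostnames, backend address and file paths are constructed placeholders.

# The same directive works on both ports: REQUEST_SCHEME is evaluated per
# request, so it yields "http" or "https" depending on how the request arrived.
<VirtualHost *:80>
    ServerName www.example.org
    RequestHeader set X-Forwarded-Proto "expr=%{REQUEST_SCHEME}"
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>

# One certificate per vhost: this file only covers www.example.org, so a
# failed or delayed renewal for another site cannot take this one down, and
# the certificate does not enumerate every hostname served by this box.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.org.key
    RequestHeader set X-Forwarded-Proto "expr=%{REQUEST_SCHEME}"
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>

# A second site with its own certificate. Apache selects between the two
# port-443 vhosts by the SNI name the client sends; the first vhost listed
# is the default for clients that send no SNI.
<VirtualHost *:443>
    ServerName docs.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/docs.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/docs.example.org.key
    RequestHeader set X-Forwarded-Proto "expr=%{REQUEST_SCHEME}"
    ProxyPass        "/" "http://127.0.0.1:8081/"
    ProxyPassReverse "/" "http://127.0.0.1:8081/"
</VirtualHost>
```

Two caveats worth checking when deploying something like this. First, `RequestHeader set` overwrites any `X-Forwarded-Proto` an upstream CDN already sent, and `REQUEST_SCHEME` describes the CDN-to-origin hop, not the browser-to-CDN hop; if the CDN terminates TLS for clients but talks plain HTTP to the origin, the backend will see `http` and may emit insecure redirects. Second, as noted earlier in the thread, separate certificates mean browsers cannot coalesce HTTP/2 connections across the sites, which is the trade-off accepted here in exchange for simpler per-vhost issuance and renewal.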

@evgeni (Member, Author):

Please :)

@evgeni evgeni merged commit 9682658 into master Oct 29, 2024
2 checks passed
@evgeni evgeni deleted the split-https branch October 29, 2024 09:59
3 participants