bug#32233: Cuirass: Berlin web API times out

bug#32233: Cuirass: Berlin web API times out

[Clément Lassieur]

Hi,

https://berlin.guixsd.org:8081/ times out.

I'm using the exact same config at home to try to reproduce the issue.

Clément

bug#32233: Cuirass: Berlin web API times out

[Ludovic Courtès]

Hello,

Clément Lassieur <clement@lassieur.org> skribis:

> https://berlin.guixsd.org:8081/ times out.

Note that Cuirass listens on localhost:8081, so you cannot reach it from
the outside (and it’s HTTP, too.)  There’s nginx that proxies things,
see guix-maintenance.git.

Now, with the version currently running, I can tell you that this URL is
not very interesting:

--8<---------------cut here---------------start------------->8---
$ wget -O -  http://localhost:8081
--2018-07-23 11:06:22--  http://localhost:8081/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8081... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-07-23 11:06:22 ERROR 404: Not Found.
--8<---------------cut here---------------end--------------->8---

:-)

Is the Web UI already in the current ‘cuirass’ package?  If so, what do
we need to change in the nginx config?

Thanks,
Ludo’.

bug#32233: Cuirass: Berlin web API times out

[Clément Lassieur]

Hello Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Hello,
>
> Clément Lassieur <clement@lassieur.org> skribis:
>
>> https://berlin.guixsd.org:8081/ times out.
>
> Note that Cuirass listens on localhost:8081, so you cannot reach it from
> the outside (and it’s HTTP, too.)  There’s nginx that proxies things,
> see guix-maintenance.git.

Ha :-)  I had forgotten about it!  So it's not a bug at all, closing it.

> Now, with the version currently running, I can tell you that this URL is
> not very interesting:
>
> --8<---------------cut here---------------start------------->8---
> $ wget -O -  http://localhost:8081
> --2018-07-23 11:06:22--  http://localhost:8081/
> Resolving localhost (localhost)... 127.0.0.1
> Connecting to localhost (localhost)|127.0.0.1|:8081... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2018-07-23 11:06:22 ERROR 404: Not Found.
> --8<---------------cut here---------------end--------------->8---
>
> :-)

Well yes, I was expecting 404, because even though it's not very
interesting, it shows that the url handler works.

> Is the Web UI already in the current ‘cuirass’ package?

Soon!  But I think we should change the NGINX config nonetheless because
the json API is useful.

> If so, what do we need to change in the nginx config?

I guess we could add:

--8<---------------cut here---------------start------------->8---
server {
    listen       8081 ssl;
    server_name  berlin.guixsd.org;

    ssl_certificate     /etc/letsencrypt/live/berlin.guixsd.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/berlin.guixsd.org/privkey.pem;

    # Make sure SSL is disabled.
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

    # Disable weak cipher suites.
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Use our own DH parameters created with:
    #    openssl dhparam -out dhparams.pem 2048
    # as suggested at <https://weakdh.org/sysadmin.html>.
    ssl_dhparam         /etc/dhparams.pem;

    access_log  /var/log/nginx/https.access.log;

    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://localhost:8081;
    }
}
--8<---------------cut here---------------end--------------->8---

I can do the commit if you want (and agree with the content), as you
wish.

Clément

bug#32233: Cuirass: Berlin web API times out

[Ludovic Courtès]

Clément Lassieur <clement@lassieur.org> skribis:

>> Is the Web UI already in the current ‘cuirass’ package?
>
> Soon!  But I think we should change the NGINX config nonetheless because
> the json API is useful.

The JSON API is available; see ‘berlin-locations.conf’.

>> If so, what do we need to change in the nginx config?
>
> I guess we could add:
>
> server {

[...]

>     location / {
>         proxy_pass http://localhost:8081;
>     }
> }

I think this change should go do ‘berlin-locations.conf’.  Feel free to
commit!

Thank you,
Ludo’.

bug#32233: Cuirass: Berlin web API times out

[Clément Lassieur]

Ludovic Courtès <ludo@gnu.org> writes:

> Clément Lassieur <clement@lassieur.org> skribis:
>
>>> Is the Web UI already in the current ‘cuirass’ package?
>>
>> Soon!  But I think we should change the NGINX config nonetheless because
>> the json API is useful.
>
> The JSON API is available; see ‘berlin-locations.conf’.
>
>>> If so, what do we need to change in the nginx config?
>>
>> I guess we could add:
>>
>> server {
>
> [...]
>
>>     location / {
>>         proxy_pass http://localhost:8081;
>>     }
>> }
>
> I think this change should go do ‘berlin-locations.conf’.

That would conflict with the '/' location of ports 80 and 443.  I was
rather thinking about using port 8081 for Cuirass.  In that case the
'server' block would be needed in berlin.conf.  We would also remove

    # Cuirass.
    location /specifications { proxy_pass http://localhost:8081; }
    location /jobsets { proxy_pass http://localhost:8081; }
    location /build { proxy_pass http://localhost:8081; }
    location /api { proxy_pass http://localhost:8081; }

from berlin-locations.conf.

Otherwise we need to think about what routes go to Cuirass and what
routes go to Guix publish.  Alternatively, we could use another domain
name with ports 80 and 443, but it's more work.

WDYT?

bug#32233: Cuirass: Berlin web API times out

[Ludovic Courtès]

Clément Lassieur <clement@lassieur.org> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Clément Lassieur <clement@lassieur.org> skribis:
>>
>>>> Is the Web UI already in the current ‘cuirass’ package?
>>>
>>> Soon!  But I think we should change the NGINX config nonetheless because
>>> the json API is useful.
>>
>> The JSON API is available; see ‘berlin-locations.conf’.
>>
>>>> If so, what do we need to change in the nginx config?
>>>
>>> I guess we could add:
>>>
>>> server {
>>
>> [...]
>>
>>>     location / {
>>>         proxy_pass http://localhost:8081;
>>>     }
>>> }
>>
>> I think this change should go do ‘berlin-locations.conf’.
>
> That would conflict with the '/' location of ports 80 and 443.  I was
> rather thinking about using port 8081 for Cuirass.  In that case the
> 'server' block would be needed in berlin.conf.  We would also remove
>
>     # Cuirass.
>     location /specifications { proxy_pass http://localhost:8081; }
>     location /jobsets { proxy_pass http://localhost:8081; }
>     location /build { proxy_pass http://localhost:8081; }
>     location /api { proxy_pass http://localhost:8081; }
>
> from berlin-locations.conf.

Hmm, I think nginx should still expose both the Cuirass HTTP API and UI
and ‘guix publish’ on ports 80 and 443.  So we just need to have:

  location / { proxy_pass http://localhost:8081; }

and then exceptions for ‘guix publish’:

  location \.narinfo { … }
  location /nar/ { … }
  location /log/ { … }
  location /file/ { … }

WDYT?  Or am I missing something?

Thanks,
Ludo’.

bug#32233: Cuirass: Berlin web API times out

[Clément Lassieur]

Ludovic Courtès <ludo@gnu.org> writes:

> Clément Lassieur <clement@lassieur.org> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Clément Lassieur <clement@lassieur.org> skribis:
>>>
>>>>> Is the Web UI already in the current ‘cuirass’ package?
>>>>
>>>> Soon!  But I think we should change the NGINX config nonetheless because
>>>> the json API is useful.
>>>
>>> The JSON API is available; see ‘berlin-locations.conf’.
>>>
>>>>> If so, what do we need to change in the nginx config?
>>>>
>>>> I guess we could add:
>>>>
>>>> server {
>>>
>>> [...]
>>>
>>>>     location / {
>>>>         proxy_pass http://localhost:8081;
>>>>     }
>>>> }
>>>
>>> I think this change should go do ‘berlin-locations.conf’.
>>
>> That would conflict with the '/' location of ports 80 and 443.  I was
>> rather thinking about using port 8081 for Cuirass.  In that case the
>> 'server' block would be needed in berlin.conf.  We would also remove
>>
>>     # Cuirass.
>>     location /specifications { proxy_pass http://localhost:8081; }
>>     location /jobsets { proxy_pass http://localhost:8081; }
>>     location /build { proxy_pass http://localhost:8081; }
>>     location /api { proxy_pass http://localhost:8081; }
>>
>> from berlin-locations.conf.
>
> Hmm, I think nginx should still expose both the Cuirass HTTP API and UI
> and ‘guix publish’ on ports 80 and 443.  So we just need to have:
>
>   location / { proxy_pass http://localhost:8081; }
>
> and then exceptions for ‘guix publish’:
>
>   location \.narinfo { … }
>   location /nar/ { … }
>   location /log/ { … }
>   location /file/ { … }
>
> WDYT?  Or am I missing something?

No :-)  Sounds good!

bug#32233: Cuirass: Berlin web API times out

[Clément Lassieur]

Clément Lassieur <clement@lassieur.org> writes:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>> Hmm, I think nginx should still expose both the Cuirass HTTP API and UI
>> and ‘guix publish’ on ports 80 and 443.  So we just need to have:
>>
>>   location / { proxy_pass http://localhost:8081; }
>>
>> and then exceptions for ‘guix publish’:
>>
>>   location \.narinfo { … }
>>   location /nar/ { … }
>>   location /log/ { … }
>>   location /file/ { … }
>>
>> WDYT?  Or am I missing something?
>
> No :-)  Sounds good!

Pushed!