Help:Using a web proxy to reach Cloud VPS servers from the internet - Wikitech
For reaching the internet from production servers, see HTTP proxy.
This page describes how to create a simple web proxy for a Cloud VPS instance.
Before you begin
Requirements
* Be a Project admin for the project that contains the instance you wish to proxy.
* Set up security groups properly (see § Security groups below for details).
Benefits
* Ensures that TLS encryption is used between the front proxy and the client.
* Saves an IPv4 address by using a name-based vhost instead; IPv4 addresses are a precious commodity on the modern internet.
* Protects both the end user and your Cloud VPS project from leaking the client IP address, which the Wikimedia Foundation considers personally identifiable information: the proxy hides the client address from your service, so your backend sees connections coming from the proxy rather than from the end user.
Creating a web proxy
1. Open the Horizon web interface.
2. Select your project.
3. Click "Network" in the left navigation menu.
4. Click "Web Proxies" inside the expanded "Network" section of the left navigation menu.
5. Click the "Create Proxy" button in the upper right of the page.
6. In the "Hostname" field, enter the hostname that you wish to have as the publicly visible name for your instance. Important: enter just the hostname (e.g. 'webtastic'), not the fully qualified name (e.g. 'webtastic.wmcloud.org').
7. Specify the domain for your instance using the "Domain" selector. If you want a domain that is not already present in the menu, a cloud admin (most likely a staff member) will need to create it for you.
8. Select the instance that you're creating a proxy for in the "Backend Instance" selector.
9. Enter the "Backend port" that the proxy should connect to on your instance. This will usually be the default value of 80 if you are running a normal web server installed from the system package manager. If you're using some other web server, refer to its documentation for the port to use.
10. Click "Create proxy".
An entry for the new web proxy should appear in the proxy table.
Note: if you have not done so yet, you may have to configure the security groups to let the proxy's traffic reach your VM (see § Security groups below).
From the terminal
Web proxies are a Cloud VPS specific construct and therefore cannot be created with the OpenStack command-line client. There is, however, an unofficial CLI written in Go, mkwebproxy, that creates web proxies programmatically.
Security groups
You may need to update your security group settings before the proxy can reach your instance, and thus before you can access it from an external browser. Some projects have set up a 'web' security group to make this easier, or have already added the common ports 80 and 8080 to their default security group.
The two ranges below are the internal Cloud VPS address space the shared web proxy connects from. Restricting the rules to them, rather than to 0.0.0.0/0 or ::/0, means the backend port is only reachable through the proxy, which is what keeps TLS termination and client IP hiding in place.
1. In the left-hand navigation, open "Network", then "Security Groups".
2. Select "Manage Rules" for the group you want to make available externally. If a security group does not exist yet, select "+Create Security Group", provide a name and description, and submit the form by clicking "Create Security Group".
3. Click "+Add Rule" to add a new rule that opens your proxied port.
4. Leave "Custom TCP Rule" as is, provide a "Description" if desired, ensure "Direction" is "Ingress", and set "Open Port" to "Port".
5. In "Port", provide the value you entered for "Backend port" when creating the proxy.
6. Ensure "Remote" is "CIDR".
7. For "CIDR" use 172.16.0.0/17.
8. Click "Add".
9. Repeat these steps to add a second rule for the 2a02:ec80:a000::/56 CIDR.
Next, add the instance to this new security group:
1. In the left-hand navigation, open "Compute", then "Instances".
2. In the drop-down for your instance, select "Edit Security Groups".
3. Under "All Security Groups", click the "+" sign beside the security group you just added to move it to "Instance Security Groups".
4. Click "Save".
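After finishing the procedure above, it is worth verifying that the group actually admits both proxy ranges on the backend port and nothing wider. The following checker is an added example written for this page, not part of the Wikitech documentation or the Cloud VPS tooling. It reads a JSON list of rules in the shape that `openstack security group rule list -f json` prints (the field names "IP Protocol", "Ethertype", "IP Range", "Port Range", "Direction" and "Remote Security Group" are an assumption about that output); the embedded rule set is a constructed sample, with one deliberately over-broad rule.

```python
"""Audit a Cloud VPS security group's ingress rules for a web-proxy backend.

Added example (not part of the Wikitech page or the Cloud VPS tooling).
The rule records are a constructed sample modelled on what
`openstack security group rule list -f json` prints; the field names used
here are an assumption about that output and may need adjusting.
"""
import ipaddress
import json

# Source ranges the shared web proxy connects from, as given on this page.
PROXY_SOURCE_RANGES = (
    ipaddress.ip_network("172.16.0.0/17"),
    ipaddress.ip_network("2a02:ec80:a000::/56"),
)

# Constructed sample: two correct proxy rules (r1, r2), one over-broad rule
# added while debugging (r3: port 80 open to the whole IPv4 internet), and
# the usual default egress rule (r4).
SAMPLE_RULES_JSON = """[
 {"ID": "r1", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "172.16.0.0/17",
  "Port Range": "80:80", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r2", "IP Protocol": "tcp", "Ethertype": "IPv6", "IP Range": "2a02:ec80:a000::/56",
  "Port Range": "80:80", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r3", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "80:80", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "r4", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": null,
  "Port Range": "", "Direction": "egress", "Remote Security Group": null}
]"""


def load_rules(text):
    """Parse the JSON list printed by the OpenStack client."""
    return json.loads(text)


def _port_range(rule):
    """Return (low, high) for a rule; an empty "Port Range" means all ports."""
    spec = rule.get("Port Range") or ""
    if not spec:
        return 1, 65535
    low, _, high = spec.partition(":")
    return int(low), int(high or low)


def _remote_network(rule):
    """CIDR the rule admits; no CIDR means any address of that ethertype."""
    cidr = rule.get("IP Range")
    if not cidr:
        cidr = "::/0" if rule.get("Ethertype") == "IPv6" else "0.0.0.0/0"
    return ipaddress.ip_network(cidr, strict=False)


def analyze_rules(rules, backend_port):
    """Report which proxy source ranges can reach backend_port over TCP and
    which rule IDs open that port to the entire internet (prefix length 0)."""
    reachable = {str(net): False for net in PROXY_SOURCE_RANGES}
    too_broad = []
    for rule in rules:
        if rule.get("Direction") != "ingress":
            continue
        if rule.get("IP Protocol") not in (None, "", "tcp"):
            continue  # udp/icmp rules cannot carry the proxy's HTTP traffic
        low, high = _port_range(rule)
        if not low <= backend_port <= high:
            continue
        if rule.get("Remote Security Group"):
            continue  # group-to-group rule, no CIDR to evaluate
        net = _remote_network(rule)
        for wanted in PROXY_SOURCE_RANGES:
            if wanted.version == net.version and wanted.subnet_of(net):
                reachable[str(wanted)] = True
        if net.prefixlen == 0:
            too_broad.append(rule["ID"])
    return {"reachable": reachable, "too_broad": too_broad}


if __name__ == "__main__":
    result = analyze_rules(load_rules(SAMPLE_RULES_JSON), 80)
    for net, ok in result["reachable"].items():
        print(f"{net}: {'reachable' if ok else 'BLOCKED'}")
    for rule_id in result["too_broad"]:
        print(f"rule {rule_id} exposes the backend port to the whole internet")
```

On the sample, port 80 is reachable from both proxy ranges and r3 is flagged; asking about port 8080 instead shows both ranges blocked, which is the symptom you would see as a proxy error if the "Backend port" entered in Horizon does not match the rule. To check a real group, replace the sample with the client's actual output.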
Delete unused web proxies
Once your instance is no longer in use, make sure to delete the unused web proxy. If you want to keep the domain but redirect somewhere else (for example, your tool has moved from Cloud VPS to Toolforge), you can use the redirects project to handle the redirect.
Other features
Migrate from a *.wmflabs.org proxy to a *.wmcloud.org proxy
Tracked in Phabricator: Task T256276 (Resolved)
Since 2020-07-06, newly created proxies use the wmcloud.org domain by default instead of the legacy wmflabs.org domain. Projects which have been using a *.wmflabs.org proxy can migrate to a *.wmcloud.org proxy by following these steps:
1. Create a new *.wmcloud.org proxy pointing to your backend service.
2. Test your service using the new hostname while the related *.wmflabs.org proxy still exists.
3. Once you are ready to redirect all traffic to the *.wmcloud.org hostname, just delete the legacy *.wmflabs.org proxy. The Cloud VPS HTTP proxy service will automatically issue a redirect from .wmflabs.org to .wmcloud.org when there is no existing proxy for the .wmflabs.org name.
wmcloud.org zone delegations
If your project needs a particularly large number of domains, the Cloud VPS admins can configure an entire subdomain of wmcloud.org to be used by the web proxy in your project. This allows using names such as some-service.your-project.wmcloud.org. To request such a configuration, please file a Phabricator task in the Cloud-VPS project.
A wildcard proxy (*) can also be configured in a delegated domain to send traffic with no specific backend to a default backend.
Administrator documentation for setting this up is at Portal:Cloud VPS/Admin/Web proxy#Enable per-project subdomain delegation.
Vanity domains
Tracked in Phabricator: Task T342398
It is possible to use your own web domain name for a web proxy. This requires:
* a justification why a wmcloud.org subdomain cannot be used instead (for example, your project is being transferred from a well-established external website, or an organization wishes to keep using its domain for branding reasons);
* filing a Phabricator task in the Cloud-VPS project. If approved, WMCloud admins will add a manual configuration to your project.
You will need to point your domain to the Cloud VPS proxy:
Root domains
If your DNS provider supports aliasing at the root domain (this might be called "CNAME flattening", "ALIAS", "ANAME", or something similar), you can use that to point to the proxy.project-proxy.eqiad1.wmcloud.org service name. Otherwise, add an A record pointing to the proxy's IPv4 address 185.15.56.49, as well as an AAAA record pointing to the proxy's IPv6 address 2a02:ec80:a000:1::1d.
Subdomains
Add a CNAME record pointing to proxy.project-proxy.eqiad1.wmcloud.org.
Once the domain has been pointed to the proxy, notify the Cloud VPS admin handling your request and they will complete the remaining setup on the proxy side. Each individual domain name to be used needs to be configured individually; for example, example.org and www.example.org are considered different names.
When configuring the web proxy, use in the "Hostname" field to use the domain specified in the "Domain" dropdown without an additional subdomain.
Note that each individual (sub)domain needs to be manually configured to have a valid TLS certificate issued. It is not currently possible to acquire wildcard certificates for domains whose DNS hosting is not handled by the Cloud VPS authoritative name servers. Those servers have not previously been used to host custom domains, and any future such use would require extensive discussion among Cloud VPS admins on whether that is a use case they want to support.
Please notify the Cloud VPS admins before removing any DNS mappings to the Cloud VPS proxy so that they can remove the TLS certificate configuration.
Administrator documentation for setting this up is at Portal:Cloud VPS/Admin/Web proxy#Enable support for a custom domain.
TLS for backend traffic
Tracked in Phabricator: Task T274386
When creating a proxy, it is possible to specify https as the protocol for traffic from the shared proxy to the backend service, instead of the default plaintext http. The shared proxy will not verify the TLS certificate presented by the backend service, so any self-signed certificate will work.
This option still allows testing setups where the backend service expects inbound traffic to be encrypted, and it protects the proxy-to-backend hop against passive eavesdropping. Because the certificate is not verified, it does not authenticate the backend: an attacker able to actively intercept traffic between the proxy and the backend could present their own certificate without being detected.
Troubleshooting
There are two reasons why web pages cannot be served by a default Cloud VPS instance:
1. Instances are closed off from outside networks with a firewall. You must open holes in the firewall by editing the security groups for your project.
2. Instances are assigned private IP addresses that are only visible from within Cloud VPS. This can be addressed by assigning your instance a public IP or by creating a web proxy.
Communication and support
Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:
* Discuss and receive general support: chat in real time in the IRC channel #wikimedia-cloud or the bridged Telegram group, or discuss via email after you have subscribed to the cloud@ mailing list.
* Stay aware of critical changes and plans: subscribe to the cloud-announce@ mailing list (all messages are also mirrored to the cloud@ list), and read the News wiki page.
* Track work tasks and report bugs: use a subproject of the #Cloud-Services Phabricator project to track confirmed bug reports and feature requests about the Cloud Services infrastructure itself.
* Read stories and WMCS blog posts: read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog).