Merge branch 'fix-proxied-url-hostnames'

srobo · Nov 11, 2023 · 82db46b · 82db46b
2 parents e23c89e + 73833a9
commit 82db46b
Show file tree

Hide file tree

Showing 7 changed files with 15 additions and 5 deletions.
diff --git a/group_vars/all.yml b/group_vars/all.yml
@@ -1,4 +1,8 @@
 ---
+# Hostnames which are accepted as valid for this host (and not redirected away
+# from) even though they are not the canonical name.
+secondary_hostnames: []
+
 certbot_auto_renew: true
 certbot_auto_renew_user: root
 certbot_auto_renew_hour: "3"

diff --git a/host_vars/competitorsvcs.studentrobotics.org.yml b/host_vars/competitorsvcs.studentrobotics.org.yml
@@ -1,6 +1,10 @@
 ---
 canonical_hostname: competitorsvcs.studentrobotics.org
 secondary_hostnames:
+  # Include our primary canonical hostname so that requests via the proxy there
+  # aren't redirected. This is needed (rather than overriding the Host header
+  # with the actual domain) so that urls generated by services hosted services
+  # include the right domain.
   - studentrobotics.org
 
 add_hsts_header: true

diff --git a/host_vars/monty.studentrobotics.org.yml b/host_vars/monty.studentrobotics.org.yml
@@ -1,6 +1,5 @@
 ---
 canonical_hostname: studentrobotics.org
-secondary_hostnames:
 
 add_hsts_header: true
 certbot_create_if_missing: true

diff --git a/host_vars/sr-compsvc.yml b/host_vars/sr-compsvc.yml
@@ -3,6 +3,9 @@
 
 canonical_hostname: sr-compsvc
 secondary_hostnames:
+  # See explanation in host_vars/competitorsvcs.studentrobotics.org.yml for why
+  # we include the proxy hostname here.
+  - sr-proxy
 
 add_hsts_header: false
 certbot_create_if_missing: false
diff --git a/host_vars/sr-proxy.yml b/host_vars/sr-proxy.yml
@@ -2,7 +2,6 @@
 # This is a dev VM created by Vagrant.
 
 canonical_hostname: sr-proxy
-secondary_hostnames:
 
 add_hsts_header: false
 certbot_testmode: true

diff --git a/roles/competitor-services-nginx/templates/nginx.conf b/roles/competitor-services-nginx/templates/nginx.conf
@@ -70,7 +70,7 @@ http {
     # several server blocks can listen to the same port).
     listen         443 ssl;
     listen         [::]:443 ssl;
-    server_name    {{ canonical_hostname }} {{ secondary_hostnames }};
+    server_name    {{ canonical_hostname }} {% for name in secondary_hostnames %}{{ name }} {% endfor %};
     root           /var/www;
 
     proxy_pass_request_headers on;

diff --git a/roles/srobo-nginx/templates/nginx.conf b/roles/srobo-nginx/templates/nginx.conf
@@ -94,7 +94,7 @@ http {
     # several server blocks can listen to the same port).
     listen         443 ssl;
     listen         [::]:443 ssl;
-    server_name    {{ canonical_hostname }} {{ secondary_hostnames }};
+    server_name    {{ canonical_hostname }} {% for name in secondary_hostnames %}{{ name }} {% endfor %};
     root           /var/www;
 
     proxy_pass_request_headers on;
@@ -123,7 +123,8 @@ http {
         # starting up, even if in a degraded mode.
         set $competitorsvcs 'competitorsvcs.studentrobotics.org';
         proxy_pass https://$competitorsvcs/code-submitter/;
-        proxy_set_header Host $competitorsvcs;
+        # Note: don't set a Host header as we want the code-submitter to use our
+        # public hostname, not the hostname of the underlying machine.
       }
     {% endif %}