Remove explicit IP bind in Apache Config #56

Open
benibr opened this issue Apr 18, 2024 · 2 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@benibr
Contributor

benibr commented Apr 18, 2024

To make the whole setup ready for deployment on multiple hosts, I guess it's a good idea to remove the Apache Listens on the different domains, let them listen on 0.0.0.0 & ::/0 by default, and only select vhosts by hostname.
That way containers could be started easily on any host, enabling the option of having multiple IPs per domain in DNS, using a load balancer which forwards traffic to application servers running MiGrid, or even using Anycast routing.
Also, this would make the Apache config way simpler :-)

@jonasbardino jonasbardino added enhancement New feature or request help wanted Extra attention is needed labels Apr 19, 2024
@jonasbardino
Contributor

Thanks for the suggestion - the use cases you mention seem quite reasonable, especially in a future fully distributed container setup.
I think this would mainly have to be implemented as a generateconf option in the core migrid codebase, and I can see at least one immediate issue with using it on existing sites where the webdavs service happens to run on the same host/vm as apache. In that situation apache will hijack port 443 on all IPs including the IO host, which is normally used for webdavs, even if only firewall-forwarded to an actual high port where the non-privileged mig user can listen. The openid service also preferably should be exposed on port 443 for firewall-friendliness, but I think that part is already solved with the transparent apache proxy to the high port.
A similar solution could perhaps be developed for webdavs, and in that case it would probably gain performance from moving the whole TLS handling into apache and only proxying internally to the raw openid service.

@benibr
Contributor Author

benibr commented Apr 30, 2024

Ah okay, since I only remember WebDAVs using port 4443, I thought that would already be the same as with OpenID.
Anyway, I think the MiGrid project should be guided in a direction without those IP bindings to become more flexible and easier to configure.
I strongly advise against making this an option in generateconfs.py, as the apache config generation is already extremely complicated and would suffer even more.
I also agree that TLS offloading in Apache is a good idea.
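
The port 443 overlap raised in this thread can be checked before switching from IP-bound to wildcard listeners. The following is an added example, not part of the issue or of the MiGrid code base: it parses Apache `Listen` directives and reports which other services already claim the same address and port. The addresses, the service inventory and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configs and inventory (illustrative, not MiGrid's own files).
APACHE_IP_BOUND = "Listen 192.0.2.10:443\nListen 192.0.2.11:443 https\n"
APACHE_WILDCARD = "Listen 443  # no explicit IP: binds every local address\n"
# Hypothetical (name, ip, port) that other daemons on the host claim, whether
# bound directly or reached through a firewall forward to a high port.
OTHER_SERVICES = [("webdavs", "192.0.2.20", 443), ("example-daemon", "192.0.2.20", 8443)]

LISTEN_RE = re.compile(r"^\s*Listen\s+(?:(\[[^\]]+\]|[^\s:\[]+):)?(\d+)(?:\s+\S+)?\s*$", re.I)


def parse_listens(conf):
    """Return [(address or None, port)]; None means a bare port (all addresses)."""
    listens = []
    for line in conf.splitlines():
        m = LISTEN_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            host = m.group(1)
            addr = ipaddress.ip_address(host.strip("[]")) if host else None
            listens.append((addr, int(m.group(2))))
    return listens


def covers(listen_addr, ip):
    """True if a Listen on listen_addr would also accept connections to ip."""
    if listen_addr is None:
        return True
    if listen_addr.is_unspecified:  # 0.0.0.0 or [::]; treated as own family only
        return listen_addr.version == ip.version
    return listen_addr == ip


def conflicts(conf, services):
    """Names of services whose ip:port an Apache Listen in conf would also claim."""
    listens = parse_listens(conf)
    return sorted(
        name for name, ip, port in services
        if any(p == port and covers(a, ipaddress.ip_address(ip)) for a, p in listens)
    )


if __name__ == "__main__":
    for label, conf in (("ip-bound", APACHE_IP_BOUND), ("wildcard", APACHE_WILDCARD)):
        print(label, "->", conflicts(conf, OTHER_SERVICES) or "no overlap")
```

A non-empty result for the wildcard variant marks the services that would first need to move behind an Apache proxy or onto a different port.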
