Move Fastly in front of more of Haskell.org
Closed, Resolved (Public)

Description

While we had T38 to deal with CloudFlare and T48 for cache policies, I think we should drop both of these in favor of moving Fastly in front of our systems at large. In general it just seems to perform a lot better; for example, using the Fastly CDN URL for Phabricator itself (logged into my account, viewing the homepage, which has a lot of stuff for me, both static and dynamic):

CloudFlare on the left, Fastly on the right. In general I've never noticed it as slower, and in scenarios where there was some lag, I noticed Fastly being up to 50% faster in overall load time. So I think this is a win to deploy at large, although we can of course migrate off CloudFlare incrementally as we need to.

austin created this task. May 29 2015, 2:05 AM
austin updated the task description. (Show Details)
austin raised the priority of this task from to High.
austin claimed this task.
austin changed the edit policy from "All Users" to "Haskell.org Infrastructure (Project)".
austin added subscribers: austin, davean.
austin reassigned this task from austin to davean. Jun 22 2015, 4:25 PM

Okay, so I fixed a stupid infinite redirect issue in the Fastly configurations. Nginx was redirecting port 80 requests to port 443 by default for Phab (using the same hostname in the 302 HTTP response), and Fastly was configured to use port 80 as the backend, instead of port 443. So it would request, get a 302 redirect back to the same hostname on port 443 and hit *itself* through DNS and get another loop. Whoops!

Okay, but now the SSL certificates aren't working. @davean, you *said* we had a wildcard - but we don't. I think we're on their shared SAN certificate:

$  openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -connect hackage.haskell.org:443 </dev/null 2>/dev/null|openssl x509 -outform PEM | openssl x509 -text | grep haskell.org
                ... DNS:downloads.haskell.org, DNS:hackage.haskell.org ...

That's no wildcard. I also distinctly remember getting DigiCert emails when we got SSL requests serviced...

@davean, can you contact Fastly about this and look into it? The phabricator.h.o and phabricator-files.h.o entries in Fastly should work as expected except for this - once those domains have certs issued, we can switch. But I also created several others in preparation, so there's a list of certificates we need... Maybe we can ask them for a wildcard?
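The redirect loop described in the comment above, reproduced as an added model (not code from the task or from Fastly/nginx): the origin bounces every port-80 request to https:// on the same hostname, that hostname resolves to the CDN edge, and the edge always talks to the origin on its configured backend port, so with port 80 configured the 302 can never be satisfied. The hostname phabricator.haskell.org is assumed to be the expanded form of the page's "phabricator.h.o"; the origin and CDN behaviour are simplified models, and a hop limit plus a seen-URL check is what turns the loop into a diagnosable error.

```python
from urllib.parse import urlsplit

# Assumed expansion of the page's "phabricator.h.o"; used only as a sample hostname.
PUBLIC_HOST = "phabricator.haskell.org"


def origin_respond(host, port):
    """Model of the nginx origin: plain-HTTP (port 80) requests are redirected
    to HTTPS on the *same* hostname; HTTPS (port 443) requests are served."""
    if port == 80:
        return 302, f"https://{host}/"
    return 200, None


def edge_fetch(url, backend_port):
    """Model of the CDN edge: whatever scheme the client used, the edge fetches
    the origin on its configured backend port. Because the public hostname
    resolves back to the edge, a redirect to that hostname re-enters here."""
    host = urlsplit(url).hostname
    return origin_respond(host, backend_port)


def fetch(url, backend_port, max_hops=5):
    """Follow redirects through the modelled edge and report one of
    'ok', 'loop' (a URL was requested twice) or 'too-many-hops'."""
    seen = []
    for _ in range(max_hops):
        if url in seen:
            return "loop", seen
        seen.append(url)
        status, location = edge_fetch(url, backend_port)
        if status == 200:
            return "ok", seen
        url = location
    return "too-many-hops", seen


if __name__ == "__main__":
    # Misconfigured backend (port 80): the 302 points back at the edge forever.
    print(fetch(f"http://{PUBLIC_HOST}/", backend_port=80))
    # Corrected backend (port 443): the first request through the edge is served.
    print(fetch(f"http://{PUBLIC_HOST}/", backend_port=443))
```

The hop counter alone would eventually stop the loop, but the seen-URL check reports it on the second visit and keeps the trace short, which is what you want in a health check against a freshly configured CDN service.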

davean added a comment. Jul 9 2015, 9:37 PM

j.global-ssl.fastly.net and j.ssl.fastly.net now have a *.haskell.org cert.

We can now move arbitrary subdomains (one level deep) to fastly at will.
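The two certificate questions in this thread, whether the SAN list contains a wildcard for haskell.org and which hostnames a given certificate covers, as an added example that is not code from the task or from any participant. It parses the `X509v3 Subject Alternative Name` line of `openssl x509 -text` output (the sample fragments below are constructed, not real certificate data) and applies the usual wildcard rules: a wildcard matches exactly one label, only in the leftmost position, and never the apex name, which is why davean's "one level deep" caveat holds. The function names are my own.

```python
import re

# Constructed fragment of `openssl x509 -text` output, modelled on the shared
# SAN certificate quoted in the task (no wildcard present).
SHARED_SAN_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:downloads.haskell.org, DNS:hackage.haskell.org, DNS:j.ssl.fastly.net
"""

# Constructed fragment for a certificate that does carry a wildcard.
WILDCARD_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:*.haskell.org, DNS:haskell.org
"""


def parse_san_dns_names(x509_text):
    """Return the DNS names listed on the line following the SAN header."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", lines[i + 1])]
    return []


def san_matches(pattern, hostname):
    """True if a single SAN entry covers hostname. A wildcard is accepted only
    as the whole leftmost label, must leave at least two labels after it
    (so '*.org' is rejected), and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_hosts(x509_text, hostnames):
    """Map each hostname to whether some SAN entry in the certificate covers it."""
    names = parse_san_dns_names(x509_text)
    return {h: any(san_matches(n, h) for n in names) for h in hostnames}


def has_wildcard(x509_text, domain):
    """True if the SAN list contains '*.<domain>'."""
    return ("*." + domain.lower()) in parse_san_dns_names(x509_text)


if __name__ == "__main__":
    wanted = ["phabricator.haskell.org", "haskell.org", "a.b.haskell.org"]
    print("shared cert wildcard:", has_wildcard(SHARED_SAN_TEXT, "haskell.org"))
    print("shared cert covers:", covered_hosts(SHARED_SAN_TEXT, wanted))
    print("wildcard cert covers:", covered_hosts(WILDCARD_TEXT, wanted))
```

To run it against a live endpoint, feed the output of the `openssl ... | openssl x509 -text` pipeline quoted above into `parse_san_dns_names`; the functions deliberately take text rather than open a connection so they can be unit-tested offline. Note that `a.b.haskell.org` is not covered by `*.haskell.org`, so a two-level subdomain still needs its own entry.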

austin claimed this task. Jul 10 2015, 11:28 PM

You da real MVP. I'll take over the rest of this.

austin closed this task as Resolved. Jul 13 2015, 7:16 AM

Done - every Fastly domain is now moved over to j.ssl.fastly.net, and now we can create new arbitrary Fastly services and push them in front of the site as we see fit.