puppet: Document smokescreen installation, and move to puppet/zulip/.

This is more broadly useful than for just Kandra; provide
documentation and means to install Smokescreen for stand-alone
servers, and motivate its use somewhat more.
Alex Vandiver
2021-02-26 14:40:18 -08:00
committed by Tim Abbott
parent a58e832884
commit d938dd9d4a
4 changed files with 76 additions and 60 deletions


@@ -186,28 +186,40 @@ behind reverse proxies.
## Using an outgoing HTTP proxy ## Using an outgoing HTTP proxy
Zulip supports routing all of its outgoing HTTP and HTTPS traffic Zulip supports routing all of its outgoing HTTP and HTTPS traffic
through an HTTP `CONNECT` proxy, such as [smokescreen][smokescreen]; through an HTTP `CONNECT` proxy, such as [`smokescreen`][smokescreen];
this includes outgoing webhooks, image and website previews, and this includes outgoing webhooks, image and website previews, and
mobile push notifications. You may wish to enable this feature to mobile push notifications. You may wish to enable this feature to
provide a consistent egress point, or enforce access control on URLs. provide a consistent egress point, or enforce access control on URLs
to prevent [SSRF][ssrf] against internal resources.
To enable an outgoing HTTP proxy: To use `smokescreen`:
1. Add `, zulip::profile::smokescreen` to the list of `puppet_classes`
in `/etc/zulip/zulip.conf`. A typical value after this change is:
```
puppet_classes = zulip::profile::standalone, zulip::profile::smokescreen
```
1. Add the following block to `/etc/zulip/zulip.conf`, substituting in 1. Add the following block to `/etc/zulip/zulip.conf`, substituting in
your proxy's hostname/IP and port: your proxy's hostname/IP and port:
``` ```
[http_proxy] [http_proxy]
host = 192.168.0.1 host = 127.0.0.1
port = 4750 port = 4750
``` ```
1. As root, run 1. As root, run
`/home/zulip/deployments/current/scripts/zulip-puppet-apply`. This `/home/zulip/deployments/current/scripts/zulip-puppet-apply`. This
will reconfigure services to use the outgoing proxy, and restart will compile and install `smokescreen`, reconfigure services to use
Zulip. it, and restart Zulip.
If you would like to use an already-installed HTTP proxy, omit the
first step, and adjust the IP address and port in the second step
accordingly.
[smokescreen]: https://github.com/stripe/smokescreen [smokescreen]: https://github.com/stripe/smokescreen
[ssrf]: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
## Putting the Zulip application behind a reverse proxy ## Putting the Zulip application behind a reverse proxy


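--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
+# @summary Outgoing HTTP CONNECT proxy for HTTP/HTTPS on port 4750.
+#
+class zulip::profile::smokescreen {
+include zulip::profile::base
+include zulip::supervisor
+$golang_version = '1.14.10'
+zulip::sha256_tarball_to { 'golang':
+url => "https://golang.org/dl/go${golang_version}.linux-amd64.tar.gz",
+sha256 => '66eb6858f375731ba07b0b33f5c813b141a81253e7e74071eec3ae85e9b37098',
+install => {
+'go/' => "/srv/golang-${golang_version}/",
+},
+}
+file { '/srv/golang':
+ensure => 'link',
+target => "/srv/golang-${golang_version}/",
+require => Zulip::Sha256_tarball_to['golang'],
+}
+$version = '0.0.2'
+zulip::sha256_tarball_to { 'smokescreen':
+url => "https://github.com/stripe/smokescreen/archive/v${version}.tar.gz",
+sha256 => '7255744f89a62a103fde97d28e3586644d30191b4e3d1f62c9a99e13d732a012',
+install => {
+"smokescreen-${version}/" => "/srv/smokescreen-src-${version}/",
+},
+}
+exec { 'compile smokescreen':
+command => "/srv/golang/bin/go build -o /usr/local/bin/smokescreen-${version}",
+cwd => "/srv/smokescreen-src-${version}/",
+# GOCACHE is required; nothing is written to GOPATH, but it is required to be set
+environment => ['GOCACHE=/tmp/gocache', 'GOPATH=/root/go'],
+creates => "/usr/local/bin/smokescreen-${version}",
+require => [Zulip::Sha256_tarball_to['golang'], Zulip::Sha256_tarball_to['smokescreen']],
+}
+file { '/usr/local/bin/smokescreen':
+ensure => 'link',
+target => "/usr/local/bin/smokescreen-${version}",
+require => Exec['compile smokescreen'],
+notify => Service[supervisor],
+}
+file { '/etc/supervisor/conf.d/smokescreen.conf':
+ensure => file,
+require => [
+Package[supervisor],
+File['/usr/local/bin/smokescreen'],
+],
+owner => 'root',
+group => 'root',
+mode => '0644',
+content => template('zulip/supervisor/smokescreen.conf.erb'),
+notify => Service[supervisor],
+}
+}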
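Review bot: The `exec { 'compile smokescreen' }` resource runs `go build` as root with `GOCACHE=/tmp/gocache`, a path under the world-writable `/tmp` that any local user can pre-create or symlink before the first puppet run, so the cache the root build reads and writes is not under root's control. Point it at a root-owned location instead, e.g. `environment => ['GOCACHE=/root/.cache/go-build', 'GOPATH=/root/go'],` (Go's own default cache directory), and update the comment above it to say why a private directory is used. The source tarballs are sha256-pinned, but `go build` may still fetch modules over the network; presumably the `go.sum` shipped inside the pinned tarball is what pins those, and stating that in the comment would make the supply-chain boundary explicit for whoever bumps `$version` next.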


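--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
-# @summary Outgoing HTTP CONNECT proxy for HTTP/HTTPS on port 4750.
-#
 class zulip_ops::profile::smokescreen {
 include zulip_ops::profile::base
-include zulip::supervisor
+include zulip::profile::smokescreen
 include zulip_ops::camo
-$golang_version = '1.14.10'
-zulip::sha256_tarball_to { 'golang':
-url => "https://golang.org/dl/go${golang_version}.linux-amd64.tar.gz",
-sha256 => '66eb6858f375731ba07b0b33f5c813b141a81253e7e74071eec3ae85e9b37098',
-install => {
-'go/' => "/srv/golang-${golang_version}/",
-},
-}
-file { '/srv/golang':
-ensure => 'link',
-target => "/srv/golang-${golang_version}/",
-require => Zulip::Sha256_tarball_to['golang'],
-}
-$version = '0.0.2'
-zulip::sha256_tarball_to { 'smokescreen':
-url => "https://github.com/stripe/smokescreen/archive/v${version}.tar.gz",
-sha256 => '7255744f89a62a103fde97d28e3586644d30191b4e3d1f62c9a99e13d732a012',
-install => {
-"smokescreen-${version}/" => "/srv/smokescreen-src-${version}/",
-},
-}
-exec { 'compile smokescreen':
-command => "/srv/golang/bin/go build -o /usr/local/bin/smokescreen-${version}",
-cwd => "/srv/smokescreen-src-${version}/",
-# GOCACHE is required; nothing is written to GOPATH, but it is required to be set
-environment => ['GOCACHE=/tmp/gocache', 'GOPATH=/root/go'],
-creates => "/usr/local/bin/smokescreen-${version}",
-require => [Zulip::Sha256_tarball_to['golang'], Zulip::Sha256_tarball_to['smokescreen']],
-}
-file { '/usr/local/bin/smokescreen':
-ensure => 'link',
-target => "/usr/local/bin/smokescreen-${version}",
-require => Exec['compile smokescreen'],
-notify => Service[supervisor],
-}
-file { '/etc/supervisor/conf.d/smokescreen.conf':
-ensure => file,
-require => [
-Package[supervisor],
-File['/usr/local/bin/smokescreen'],
-],
-owner => 'root',
-group => 'root',
-mode => '0644',
-content => template('zulip_ops/supervisor/conf.d/smokescreen.conf.erb'),
-notify => Service[supervisor],
-}
 }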
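Review bot: With the `@summary` header moved out, `zulip_ops::profile::smokescreen` is left without any documentation even though it keeps a distinct role (the zulip_ops base profile plus `zulip_ops::camo` on top of the generic proxy); keep a one-line header above the class line such as `# @summary zulip_ops wrapper around zulip::profile::smokescreen that also includes zulip_ops::camo.`. The class now includes `zulip_ops::profile::base` directly and `zulip::profile::base` indirectly through `zulip::profile::smokescreen`; nothing in the hunk shows a conflict between the two, but whether they are meant to coexist on one host is worth confirming, and a short comment recording the answer would save the next reader the same question.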