CDN for the theforeman.org

Hi all,

I've signed the contract with our newest sponsor, Fastly, and we now have a CDN available for us to use on our web host. This comes with a single wildcard certificate, so we should be able to use it for all the vhosts on there (yum.tf, deb.tf, etc).

Being entirely honest, I've never set up a CDN before though, so do we have anyone in the community who has?

BTW, big thanks to Evgeni (Zhenech) for his help in getting this sorted!

Greg

Heavy fastly user here :)

Let me know what you need (or we can chat on freenode if you want)

On Fri, Nov 17, 2017 at 10:14 AM Greg Sutcliffe <greg@emeraldreverie.org> wrote:

Hi all,

I've signed the contract with our newest sponsor, Fastly, and we now have
a CDN available for us to use on our web host. This comes with a single
wildcard certificate, so we should be able to use it for all the vhosts
on there (yum.tf, deb.tf, etc)

Being entirely honest, I've never set up a CDN before though, so do we
have anyone in the community who has?

BTW, big thanks to Evgeni (Zhenech) for his help in getting this sorted!

Greg

--
You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Great, thanks. Before moving on, I'd check if yum/deb accepts these kind of certificates. I *think* so, but I've heard from security guys they don't like these certs at all :-)

LZ



--
Later,
  Lukas @lzap Zapletal

Thanks for the heads up, good to know. I believe Fastly is used by the Debian repos themselves, so I *think* it's OK, but we can check. We can always choose not to use their certificate if we want, we have LetsEncrypt setup on that node anyway...

Evgeni and I will take a look at this today - Neil, maybe I'll ping you later in the week if we get stuck :)

Greg


On 20/11/17 10:08, Lukas Zapletal wrote:
Great, thanks. Before moving on, I'd check if yum/deb accepts these
kind of certificates. I *think* so, but I've heard from security guys
they don't like these certs at all :-)

FWIW, deb.d.o runs on a custom LE cert, not on a wildcard, so you can't really compare that.
And cdn-fastly.deb.debian.org (which is the "real" Fastly host apt hits) does not have SSL enabled at all.


On Mon, Nov 20, 2017 at 11:58 AM, Greg Sutcliffe <greg@emeraldreverie.org> wrote:

Thanks for the heads up, good to know. I believe Fastly is used by the
Debian repos themselves, so I *think* it's OK, but we can check. We can
always choose not to use their certificate if we want, we have
LetsEncrypt setup on that node anyway...

Evgeni and I will take a look at this today - Neil, maybe I'll ping you
later in the week if we get stuck :)

Greg


--
Beste Grüße/Kind regards,

Evgeni Golov
Software Engineer
________________________________________________________________________
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

Just a quick heads-up for everybody.

We now have the right config and TLS certificates in place to serve
Foreman content via Fastly, but we did not change any public DNS
entries yet.
We’ll probably start with stagingdeb.tfm.o and downloads.tfm.o soon,
and move to the other vhosts some time in January if no problems
occur.

Evgeni

On Mon, Nov 20, 2017 at 1:24 PM, Evgeni Golov evgeni@redhat.com wrote:

FWIW, deb.d.o runs on a custom LE cert, not on a wildcard, so you
can’t really compare that.
And cdn-fastly.deb.debian.org (which is the “real” Fastly host apt
hits) does not have SSL enabled at all.


downloads.theforeman.org and stagingdeb.theforeman.org are now served
via Fastly, enjoy!

On Tue, Dec 12, 2017 at 3:51 PM, Evgeni Golov evgeni@redhat.com wrote:

Just a quick heads-up for everybody.

We now have the right config and TLS certificates in place to serve
Foreman content via Fastly, but we did not change any public DNS
entries yet.
We’ll probably start with stagingdeb.tfm.o and downloads.tfm.o soon,
and move to the other vhosts some time in January if no problems
occur.

Evgeni


Great news, thanks.

LZ

On Tue, Dec 12, 2017 at 4:12 PM, Evgeni Golov <evgeni@redhat.com> wrote:

downloads.theforeman.org and stagingdeb.theforeman.org are now served
via Fastly, enjoy!
