02/02: cdn: Only accept requests for substitutes.
From: Chris Marusich
Subject: 02/02: cdn: Only accept requests for substitutes.
Date: Sat, 5 Jan 2019 22:34:31 -0500 (EST)
marusich pushed a commit to branch master
in repository maintenance.
commit 4e7e9710407bc8436d1e7b2c66453e2947de87fd
Author: Chris Marusich <address@hidden>
Date: Sat Jan 5 19:18:48 2019 -0800
cdn: Only accept requests for substitutes.
* cdn/terraform/cloudfront.tf (locals) <default_behavior>: New
variable.
(berlin-mirror) <origin>: Add empty-origin, pointing to
guix-empty-bucket.
<default_cache_behavior>: Update its target_origin_id to point to the
empty-origin.
<ordered_cache_behavior>: New field. Add one behavior for each
substitute-related path published by "guix publish".
* cdn/terraform/s3.tf (guix-empty-bucket): New bucket.
---
cdn/terraform/cloudfront.tf | 112 ++++++++++++++++++++++++++++++--------------
cdn/terraform/s3.tf | 5 ++
2 files changed, 82 insertions(+), 35 deletions(-)
diff --git a/cdn/terraform/cloudfront.tf b/cdn/terraform/cloudfront.tf
index 018b803..533b08a 100644
--- a/cdn/terraform/cloudfront.tf
+++ b/cdn/terraform/cloudfront.tf
@@ -1,35 +1,7 @@
# CloudFront
-resource "aws_cloudfront_distribution" "berlin-mirror" {
- enabled = true
- comment = "Distributed caching proxy for berlin.guixsd.org"
- origin {
- domain_name = "berlin.guixsd.org"
- origin_id = "berlin.guixsd.org"
- custom_origin_config {
- http_port = 80 # Required, but not used.
- https_port = 443
- # Always use TLS when forwarding requests to the origin.
- origin_protocol_policy = "https-only"
- origin_ssl_protocols = ["TLSv1.2"]
- origin_keepalive_timeout = 60
- origin_read_timeout = 60
- }
- }
- # The CNAME that will point to this CloudFront distribution.
- aliases = ["ci.guix.info"]
- is_ipv6_enabled = true
- # This is actually the_maximum HTTP version to support. See:
- #
https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#http_version
- http_version = "http2"
- # Serve requests from all edge locations.
- price_class = "PriceClass_All"
- # Do not restrict access.
- restrictions { geo_restriction { restriction_type = "none" }}
- # When deleting the distribution, actually delete it. See:
- #
https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#retain_on_delete
- retain_on_delete = false
- default_cache_behavior {
+locals {
+ default_behavior = {
# Only allow "read" verbs.
allowed_methods = ["GET", "HEAD"]
cached_methods = ["GET", "HEAD"]
@@ -43,10 +15,10 @@ resource "aws_cloudfront_distribution" "berlin-mirror" {
# addition, this also causes CloudFront to omit these values
# when forwarding the request to the custom origin. See:
#
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ConfiguringCaching.html
- forwarded_values {
- cookies { forward = "none" }
+ forwarded_values = [{
+ cookies = [{ forward = "none" }]
query_string = false
- }
+ }]
# Generally speaking, respect any Cache-Control or Expires
# headers that the origin includes in its responses. The
# exception is that if a Cache-Control or Expires header says to
@@ -63,8 +35,78 @@ resource "aws_cloudfront_distribution" "berlin-mirror" {
# In the future, we should consider changing this to "https-only".
viewer_protocol_policy = "allow-all"
}
- # TODO: Maybe add more behaviors for specific paths/prefixes.
- # ordered_cache_behavior {}
+}
+
+resource "aws_cloudfront_distribution" "berlin-mirror" {
+ enabled = true
+ comment = "Distributed caching proxy for berlin.guixsd.org"
+ origin {
+ domain_name = "berlin.guixsd.org"
+ origin_id = "berlin.guixsd.org"
+ custom_origin_config {
+ http_port = 80 # Required, but not used.
+ https_port = 443
+ # Always use TLS when forwarding requests to the origin.
+ origin_protocol_policy = "https-only"
+ origin_ssl_protocols = ["TLSv1.2"]
+ origin_keepalive_timeout = 60
+ origin_read_timeout = 60
+ }
+ }
+ origin {
+ domain_name =
"${aws_s3_bucket.guix-empty-bucket.bucket_regional_domain_name}"
+ origin_id = "empty-origin"
+ }
+ # The CNAME that will point to this CloudFront distribution.
+ aliases = ["ci.guix.info"]
+ is_ipv6_enabled = true
+ # This is actually the_maximum HTTP version to support. See:
+ #
https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#http_version
+ http_version = "http2"
+ # Serve requests from all edge locations.
+ price_class = "PriceClass_All"
+ # Do not restrict access.
+ restrictions { geo_restriction { restriction_type = "none" }}
+ # When deleting the distribution, actually delete it. See:
+ #
https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#retain_on_delete
+ retain_on_delete = false
+ # Fail all requests by default.
+ default_cache_behavior = [
+ "${merge(
+ local.default_behavior,
+ map("target_origin_id", "empty-origin")
+ )}"
+ ]
+ # Cache all the relevant paths published by "guix publish". See
+ # guix/scripts/publish.scm in the Guix source for details.
+ ordered_cache_behavior = [
+ # /nix-cache-info
+ "${merge(
+ local.default_behavior,
+ map("path_pattern", "/nix-cache-info")
+ )}",
+ # /<hash>.narinfo
+ "${merge(
+ local.default_behavior,
+ map("path_pattern", "/*.narinfo")
+ )}",
+ # /file/<name>/sha256/<hash>
+ "${merge(
+ local.default_behavior,
+ map("path_pattern", "/file/*")
+ )}",
+ # /log/<output>
+ "${merge(
+ local.default_behavior,
+ map("path_pattern", "/log/*")
+ )}",
+ # /nar/gzip/<store-item>
+ # /nar/<store-item>
+ "${merge(
+ local.default_behavior,
+ map("path_pattern", "/nar/*")
+ )}"
+ ]
# TODO: Maybe set a caching behavior for error responses.
# custom_error_response {}
viewer_certificate {
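Review bot: The new `default_cache_behavior` sends every request that matches none of the ordered behaviors to `empty-origin`, an S3 bucket declared without `s3_origin_config` or an origin access identity, so the "fail" is whatever S3 returns to an anonymous request against a private bucket (an XML error body, presumably 403) rather than a response this distribution controls; the `custom_error_response` TODO just below this block is now worth doing, e.g. mapping that error code to a short fixed response and TTL so S3's error body and request metadata are not what `ci.guix.info` serves for unknown paths. The comment `# Fail all requests by default.` would be more precise as `# Default: no content. Requests not matched by an ordered_cache_behavior go to an empty, private S3 bucket and fail.`. None of the ordered behaviors set `target_origin_id`, so the substitute paths rely on `local.default_behavior` carrying `target_origin_id = "berlin.guixsd.org"` from the part of the locals block outside this hunk; worth confirming with `terraform plan` that each behavior resolves to the berlin origin. The `viewer_certificate` block and the rest of the resource continue outside the hunk.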
diff --git a/cdn/terraform/s3.tf b/cdn/terraform/s3.tf
index caf6cbf..d72fcca 100644
--- a/cdn/terraform/s3.tf
+++ b/cdn/terraform/s3.tf
@@ -46,3 +46,8 @@ resource "aws_s3_bucket" "guix-terraform-state" {
prevent_destroy = true
}
}
+
+resource "aws_s3_bucket" "guix-empty-bucket" {
+ bucket = "guix-empty-bucket"
+ acl = "private"
+}
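Review bot: `guix-empty-bucket` has no comment saying that it exists only as a dead-end origin for the CloudFront distribution in cloudfront.tf, so a later maintainer could store public objects in it or loosen the ACL and unknowingly publish content at the CDN's default behavior. Suggest adding above the resource: `# Intentionally empty, private bucket used as the CloudFront distribution's default origin so that requests outside the substitute paths fail. Do not store objects here or relax the ACL.`. The adjacent state bucket guards itself with `lifecycle { prevent_destroy = true }`; whether this bucket wants the same guard depends on how disruptive recreating the origin would be, so I only flag it.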