[FOLIO-1849] Proxy Okapi through standard HTTP/HTTPS ports for hosted folio-snapshot and folio-testing Created: 06/Mar/19  Updated: 03/Jun/20  Resolved: 24/Apr/19

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P3
Reporter: John Malconian Assignee: John Malconian
Resolution: Done Votes: 0
Labels: ci, platform-backlog
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-1936 Q2: secure folio-snapshot and folio-t... Closed
Duplicate
duplicates FOLIO-897 Avoid external port 9130 in full-stac... Closed
Relates
relates to FOLIO-1787 secure folio-snapshot and folio-testi... Closed
Sprint: Core: Platform - Sprint 59, CP: sprint 62, Core: Platform - Sprint 61
Story Points: 5
Development Team: Core: Platform

 Description   

Accessing a hosted FOLIO instance is problematic for users on networks that block outbound connections to Okapi port 9130. The solution is to proxy Okapi through standard TCP ports like 80 and 443. All hosted folio-snapshot and folio-testing builds should be modified to include this change utilizing either an NGINX proxy or an AWS ELB.



 Comments   
Comment by Julian Ladisch [ 12/Mar/19 ]

Recipe: https://github.com/folio-org/folio-ansible/blob/master/doc/index.md#replace-port-9130

Comment by John Malconian [ 12/Mar/19 ]

Thanks, Julian Ladisch

Comment by John Malconian [ 12/Mar/19 ]

Limiting the scope of this to folio-snapshot* and folio-testing for now.

Comment by John Malconian [ 18/Apr/19 ]

A new hosted ansible role has been created in folio-infrastructure to utilizes AWS ELB to proxy frontend and backend (okapi) requests via port 443 (HTTPS). It's called 'folio-elb'. It is actively utilized for Q1 2019 release builds, folio-release(-core) and folio-testing(-core) hosted builds.

Examples to get to the UI.
https://folio-release.aws.indexdata.com
https://folio-testing.aws.indexdata.com

Examples to get to Okapi directly:
https://folio-testing-okapi.aws.indexdata.com
https://folio-release-okapi.aws.indexdata.com

The only outstanding items are folio-snapshot-latest and folio-snapshot-stable. These systems are a little more tricky based on the way they are created and tagged. Updating folio-snapshot-* to use HTTPS, therefore, may need to be carried over into the next sprint.

Comment by Ian Hardy [ 18/Apr/19 ]

I think we'll also need rules on the ELB to direct traffic to port 8000 which is where nginx is proxying the edge modules.

Comment by John Malconian [ 18/Apr/19 ]

oh heck, Ian Hardy totally forgot about that. Yes.

Comment by John Malconian [ 19/Apr/19 ]

We'll need to carry this over into the next sprint.

Comment by John Malconian [ 22/Apr/19 ]

I've modified the folio-elb role to include support for the edge modules on port 8000.

Comment by John Malconian [ 23/Apr/19 ]

folio-snapshot-core-latest/stable has been converted to HTTPS. folio-snapshot-latest/stable is next.

Generated at Thu Feb 08 23:16:21 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.