From 580bf313309359fc690d58b8555e8ea0dbdcd096 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Thu, 4 Sep 2025 11:21:44 -0400
Subject: [PATCH 01/21] create new vhost for kubernetes production vcluster
---
 .../www_lib/vhosts/dspace7-deepblue.pp | 162 ++++++++++++++++++
 1 file changed, 162 insertions(+)
 create mode 100644 manifests/profile/www_lib/vhosts/dspace7-deepblue.pp
diff --git a/manifests/profile/www_lib/vhosts/dspace7-deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7-deepblue.pp
new file mode 100644
index 000000000..223a9860b
--- /dev/null
+++ b/manifests/profile/www_lib/vhosts/dspace7-deepblue.pp
@@ -0,0 +1,162 @@
+# Copyright (c) 2019 The Regents of the University of Michigan.
+# All Rights Reserved. Licensed according to the terms of the Revised
+# BSD License. See LICENSE.txt for details.
+
+# nebula::profile::www_lib::vhosts::deepblue
+#
+# deepblue virtual host
+#
+# @example
+# include nebula::profile::www_lib::vhosts::deepblue
+class nebula::profile::www_lib::vhosts::deepblue (
+ String $prefix,
+ String $domain,
+ String $ssl_cn = 'dspace7.deepblue.lib.umich.edu',
+ String $docroot = '/www/deepblue/web'
+) {
+ $servername = "${prefix}deepblue.${domain}"
+
+ file { "${apache::params::logroot}/deepblue":
+ ensure => 'directory',
+ }
+
+ nebula::apache::www_lib_vhost { 'deepblue-http':
+ servername => $servername,
+ docroot => $docroot,
+ logging_prefix => 'deepblue/',
+ usertrack => true,
+
+ rewrites => [
+ {
+ rewrite_rule => '^(.*)$ https://%{HTTP_HOST}$1 [L,R]'
+ },
+ ],
+ }
+
+ nebula::apache::www_lib_vhost { 'deepblue-https':
+ servername => $servername,
+ docroot => $docroot,
+ logging_prefix => 'deepblue/',
+
+ ssl => true,
+ ssl_cn => $ssl_cn,
+ usertrack => true,
+ auth_openidc => true,
+ auth_openidc_redirect_uri => 'https://dspace7.deepblue.lib.umich.edu/openid-connect/callback',
+
+ rewrites => [
+ {
+ comment => 'Deep Blue Repositories home page is on www.lib now',
+ rewrite_cond => '%{REQUEST_URI} ^((\/?|/index.html)$|/splash/)',
+ rewrite_rule => '^(.*)$ https://www.lib.umich.edu/collections/deep-blue-repositories [redirect=permanent,last]'
+ },
+ {
+ # XXX: Is this really still an issue?
+ # Workaround critical DSpace security bug until there is a patch.
+ #
+ # 2016-03-14 skorner
+ comment => 'Work around critical DSpace security bug from 2016..??',
+ rewrite_rule => '^/+themes/.*:.*$ /error [R=permanent,L]',
+ },
+ {
+ comment => 'Serve static assets through apache',
+ rewrite_cond => '/deepbluedata-prod/deepbluedata-production/shared/public/$1 -f',
+ rewrite_rule => '^/data/(.*)$ /deepbluedata-prod/deepbluedata-production/shared/public/$1 [L]',
+ },
+ {
+ comment => 'Deep Blue Data',
+ rewrite_cond => '%{ENV:badrobot} !(^true$)',
+ rewrite_rule => '^(/data.*)$ http://app-deepbluedata:30060$1 [P]',
+ },
+ {
+ comment => 'Deep Blue Documents; dont proxy auth_oidc',
+ rewrite_cond => ['%{ENV:badrobot} !(^true$)', '%{REQUEST_URI} !^(/openid-connect)'],
+ rewrite_rule => '^(.*)$ http://bulleit-2.umdl.umich.edu:8080$1 [P]'
+ },
+ {
+ comment => 'Deep Blue Preservation redirect',
+ rewrite_rule => '^/static/about/deepbluepreservation.html https://www.lib.umich.edu/about-us/policies/digital-repository-services-digital-preservation-policy/registered-formats-and [R=permanent,L]'
+ },
+ ],
+
+ directories => [
+ {
+ provider => 'directory',
+ path => $docroot,
+ options => 'None',
+ allow_override => 'None',
+ require => $nebula::profile::www_lib::apache::default_access,
+ },
+ {
+ # Block access to the DSpace metadata and DRI services.
+ # Per blancoj on 2016-04-21 skorner
+ provider => 'locationmatch',
+ path => '^/(metadata|DRI|contact|feedback)(.*)',
+ # XXX: Before this allowed a single particular IP address that no
+ # longer appears to be in use
+ require => 'all denied'
+ },
+ {
+ provider => 'location',
+ path => '/',
+ auth_type => 'openid-connect',
+ auth_require => 'valid-user',
+ custom_fragment => @(EOT)
+ OIDCUnAuthAction pass
+ | EOT
+ },
+ {
+ provider => 'location',
+ path => '/webiso-login',
+ auth_type => 'openid-connect',
+ auth_require => 'valid-user',
+ custom_fragment => @(EOT)
+ OIDCUnAuthAction auth true
+ | EOT
+ },
+ {
+ provider => 'locationmatch',
+ path => '^/data/login',
+ auth_type => 'openid-connect',
+ auth_require => 'valid-user',
+ custom_fragment => @(EOT)
+ OIDCUnAuthAction auth true
+ | EOT
+ },
+ {
+ provider => 'directory',
+ path => '/deepbluedata-prod/deepbluedata-production/shared/public',
+ options => 'FollowSymlinks',
+ allow_override => 'None',
+ access => $nebula::profile::www_lib::apache::default_access
+ },
+ ],
+
+ request_headers => [
+ # Setting remote user for 2.4
+ 'set X-Remote-User "expr=%{REMOTE_USER}"',
+ # Fix redirects being sent to non ssl url (https -> http)
+ 'set X-Forwarded-Proto "https"',
+ # Remove existing X-Forwarded-For headers; mod_proxy will automatically add the correct one.
+ 'unset X-Forwarded-For',
+ ],
+
+ headers => [
+ 'set "Strict-Transport-Security" "max-age=3600"',
+ 'set "X-Frame-Options" "SAMEORIGIN"',
+ ],
+
+ ssl_proxyengine => true,
+ ssl_proxy_check_peer_name => 'on',
+ ssl_proxy_check_peer_expire => 'on',
+
+ ## Redirect Deep Blue Data to an outage
+ ## RewriteEngine On
+ ## RewriteRule ^/data(.*)$ http://www.lib.umich.edu/outages/deep-blue-data-0 [redirect,noescape,last]
+
+ custom_fragment => @(EOT)
+ ProxyPassReverse /data https://app-deepbluedata.deepblue.lib.umich.edu:30060/
+ ProxyPassReverse / http://bulleit-2.umdl.umich.edu:8080/
+ | EOT
+ }
+}
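Review bot: The `ProxyPassReverse /data https://app-deepbluedata.deepblue.lib.umich.edu:30060/` line in the closing `custom_fragment` does not match the backend that the `Deep Blue Data` rewrite actually proxies to (`http://app-deepbluedata:30060$1 [P]`), so Location/Content-Location headers returned by that backend are not mapped back and clients can be sent to an internal host name; the reverse mapping should use the same scheme and host as the `[P]` rule, e.g. `ProxyPassReverse /data http://app-deepbluedata:30060/`. `auth_openidc_redirect_uri` and the `ssl_cn` default hard-code `dspace7.deepblue.lib.umich.edu` while the vhost name is computed as `"${prefix}deepblue.${domain}"`, so any non-production `$prefix`/`$domain` yields a redirect URI on a host other than the one serving it; deriving it as `"https://${servername}/openid-connect/callback"` keeps the two in step (the same literal host is kept when `$servername` is reworked in patch 16). `Strict-Transport-Security` with `max-age=3600` only protects a returning client for one hour; once the https vhost is known to be stable the customary value is at least a year (`max-age=31536000`).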
From 496311166af1cb3b6dc0bacf75ed3276068bb346 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Mon, 8 Sep 2025 16:46:40 -0400
Subject: [PATCH 02/21] update changes in new vhost for dspace7-deepblue
---
 .../www_lib/vhosts/dspace7-deepblue.pp | 38 ++++++++----------
 1 file changed, 16 insertions(+), 22 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7-deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7-deepblue.pp
index 223a9860b..7ee86e18f 100644
--- a/manifests/profile/www_lib/vhosts/dspace7-deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7-deepblue.pp
@@ -8,13 +8,13 @@
 #
 # @example
 # include nebula::profile::www_lib::vhosts::deepblue
-class nebula::profile::www_lib::vhosts::deepblue (
- String $prefix,
+class nebula::profile::www_lib::vhosts::dspace7-deepblue (
+ String $prefix = 'dspace7',
 String $domain,
- String $ssl_cn = 'dspace7.deepblue.lib.umich.edu',
+ String $ssl_cn = 'deepblue.lib.umich.edu',
 String $docroot = '/www/deepblue/web'
 ) {
- $servername = "${prefix}deepblue.${domain}"
+ $servername = "${prefix}.deepblue.${domain}"
 file { "${apache::params::logroot}/deepblue":
 ensure => 'directory',
@@ -23,7 +23,7 @@
 nebula::apache::www_lib_vhost { 'deepblue-http':
 servername => $servername,
 docroot => $docroot,
- logging_prefix => 'deepblue/',
+ logging_prefix => 'dspace7-deepblue/',
 usertrack => true,
 rewrites => [
@@ -36,13 +36,14 @@
 nebula::apache::www_lib_vhost { 'deepblue-https':
 servername => $servername,
 docroot => $docroot,
- logging_prefix => 'deepblue/',
+ logging_prefix => 'dspace7-deepblue/',
- ssl => true,
- ssl_cn => $ssl_cn,
- usertrack => true,
- auth_openidc => true,
- auth_openidc_redirect_uri => 'https://dspace7.deepblue.lib.umich.edu/openid-connect/callback',
+ ssl => true,
+ ssl_cn => $ssl_cn,
+ usertrack => true,
+ auth_openidc => true,
+ auth_openidc_redirect_uri => 'https://dspace7.deepblue.lib.umich.edu/openid-connect/callback',
+ ssl_proxy_machine_certificate_file => '/etc/ssl/private/machine-cert-deepblue.lib.pem',
 rewrites => [
 {
@@ -71,7 +72,7 @@
 {
 comment => 'Deep Blue Documents; dont proxy auth_oidc',
 rewrite_cond => ['%{ENV:badrobot} !(^true$)', '%{REQUEST_URI} !^(/openid-connect)'],
- rewrite_rule => '^(.*)$ http://bulleit-2.umdl.umich.edu:8080$1 [P]'
+ rewrite_rule => '^(.*)$ https://production.deepblue.lib.umich.edu:8443$1 [P]'
 },
 {
 comment => 'Deep Blue Preservation redirect',
@@ -105,15 +106,6 @@
 OIDCUnAuthAction pass
 | EOT
 },
- {
- provider => 'location',
- path => '/webiso-login',
- auth_type => 'openid-connect',
- auth_require => 'valid-user',
- custom_fragment => @(EOT)
- OIDCUnAuthAction auth true
- | EOT
- },
 {
 provider => 'locationmatch',
 path => '^/data/login',
@@ -137,6 +129,8 @@
 'set X-Remote-User "expr=%{REMOTE_USER}"',
 # Fix redirects being sent to non ssl url (https -> http)
 'set X-Forwarded-Proto "https"',
+ #Set original host name of the request.
+ 'set X-Forwarded-Host "dspace7.deepblue.lib.umich.edu"',
 # Remove existing X-Forwarded-For headers; mod_proxy will automatically add the correct one.
 'unset X-Forwarded-For',
 ],
@@ -156,7 +150,7 @@
 custom_fragment => @(EOT)
 ProxyPassReverse /data https://app-deepbluedata.deepblue.lib.umich.edu:30060/
- ProxyPassReverse / http://bulleit-2.umdl.umich.edu:8080/
+ ProxyPassReverse / https://production.deepblue.lib.umich.edu:8443/
 | EOT
 }
 }
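Review bot: The new `'set X-Forwarded-Host "dspace7.deepblue.lib.umich.edu"'` request header in the `@@ -137` hunk pins the forwarded host to the production name, while `$servername` is computed from `$prefix` and `$domain` at the top of the class; on any other prefix or domain the backend will build absolute URLs for a host this vhost does not answer for. Keeping the value fixed rather than echoing the client's Host header is the safer choice, so the fix is to interpolate the vhost name instead of a literal: `"set X-Forwarded-Host \"${servername}\""`. The same literal host also remains in `auth_openidc_redirect_uri` in the `@@ -36` hunk of this patch. Minor: the added comment lacks a space after `#` (`# Set original host name of the request.`).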
From a3a7fd1f085c3beee16882f8aede0bf783d617cb Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Mon, 8 Sep 2025 17:01:02 -0400
Subject: [PATCH 03/21] update vhost file to please puppet
---
 .../www_lib/vhosts/{dspace7-deepblue.pp => dspace7_deepblue.pp} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename manifests/profile/www_lib/vhosts/{dspace7-deepblue.pp => dspace7_deepblue.pp} (98%)
diff --git a/manifests/profile/www_lib/vhosts/dspace7-deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
similarity index 98%
rename from manifests/profile/www_lib/vhosts/dspace7-deepblue.pp
rename to manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index 7ee86e18f..ec9bbd930 100644
--- a/manifests/profile/www_lib/vhosts/dspace7-deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -8,7 +8,7 @@
 #
 # @example
 # include nebula::profile::www_lib::vhosts::deepblue
-class nebula::profile::www_lib::vhosts::dspace7-deepblue (
+class nebula::profile::www_lib::vhosts::dspace7_deepblue (
 String $prefix = 'dspace7',
 String $domain,
 String $ssl_cn = 'deepblue.lib.umich.edu',
From 0a6f2018269c585284492f5d956564e76194ecfc Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Mon, 8 Sep 2025 17:12:07 -0400
Subject: [PATCH 04/21] fix linting
---
 .../www_lib/vhosts/dspace7_deepblue.pp | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index ec9bbd930..f01bfdd50 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -34,9 +34,9 @@
 }
 nebula::apache::www_lib_vhost { 'deepblue-https':
- servername => $servername,
- docroot => $docroot,
- logging_prefix => 'dspace7-deepblue/',
+ servername => $servername,
+ docroot => $docroot,
+ logging_prefix => 'dspace7-deepblue/',
 ssl => true,
 ssl_cn => $ssl_cn,
@@ -45,7 +45,7 @@
 auth_openidc_redirect_uri => 'https://dspace7.deepblue.lib.umich.edu/openid-connect/callback',
 ssl_proxy_machine_certificate_file => '/etc/ssl/private/machine-cert-deepblue.lib.pem',
- rewrites => [
+ rewrites => [
 {
 comment => 'Deep Blue Repositories home page is on www.lib now',
 rewrite_cond => '%{REQUEST_URI} ^((\/?|/index.html)$|/splash/)',
@@ -80,7 +80,7 @@
 },
 ],
- directories => [
+ directories => [
 {
 provider => 'directory',
 path => $docroot,
@@ -124,7 +124,7 @@
 },
 ],
- request_headers => [
+ request_headers => [
 # Setting remote user for 2.4
 'set X-Remote-User "expr=%{REMOTE_USER}"',
 # Fix redirects being sent to non ssl url (https -> http)
@@ -135,20 +135,20 @@
 'unset X-Forwarded-For',
 ],
- headers => [
+ headers => [
 'set "Strict-Transport-Security" "max-age=3600"',
 'set "X-Frame-Options" "SAMEORIGIN"',
 ],
- ssl_proxyengine => true,
- ssl_proxy_check_peer_name => 'on',
- ssl_proxy_check_peer_expire => 'on',
+ ssl_proxyengine => true,
+ ssl_proxy_check_peer_name => 'on',
+ ssl_proxy_check_peer_expire => 'on',
 ## Redirect Deep Blue Data to an outage
 ## RewriteEngine On
 ## RewriteRule ^/data(.*)$ http://www.lib.umich.edu/outages/deep-blue-data-0 [redirect,noescape,last]
- custom_fragment => @(EOT)
+ custom_fragment => @(EOT)
 ProxyPassReverse /data https://app-deepbluedata.deepblue.lib.umich.edu:30060/
 ProxyPassReverse / https://production.deepblue.lib.umich.edu:8443/
 | EOT
From 3fd4b476e5e1aafd9fede87aa1826152939c53df Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Mon, 8 Sep 2025 23:29:38 -0400
Subject: [PATCH 05/21] reorder parameter
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index f01bfdd50..866d20f58 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -9,8 +9,8 @@
 # @example
 # include nebula::profile::www_lib::vhosts::deepblue
 class nebula::profile::www_lib::vhosts::dspace7_deepblue (
- String $prefix = 'dspace7',
 String $domain,
+ String $prefix = 'dspace7',
 String $ssl_cn = 'deepblue.lib.umich.edu',
 String $docroot = '/www/deepblue/web'
 ) {
From 16277b7bc6881d13545cd1fc1a4992acf9ac114c Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Wed, 24 Sep 2025 12:06:32 -0400
Subject: [PATCH 06/21] add dspace7 vhost prefix
---
 manifests/profile/www_lib/apache/misc.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/profile/www_lib/apache/misc.pp b/manifests/profile/www_lib/apache/misc.pp
index 54f7f664e..976a8eafb 100644
--- a/manifests/profile/www_lib/apache/misc.pp
+++ b/manifests/profile/www_lib/apache/misc.pp
@@ -49,7 +49,7 @@
 # depends on ssl_keypairs above (or delcared in includes like apache::fulcrum)
 include nebula::profile::www_lib::vhosts::redirects
- $vhost_prefix = 'nebula::profile::www_lib::vhosts' ['default','www_lib','apps_lib','staff_lib','datamart','deepblue', 'openmich', 'mgetit', 'search'].each |$vhost| {
+ $vhost_prefix = 'nebula::profile::www_lib::vhosts' ['default','www_lib','apps_lib','staff_lib','datamart','dspace7_deepblue','deepblue', 'openmich', 'mgetit', 'search'].each |$vhost| {
 class { "nebula::profile::www_lib::vhosts::${vhost}":
 prefix => $prefix,
 domain => $domain,
From d9b3e0ad16ffef994af66f3311cf3730475839b4 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Wed, 24 Sep 2025 12:40:12 -0400
Subject: [PATCH 07/21] update log naming
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index 866d20f58..6b29a2f4f 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -16,7 +16,7 @@
 ) {
 $servername = "${prefix}.deepblue.${domain}"
- file { "${apache::params::logroot}/deepblue":
+ file { "${apache::params::logroot}/dspace7_deepblue":
 ensure => 'directory',
 }
From 2be2ff02ed7771d765eda2f364bfbee7220552b2 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Wed, 24 Sep 2025 13:03:42 -0400
Subject: [PATCH 08/21] update duplicates
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index 6b29a2f4f..8ea02b53c 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -20,7 +20,7 @@
 ensure => 'directory',
 }
- nebula::apache::www_lib_vhost { 'deepblue-http':
+ nebula::apache::www_lib_vhost { 'dspace7_deepblue-http':
 servername => $servername,
 docroot => $docroot,
 logging_prefix => 'dspace7-deepblue/',
@@ -33,7 +33,7 @@
 ],
 }
- nebula::apache::www_lib_vhost { 'deepblue-https':
+ nebula::apache::www_lib_vhost { 'dspace7_deepblue-https':
 servername => $servername,
 docroot => $docroot,
 logging_prefix => 'dspace7-deepblue/',
From 0451e6a52a1bfcb95785d340ec3d20325352ab7a Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Wed, 24 Sep 2025 13:24:25 -0400
Subject: [PATCH 09/21] update https vhost
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index 8ea02b53c..d363218a5 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -33,7 +33,7 @@
 ],
 }
- nebula::apache::www_lib_vhost { 'dspace7_deepblue-https':
+ nebula::apache::www_lib_vhost { 'deepblue-https':
 servername => $servername,
 docroot => $docroot,
 logging_prefix => 'dspace7-deepblue/',
From 4278d70f57dc58fe8ff653714429157a053ed989 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Wed, 24 Sep 2025 13:39:03 -0400
Subject: [PATCH 10/21] update https
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index d363218a5..e18548dfd 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -20,7 +20,7 @@
 ensure => 'directory',
 }
- nebula::apache::www_lib_vhost { 'dspace7_deepblue-http':
+ nebula::apache::www_lib_vhost { 'dspace7-deepblue-http':
 servername => $servername,
 docroot => $docroot,
 logging_prefix => 'dspace7-deepblue/',
@@ -33,7 +33,7 @@
 ],
 }
- nebula::apache::www_lib_vhost { 'deepblue-https':
+ nebula::apache::www_lib_vhost { 'dspace7-deepblue-https':
 servername => $servername,
 docroot => $docroot,
 logging_prefix => 'dspace7-deepblue/',
From c88c5484d5855a3644b1838e5f839d6fe731df30 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Wed, 24 Sep 2025 14:10:26 -0400
Subject: [PATCH 11/21] update test
---
 spec/classes/role/www_lib_vm_spec.rb | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/spec/classes/role/www_lib_vm_spec.rb b/spec/classes/role/www_lib_vm_spec.rb
index 4c527226e..667abffcd 100644
--- a/spec/classes/role/www_lib_vm_spec.rb
+++ b/spec/classes/role/www_lib_vm_spec.rb
@@ -142,6 +142,12 @@
 .with_ssl_proxyengine(true)
 end
+ it do
+ expect(subject).to contain_apache__vhost("dspace7-deepblue-https")
+ .with_ssl_cert("/etc/ssl/certs/deepblue.lib.umich.edu.crt")
+ .with_servername("deepblue.lib.umich.edu")
+ .with_ssl_proxyengine(true)
+ end
 it do
 expect(subject).to contain_apache__vhost("openmich-https")
 .with_ssl_cert("/etc/ssl/certs/open.umich.edu.crt")
From d5159eeed57354f1c54bfc261599f3b0b9be8df6 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Wed, 24 Sep 2025 14:42:09 -0400
Subject: [PATCH 12/21] add ssl_proxy_machine_certificate_file to test
---
 spec/classes/role/www_lib_vm_spec.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/spec/classes/role/www_lib_vm_spec.rb b/spec/classes/role/www_lib_vm_spec.rb
index 667abffcd..5024eff7d 100644
--- a/spec/classes/role/www_lib_vm_spec.rb
+++ b/spec/classes/role/www_lib_vm_spec.rb
@@ -147,7 +147,9 @@
 .with_ssl_cert("/etc/ssl/certs/deepblue.lib.umich.edu.crt")
 .with_servername("deepblue.lib.umich.edu")
 .with_ssl_proxyengine(true)
+ .with_ssl_proxy_machine_certificate_file("/etc/ssl/private/machine-cert-deepblue.lib.pem")
 end
+
 it do
 expect(subject).to contain_apache__vhost("openmich-https")
 .with_ssl_cert("/etc/ssl/certs/open.umich.edu.crt")
From 090060d222c014df8269cc68a8016aaf352f33a9 Mon Sep 17 00:00:00 2001
From: Sebastien Korner
Date: Thu, 25 Sep 2025 08:09:56 -0400
Subject: [PATCH 13/21] Update syntax for the ssl proxy machine cert
Also drop testing the temporary vhost
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 2 +-
 spec/classes/role/www_lib_vm_spec.rb | 8 --------
 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index e18548dfd..a6c20ad1d 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -43,7 +43,7 @@
 usertrack => true,
 auth_openidc => true,
 auth_openidc_redirect_uri => 'https://dspace7.deepblue.lib.umich.edu/openid-connect/callback',
- ssl_proxy_machine_certificate_file => '/etc/ssl/private/machine-cert-deepblue.lib.pem',
+ ssl_proxy_machine_cert => '/etc/ssl/private/machine-cert-deepblue.lib.pem',
 rewrites => [
 {
diff --git a/spec/classes/role/www_lib_vm_spec.rb b/spec/classes/role/www_lib_vm_spec.rb
index 5024eff7d..4c527226e 100644
--- a/spec/classes/role/www_lib_vm_spec.rb
+++ b/spec/classes/role/www_lib_vm_spec.rb
@@ -142,14 +142,6 @@
 .with_ssl_proxyengine(true)
 end
- it do
- expect(subject).to contain_apache__vhost("dspace7-deepblue-https")
- .with_ssl_cert("/etc/ssl/certs/deepblue.lib.umich.edu.crt")
- .with_servername("deepblue.lib.umich.edu")
- .with_ssl_proxyengine(true)
- .with_ssl_proxy_machine_certificate_file("/etc/ssl/private/machine-cert-deepblue.lib.pem")
- end
-
 it do
 expect(subject).to contain_apache__vhost("openmich-https")
 .with_ssl_cert("/etc/ssl/certs/open.umich.edu.crt")
From a8c901d96b802241c60b168e71202f9f0d1e7341 Mon Sep 17 00:00:00 2001
From: Sebastien Korner
Date: Thu, 25 Sep 2025 08:26:23 -0400
Subject: [PATCH 14/21] Make the apache log dir consistent and cleanup linting issues
---
 .../www_lib/vhosts/dspace7_deepblue.pp | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index a6c20ad1d..e3220aed7 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -16,7 +16,7 @@
 ) {
 $servername = "${prefix}.deepblue.${domain}"
- file { "${apache::params::logroot}/dspace7_deepblue":
+ file { "${apache::params::logroot}/dspace7-deepblue":
 ensure => 'directory',
 }
@@ -34,18 +34,18 @@
 }
 nebula::apache::www_lib_vhost { 'dspace7-deepblue-https':
- servername => $servername,
- docroot => $docroot,
- logging_prefix => 'dspace7-deepblue/',
+ servername => $servername,
+ docroot => $docroot,
+ logging_prefix => 'dspace7-deepblue/',
- ssl => true,
- ssl_cn => $ssl_cn,
- usertrack => true,
- auth_openidc => true,
- auth_openidc_redirect_uri => 'https://dspace7.deepblue.lib.umich.edu/openid-connect/callback',
- ssl_proxy_machine_cert => '/etc/ssl/private/machine-cert-deepblue.lib.pem',
+ ssl => true,
+ ssl_cn => $ssl_cn,
+ usertrack => true,
+ auth_openidc => true,
+ auth_openidc_redirect_uri => 'https://dspace7.deepblue.lib.umich.edu/openid-connect/callback',
+ ssl_proxy_machine_cert => '/etc/ssl/private/machine-cert-deepblue.lib.pem',
- rewrites => [
+ rewrites => [
 {
 comment => 'Deep Blue Repositories home page is on www.lib now',
 rewrite_cond => '%{REQUEST_URI} ^((\/?|/index.html)$|/splash/)',
@@ -80,7 +80,7 @@
 },
 ],
- directories => [
+ directories => [
 {
 provider => 'directory',
 path => $docroot,
@@ -124,7 +124,7 @@
 },
 ],
- request_headers => [
+ request_headers => [
 # Setting remote user for 2.4
 'set X-Remote-User "expr=%{REMOTE_USER}"',
 # Fix redirects being sent to non ssl url (https -> http)
@@ -135,20 +135,20 @@
 'unset X-Forwarded-For',
 ],
- headers => [
+ headers => [
 'set "Strict-Transport-Security" "max-age=3600"',
 'set "X-Frame-Options" "SAMEORIGIN"',
 ],
- ssl_proxyengine => true,
- ssl_proxy_check_peer_name => 'on',
- ssl_proxy_check_peer_expire => 'on',
+ ssl_proxyengine => true,
+ ssl_proxy_check_peer_name => 'on',
+ ssl_proxy_check_peer_expire => 'on',
 ## Redirect Deep Blue Data to an outage
 ## RewriteEngine On
 ## RewriteRule ^/data(.*)$ http://www.lib.umich.edu/outages/deep-blue-data-0 [redirect,noescape,last]
- custom_fragment => @(EOT)
+ custom_fragment => @(EOT)
 ProxyPassReverse /data https://app-deepbluedata.deepblue.lib.umich.edu:30060/
 ProxyPassReverse / https://production.deepblue.lib.umich.edu:8443/
 | EOT
From 3c170fdf7ae0cc096c14fe6155458009aebd955a Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Mon, 29 Sep 2025 12:37:31 -0400
Subject: [PATCH 15/21] update redirect url to point at kubernetes ingress url
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index e3220aed7..2c437f783 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -72,7 +72,7 @@
 {
 comment => 'Deep Blue Documents; dont proxy auth_oidc',
 rewrite_cond => ['%{ENV:badrobot} !(^true$)', '%{REQUEST_URI} !^(/openid-connect)'],
- rewrite_rule => '^(.*)$ https://production.deepblue.lib.umich.edu:8443$1 [P]'
+ rewrite_rule => '^(.*)$ https://production.deepblue-documents.lib.umich.edu:8443$1 [P]'
 },
 {
 comment => 'Deep Blue Preservation redirect',
@@ -150,7 +150,7 @@
 custom_fragment => @(EOT)
 ProxyPassReverse /data https://app-deepbluedata.deepblue.lib.umich.edu:30060/
- ProxyPassReverse / https://production.deepblue.lib.umich.edu:8443/
+ ProxyPassReverse / https://production.deepblue-documents.lib.umich.edu:8443/
 | EOT
 }
 }
From 882aca946019201645a34525cbe7430312237886 Mon Sep 17 00:00:00 2001
From: Sebastien Korner
Date: Thu, 2 Oct 2025 13:37:13 -0400
Subject: [PATCH 16/21] The prefix is being overriden as null when called so don't bother using it.
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index 2c437f783..4bacdf350 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -10,11 +10,11 @@
 # include nebula::profile::www_lib::vhosts::deepblue
 class nebula::profile::www_lib::vhosts::dspace7_deepblue (
 String $domain,
- String $prefix = 'dspace7',
+ String $prefix,
 String $ssl_cn = 'deepblue.lib.umich.edu',
 String $docroot = '/www/deepblue/web'
 ) {
- $servername = "${prefix}.deepblue.${domain}"
+ $servername = "${prefix}dspace7.deepblue.${domain}"
 file { "${apache::params::logroot}/dspace7-deepblue":
 ensure => 'directory',
From 707fab5c8f4e56f43c17c133549d0bb5dde7c8f0 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Mon, 6 Oct 2025 12:59:46 -0400
Subject: [PATCH 17/21] add redirects
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index 4bacdf350..67174d709 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -78,6 +78,18 @@
 comment => 'Deep Blue Preservation redirect',
 rewrite_rule => '^/static/about/deepbluepreservation.html https://www.lib.umich.edu/about-us/policies/digital-repository-services-digital-preservation-policy/registered-formats-and [R=permanent,L]'
 },
+ {
+ comment => 'new path in DSpace 7 REST-API'
+ rewrite_rule => '^/RESTapi https://backend.production-deepblue-documents.lib.mich.edu/rest [R=permanent,L]'
+ },
+ {
+ comment => 'new path in DSpace 7 for OAI'
+ rewrite_rule => '^/dspace-oai https://backend.production-deepblue-documents.lib.mich.edu/oai [R=permanent,L]'
+ },
+ {
+ comment => 'new path in DSpace 7 for SWORDV2'
+ rewrite_rule => '^/swordv2 https://backend.production-deepblue-documents.lib.mich.edu/swardv2 [R=permanent,L]'
+ },
 ],
 directories => [
From c62ed1a5178a1a3d413efb36eebf041f42e58f0d Mon Sep 17 00:00:00 2001
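Review bot: The three redirect entries added in the `@@ -78` hunk sit after the `Deep Blue Documents` rule (`'^(.*)$ https://production.deepblue-documents.lib.umich.edu:8443$1 [P]'`), and the `P` flag implies `L`, so for any request that is not flagged `badrobot` mod_rewrite stops at that proxy rule and the `^/RESTapi`, `^/dspace-oai` and `^/swordv2` rules are never evaluated; the new entries need to be placed above the proxy rule to take effect. Their targets use the host `backend.production-deepblue-documents.lib.mich.edu`, which differs from every other host in this file (`lib.umich.edu`); if that is a typo, `R=permanent` means the wrong Location will be cached by browsers and intermediaries, so a temporary redirect is safer until the target has been verified. Patches 19 and 20 rewrite other parts of these same lines but keep the `lib.mich.edu` host. The patterns are also not end-anchored and drop the rest of the path (`/RESTapi/items/1` becomes the bare `/rest`); if sub-paths are meant to survive, use `^/RESTapi(.*)$ .../rest$1` and likewise for the other two.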
From: Jody Nega
Date: Mon, 6 Oct 2025 13:43:03 -0400
Subject: [PATCH 18/21] fix linting
---
 .../profile/www_lib/vhosts/dspace7_deepblue.pp | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index 67174d709..db206549f 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -72,23 +72,23 @@
 {
 comment => 'Deep Blue Documents; dont proxy auth_oidc',
 rewrite_cond => ['%{ENV:badrobot} !(^true$)', '%{REQUEST_URI} !^(/openid-connect)'],
- rewrite_rule => '^(.*)$ https://production.deepblue-documents.lib.umich.edu:8443$1 [P]'
+ rewrite_rule => '^(.*)$ https://production.deepblue-documents.lib.umich.edu:8443$1 [P]',
 },
 {
 comment => 'Deep Blue Preservation redirect',
- rewrite_rule => '^/static/about/deepbluepreservation.html https://www.lib.umich.edu/about-us/policies/digital-repository-services-digital-preservation-policy/registered-formats-and [R=permanent,L]'
+ rewrite_rule => '^/static/about/deepbluepreservation.html https://www.lib.umich.edu/about-us/policies/digital-repository-services-digital-preservation-policy/registered-formats-and [R=permanent,L]',
 },
 {
- comment => 'new path in DSpace 7 REST-API'
- rewrite_rule => '^/RESTapi https://backend.production-deepblue-documents.lib.mich.edu/rest [R=permanent,L]'
+ comment => 'new path in DSpace 7 REST-API',
+ rewrite_rule => '^/RESTapi https://backend.production-deepblue-documents.lib.mich.edu/rest [R=permanent,L]',
 },
 {
- comment => 'new path in DSpace 7 for OAI'
- rewrite_rule => '^/dspace-oai https://backend.production-deepblue-documents.lib.mich.edu/oai [R=permanent,L]'
+ comment => 'new path in DSpace 7 for OAI',
+ rewrite_rule => '^/dspace-oai https://backend.production-deepblue-documents.lib.mich.edu/oai [R=permanent,L]',
 },
 {
- comment => 'new path in DSpace 7 for SWORDV2'
- rewrite_rule => '^/swordv2 https://backend.production-deepblue-documents.lib.mich.edu/swardv2 [R=permanent,L]'
+ comment => 'new path in DSpace 7 for SWORDV2',
+ rewrite_rule => '^/swordv2 https://backend.production-deepblue-documents.lib.mich.edu/swardv2 [R=permanent,L]',
 },
 ],
From c9f8ea584e289b14d35f52b9a43fac64bbcdaec1 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Mon, 6 Oct 2025 14:13:36 -0400
Subject: [PATCH 19/21] fix redirect url
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index db206549f..ef80e3c9b 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -80,15 +80,15 @@
 },
 {
 comment => 'new path in DSpace 7 REST-API',
- rewrite_rule => '^/RESTapi https://backend.production-deepblue-documents.lib.mich.edu/rest [R=permanent,L]',
+ rewrite_rule => '^/RESTapi https://backend.production.deepblue-documents.lib.mich.edu/rest [R=permanent,L]',
 },
 {
 comment => 'new path in DSpace 7 for OAI',
- rewrite_rule => '^/dspace-oai https://backend.production-deepblue-documents.lib.mich.edu/oai [R=permanent,L]',
+ rewrite_rule => '^/dspace-oai https://backend.production.deepblue-documents.lib.mich.edu/oai [R=permanent,L]',
 },
 {
 comment => 'new path in DSpace 7 for SWORDV2',
- rewrite_rule => '^/swordv2 https://backend.production-deepblue-documents.lib.mich.edu/swardv2 [R=permanent,L]',
+ rewrite_rule => '^/swordv2 https://backend.production.deepblue-documents.lib.mich.edu/swardv2 [R=permanent,L]',
 },
 ],
From 1bd4f57d7e52c852f2179e159638f6e53a133bf2 Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Mon, 6 Oct 2025 14:14:22 -0400
Subject: [PATCH 20/21] fix typo
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index ef80e3c9b..a1993c8bc 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -88,7 +88,7 @@
 },
 {
 comment => 'new path in DSpace 7 for SWORDV2',
- rewrite_rule => '^/swordv2 https://backend.production.deepblue-documents.lib.mich.edu/swardv2 [R=permanent,L]',
+ rewrite_rule => '^/swordv2 https://backend.production.deepblue-documents.lib.mich.edu/swordv2 [R=permanent,L]',
 },
 ],
From d522d98799013bfad44a7bbbd54f00d35802284d Mon Sep 17 00:00:00 2001
From: Jody Nega
Date: Tue, 7 Oct 2025 10:26:35 -0400
Subject: [PATCH 21/21] add redirect to disable login temporarily
---
 manifests/profile/www_lib/vhosts/dspace7_deepblue.pp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
index a1993c8bc..5cbea9df6 100644
--- a/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
+++ b/manifests/profile/www_lib/vhosts/dspace7_deepblue.pp
@@ -51,6 +51,11 @@
 rewrite_cond => '%{REQUEST_URI} ^((\/?|/index.html)$|/splash/)',
 rewrite_rule => '^(.*)$ https://www.lib.umich.edu/collections/deep-blue-repositories [redirect=permanent,last]'
 },
+ #{
+ # comment => 'Temporarily disable login for go live',
+ # rewrite_cond => '%{REQUEST_URI} !^(/data|/openid-connect)',
+ # rewrite_rule => '^(.*)$ https://lib.umich.edu/outages [L]',
+ #},
 {
 # XXX: Is this really still an issue?
 # Workaround critical DSpace security bug until there is a patch.
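Review bot: The commented-out block added in the `@@ -51` hunk leaves dead configuration in a production manifest, and its condition `'%{REQUEST_URI} !^(/data|/openid-connect)'` would send every documents request except `/data` and the OIDC callback to the outage page if uncommented, so the `Temporarily disable login for go live` comment does not describe what the rule does. A Boolean class parameter (for example `Boolean $login_disabled = false`) that conditionally prepends the entry to `rewrites` makes the switch explicit, reviewable and testable, and the condition should name the actual login path rather than excluding two prefixes. If the block is kept as a reminder, say in the comment under what condition it is meant to be enabled and when it is to be removed.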