Setup review hosts in private subnet
Closes #997 (closed)
Description
This merge request does the following:

- It uses a new version of the EC2 instance template. The new template creates instances in a private subnet. Instances do not get a public IPv4 address anymore.
- It replaces the use of `.reviewhost` domains with `*.public.review.technicie.nl` and `*.private.review.technicie.nl` domains. `*.public.review.technicie.nl` points to `refter` (a server that acts as a NAT gateway from the public subnet to the private subnet). `*.private.review.technicie.nl` points to private IPv4 addresses within the private review subnet.

  `refter` has the following nginx config to route the HTTP traffic:
```nginx
server {
    # Plain HTTP: redirect everything to HTTPS on the same host.
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    # Catch-all for HTTPS requests whose Host header matches no review host.
    # The wildcard certificate is served so the TLS handshake succeeds, then 404.
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/public.review.technicie.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/public.review.technicie.nl/privkey.pem;
    return 404;
}

server {
    # Exactly one DNS label of 1-63 lowercase letters, digits or hyphens is
    # captured as $mr_slug; any other Host falls through to the 404 server above.
    # "ssl" on the listen directive replaces the deprecated "ssl on;".
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name "~^(?<mr_slug>[-a-z0-9]{1,63})\.public\.review\.technicie\.nl$";
    ssl_certificate /etc/letsencrypt/live/public.review.technicie.nl/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/public.review.technicie.nl/privkey.pem;

    location / {
        # A resolver is required because proxy_pass contains a variable and the
        # backend name is looked up at request time (127.0.0.53 is the local
        # systemd-resolved stub, which serves the private zone).
        resolver 127.0.0.53;
        proxy_pass http://$mr_slug.private.review.technicie.nl$request_uri;
    }
}
```
- HTTPS does not seem to be working correctly in the current setup (for me at least). This MR does work with HTTPS.
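As an added example (not part of this MR or the project's code), a small Python script that mirrors the nginx routing rule and checks that answers for `*.private.review.technicie.nl` names stay inside the private review subnet. The subnet `10.0.1.0/24` and the sample DNS answers are constructed assumptions.

```python
import ipaddress
import re
from typing import List, Optional

PUBLIC_ZONE = "public.review.technicie.nl"
PRIVATE_ZONE = "private.review.technicie.nl"

# Same pattern as the nginx server_name: exactly one DNS label of 1-63
# lowercase letters, digits or hyphens directly under the public zone.
SLUG_RE = re.compile(r"^(?P<mr_slug>[-a-z0-9]{1,63})\." + re.escape(PUBLIC_ZONE) + r"$")


def upstream_for_host(host: str) -> Optional[str]:
    """Map an incoming Host header to the private backend name nginx proxies to.

    Returns None for anything the pattern rejects, which is what the 404
    default_server handles. The slug comes from the bounded capture, not the
    raw Host header, so a client cannot point proxy_pass at a host of its choice.
    """
    match = SLUG_RE.match(host.lower().rstrip("."))
    if match is None:
        return None
    return f"{match.group('mr_slug')}.{PRIVATE_ZONE}"


def answers_are_private(answers: List[str], subnet: str) -> bool:
    """Check that every A record for a *.private.* name lies inside the
    private review subnet. An empty answer or any address outside the
    subnet fails, since that means a review host was not created in the
    private subnet or the zone was edited by hand."""
    net = ipaddress.ip_network(subnet)
    return bool(answers) and all(ipaddress.ip_address(a) in net for a in answers)


if __name__ == "__main__":
    # Constructed sample values; the real subnet comes from the VPC template.
    review_subnet = "10.0.1.0/24"
    sample_answers = {"mr-997.private.review.technicie.nl": ["10.0.1.23"]}
    for host in ["mr-997.public.review.technicie.nl", "evil.example.com"]:
        backend = upstream_for_host(host)
        ok = backend is not None and answers_are_private(sample_answers.get(backend, []), review_subnet)
        print(f"{host} -> {backend} private={ok}")
```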
After this is merged, the following things should be cleaned up:

- The IAM users and policies that are not used anymore.
- The `.reviewhost` hosted zone in Route 53.
- The old EC2 instance and VPC setup.
Edited by Joren Vrancken