fedora-infrastructure

Clone
Source Code
GIT

#1783 Fedora community needs Orbited to proxy AMQP packets
Closed: Fixed None Opened 14 years ago by johnp.

Closed: Fixed
Reopen Issue

= Overview =

This is related to bug #1629. Bug #1629 set up a two tiered broker system, one main amqp broker and a fedora community amqp broker as two separate security domains. Now that we have tested that and made sure it worked we need to hook up the fcomm broker to the browser.

= Why? =

Since the browser can not connect to TCP sockets natively, it needs the help of a proxy to send packets over a persistent open HTTP connection. We do this through Orbited, an implementation of the standard Comet protocol. This is the same protocol that Gmail uses to send TCP packets to its SMTP servers.

While it is true that we can forgo the two tier system and have the proxy connect directly to the main server and still give us the ability to switch off orbited to disconnect clients in the event of a breach, I can not recommend this approach for a number of reasons.

1) The proxy just isn't fine grained enough. It is simply a pass through to enable browser TCP sockets.

2) Having the two tier system means adding another security domain (such as the desktop domain using FAS ACLs or upstream domains) is much easier to drop in.

3) Changes to the second tier won't effect the main service and disconnecting the link means each of the main apps and fedora community apps still have a messaging server to talk to even if they aren't propagating messages. With just a proxy disconnection also means interruption of services.

I plan to have pros and cons laid out in a talk for FUDCon. What we are trading off here is a little more upfront work and extra complexity for a more consistent architecture that is robust enough for expanding the notification and messaging network in the future without revisiting the design.

= What I Need =

I need Orbited running on a port (right now I have it configured to run on port 9000 in the fcomm puppet configs). The full address it is running on needs to be proxied from the same domain as fcomm. For example in puppet:

<Location "<%= path %>/tcp">
SetHandler none
</Location>

<Location "<%= path %>/orbited">
SetHandler none
</Location>

ProxyPass <%= path %>/orbited http://localhost:9000/
ProxyPass <%= path %>/tcp http://localhost:9000/tcp

the /orbited directory can be further restricted to http://localhost:9000/static/ since we just need to retrieve Orbited.js from that path. Alternatively I think we may be able to simply serve that file up statically from fcomm.

The /tcp path however is needed for setting up the persistent tcp connections.

Oh ya, I forgot to mention the fcom qpid broker can be isolated so it can only talk to the proxy and the main qpid broker. Having it open right now is fine for testing but otherwise it shouldn't be exposed outside of fedora. The proxy is the public piece in this security domain.

If this just an http proxy, why can't we just put it in it's own namespace? Like at https://admin.stg.fedoraproject.org/orbited/ ?

   -Mike

Since we are going to 0mq now, closing this.

Login to comment on this ticket.

Metadata
None
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.