Serve HTTPS and WebSocket on the same port.

Serve HTTPS and WebSocket on the same port.

The WebSocket connection must be established on
port 443, so that using Firefox securely no longer
requires the user to accept a self-signed certificate 
twice: once for the HTTPS port and once for the wss port.

HAProxy is used to do that: juju-gui/ppa contains the
development release of HAProxy, supporting SSL.
HTTPS traffic is sent to nginx (port 8000), and wss
connections are redirected to the underlaying API
backend (port 8080). The juju-api-port option has been
removed: since that port is no longer exposed, the one
being used can be considered just an internal 
implementation.

Other changes:

Updated documentation.

Moved static upstart configuration files set up to the 
install hook. This way, a config change no longer causes 
them to be rewritten as they are over and over.

Some renaming and clean up.

QA:

- deploy the charm
- open the application using Firefox
- add the security exception
- you should see the Juju GUI login screen
- now try staging: juju set juju-gui staging=true
- compulsively refresh Firefox
- admire the services

https://code.launchpad.net/~frankban/charms/precise/juju-gui/bug-1104098-same-port/+merge/145940

(do not edit description out of merge proposal)

[frankban, 2013-01-31 18:16:04]

Please take a look.

[gary.poster, 2013-02-01 02:07:44]

Wow, very nice Francesco.

Land as is.  I have some chatty comments, in which I do request a change or two,
but they are disconnected from what you did.  (When I talk about 1110816, I mean
you could tackle it in another branch, not here. :-) )

I did not QA this, because it is well past my EoD but I wanted you to have a
review when you started tomorrow, so you could ask Nicola for a review and then
land it. :-)  Nicola, or whoever looks at this next, I'm sorry, but could you do
the QA?

Thank you,

Gary

https://codereview.appspot.com/7253043/diff/1/README.md
File README.md (right):

https://codereview.appspot.com/7253043/diff/1/README.md#newcode9
README.md:9: upcoming continuous integration work.  Internet Explorer 10 will be
supported
As a flyby, could you please delete the "Internet Explorer 10 will be supported
soon," in light of our recent conversations?

https://codereview.appspot.com/7253043/diff/1/config/haproxy.cfg.template
File config/haproxy.cfg.template (right):

https://codereview.appspot.com/7253043/diff/1/config/haproxy.cfg.template#new...
config/haproxy.cfg.template:7: ca-base %(ssl_cert_path)s
You set this up nicely for changes we expect we will need for Go Juju, as you
had mentioned to me.  Maybe include a comment that ca-base is for connecting to
juju, and crt-base is for connecting to browsers?  That's eminently deducible,
but might be nice to clarify.  Do what you think.

https://codereview.appspot.com/7253043/diff/1/config/nginx-site.template
File config/nginx-site.template (right):

https://codereview.appspot.com/7253043/diff/1/config/nginx-site.template#newc...
config/nginx-site.template:17: }
Aside: This is where we would address bug 1110816, I think.  If you were to
comment on that bug (or tackle it) if you think the approach I describe is
reasonable, that would be cool.

https://codereview.appspot.com/7253043/diff/1/hooks/install
File hooks/install (right):

https://codereview.appspot.com/7253043/diff/1/hooks/install#newcode67
hooks/install:67: shutil.copy(os.path.join(source_dir, config_file),
'/etc/init/')
We logged these before.  I agree with you that I don't see the need to do it
here, now.

https://codereview.appspot.com/7253043/diff/1/hooks/utils.py
File hooks/utils.py (right):

https://codereview.appspot.com/7253043/diff/1/hooks/utils.py#newcode389
hooks/utils.py:389: shutil.copyfileobj(open(crt_path), pem_file)
I kind of wanted to see an explanation of why we needed to do this, but I'm
guessing the explanation is, "because that's what haproxy needs to be in the pem
file," in which case...nevermind. :-)

[frankban, 2013-02-01 09:43:38]

Please take a look.

https://codereview.appspot.com/7253043/diff/1/README.md
File README.md (right):

https://codereview.appspot.com/7253043/diff/1/README.md#newcode9
README.md:9: upcoming continuous integration work.  Internet Explorer 10 will be
supported
On 2013/02/01 02:07:45, gary.poster wrote:
> As a flyby, could you please delete the "Internet Explorer 10 will be
supported
> soon," in light of our recent conversations?

Done.

https://codereview.appspot.com/7253043/diff/1/config/haproxy.cfg.template
File config/haproxy.cfg.template (right):

https://codereview.appspot.com/7253043/diff/1/config/haproxy.cfg.template#new...
config/haproxy.cfg.template:7: ca-base %(ssl_cert_path)s
On 2013/02/01 02:07:45, gary.poster wrote:
> You set this up nicely for changes we expect we will need for Go Juju, as you
> had mentioned to me.  Maybe include a comment that ca-base is for connecting
to
> juju, and crt-base is for connecting to browsers?  That's eminently deducible,
> but might be nice to clarify.  Do what you think.

Done.

https://codereview.appspot.com/7253043/diff/1/config/nginx-site.template
File config/nginx-site.template (right):

https://codereview.appspot.com/7253043/diff/1/config/nginx-site.template#newc...
config/nginx-site.template:17: }
On 2013/02/01 02:07:45, gary.poster wrote:
> Aside: This is where we would address bug 1110816, I think.  If you were to
> comment on that bug (or tackle it) if you think the approach I describe is
> reasonable, that would be cool.

I agree, this is the right point where to serve unit tests. Your approach seems
very reasonable and simple.

https://codereview.appspot.com/7253043/diff/1/hooks/utils.py
File hooks/utils.py (right):

https://codereview.appspot.com/7253043/diff/1/hooks/utils.py#newcode389
hooks/utils.py:389: shutil.copyfileobj(open(crt_path), pem_file)
On 2013/02/01 02:07:45, gary.poster wrote:
> I kind of wanted to see an explanation of why we needed to do this, but I'm
> guessing the explanation is, "because that's what haproxy needs to be in the
pem
> file," in which case...nevermind. :-)

Indeed :-)

[teknico, 2013-02-01 12:06:33]

Land as is.

Very nice branch, thanks. See a few comments below.

https://codereview.appspot.com/7253043/diff/9001/README.md
File README.md (left):

https://codereview.appspot.com/7253043/diff/9001/README.md#oldcode65
README.md:65: 
I'd still mention something like: "By default, the deployment uses self-signed
certificates. The browser will ask you to accept a security exception once." or
similar, to reassure users that it's expected.

https://codereview.appspot.com/7253043/diff/9001/config/haproxy.cfg.template
File config/haproxy.cfg.template (right):

https://codereview.appspot.com/7253043/diff/9001/config/haproxy.cfg.template#...
config/haproxy.cfg.template:2: maxconn 4096
We could probably do with a much lower value. Not sure about the usefulness,
though.

https://codereview.appspot.com/7253043/diff/9001/config/haproxy.cfg.template#...
config/haproxy.cfg.template:13: maxconn 4096
Ditto.

https://codereview.appspot.com/7253043/diff/9001/config/haproxy.cfg.template#...
config/haproxy.cfg.template:20: timeout tunnel 8h
Eight hours?!? :-)

https://codereview.appspot.com/7253043/diff/9001/config/haproxy.cfg.template#...
config/haproxy.cfg.template:40: default_backend web
Nice and simple.

https://codereview.appspot.com/7253043/diff/9001/config/nginx-site.template
File config/nginx-site.template (left):

https://codereview.appspot.com/7253043/diff/9001/config/nginx-site.template#o...
config/nginx-site.template:13: ssl_certificate_key %(ssl_cert_path)s/juju.key;
So internal traffic to nginx is not encrypted anymore, ok.

[frankban, 2013-02-01 12:28:57]

Please take a look.

https://codereview.appspot.com/7253043/diff/9001/README.md
File README.md (left):

https://codereview.appspot.com/7253043/diff/9001/README.md#oldcode65
README.md:65: 
On 2013/02/01 12:06:33, teknico wrote:
> I'd still mention something like: "By default, the deployment uses self-signed
> certificates. The browser will ask you to accept a security exception once."
or
> similar, to reassure users that it's expected.

Done.

https://codereview.appspot.com/7253043/diff/9001/config/haproxy.cfg.template
File config/haproxy.cfg.template (right):

https://codereview.appspot.com/7253043/diff/9001/config/haproxy.cfg.template#...
config/haproxy.cfg.template:20: timeout tunnel 8h
On 2013/02/01 12:06:33, teknico wrote:
> Eight hours?!? :-)

To understand this option, see 
http://cbonte.github.com/haproxy-dconv/configuration-1.5.html#4-timeout%20tunnel
Discussing on IRC, we decided to leave this value as is.

[frankban, 2013-02-01 12:30:19]

Thanks for the reviews Gary and Nicola!

[frankban, 2013-02-01 13:50:31]

*** Submitted:

Serve HTTPS and WebSocket on the same port.

The WebSocket connection must be established on
port 443, so that using Firefox securely no longer
requires the user to accept a self-signed certificate 
twice: once for the HTTPS port and once for the wss port.

HAProxy is used to do that: juju-gui/ppa contains the
development release of HAProxy, supporting SSL.
HTTPS traffic is sent to nginx (port 8000), and wss
connections are redirected to the underlaying API
backend (port 8080). The juju-api-port option has been
removed: since that port is no longer exposed, the one
being used can be considered just an internal 
implementation.

Other changes:

Updated documentation.

Moved static upstart configuration files set up to the 
install hook. This way, a config change no longer causes 
them to be rewritten as they are over and over.

Some renaming and clean up.

QA:

- deploy the charm
- open the application using Firefox
- add the security exception
- you should see the Juju GUI login screen
- now try staging: juju set juju-gui staging=true
- compulsively refresh Firefox
- admire the services

R=gary.poster, teknico
CC=
https://codereview.appspot.com/7253043