This repository was archived by the owner on Aug 21, 2025. It is now read-only.

@rahearn (Contributor) commented Aug 4, 2025

🎫 Addresses issue: #154

closes #154

🛠 Summary of changes

  • enable switching egress modes from the workers to only http, only https, or both http and https
  • enable setting the specific ports the worker proxy will forward to, separately from whether the proxy traffic uses https or http
  • clean up how we set the cloud.gov foundation the service is running in

@rahearn rahearn requested a review from a team August 4, 2025 20:54

@zjrgov (Contributor) left a comment

All looks good to me! But I can't remember what the problem with HTTPS was before?

Comment on lines 14 to +15

cg_api_wildcard = "*.fr-stage.cloud.gov"
cg_ssh_host = "ssh.fr-stage.cloud.gov"
cf_org_name = "cloud-gov-devtools-development"
cf_org_managers = [var.cf_org_manager]
cf_space_prefix = var.cf_space_prefix
ci_server_token = var.ci_server_token
docker_hub_user = var.docker_hub_user
docker_hub_token = var.docker_hub_token
manager_instances = 1
runner_concurrency = 10
developer_emails = var.developer_emails
worker_disk_size = var.worker_disk_size
program_technologies = var.program_technologies
worker_egress_allowlist = setunion(["*.fr-stage.cloud.gov"], var.worker_egress_allowlist)
allow_ssh = var.allow_ssh
cf_api_base = "fr-stage.cloud.gov"
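
Review bot: `worker_egress_allowlist = setunion(["*.fr-stage.cloud.gov"], var.worker_egress_allowlist)` repeats the foundation domain that `cf_api_base = "fr-stage.cloud.gov"` states on the last line, as do `cg_api_wildcard` and `cg_ssh_host` at the top of the block. The rendered lines carry no +/- markers, so it is not visible which of these the change keeps; any that remain should be derived from `cf_api_base` inside the module, so the egress allowlist entry and the API host cannot drift apart when the foundation changes. A short comment on `cf_api_base` saying it is the bare foundation domain (no scheme, no wildcard) would also help callers of the module.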

praise: that makes for a nice simplification

@rahearn (Contributor, Author) commented Aug 4, 2025

> But I can't remember what the problem with HTTPS was before?

My gitlab-ci project pipeline is about 50% broken when using https or both mode right now, so my goal in the near term is to get the workshop-operations onto https mode, but leave customers defaulted at http mode. Then we can work at a sustainable pace trying to clean things up and lock them down better.

@rahearn rahearn merged commit 1921b1a into main Aug 4, 2025
6 checks passed
@rahearn rahearn deleted the enforce-https-proxy branch August 4, 2025 21:13

Development

Successfully merging this pull request may close these issues.

Enable locking down proxy to https only
