IRC log for #confidant, 2017-04-05

All times shown according to UTC.

Time Nick Message
01:48 ilbot3 joined #confidant
01:48 Topic for #confidant is now Secret management for AWS. https://lyft.github.io/confidant Channel logs at http://irclog.perlgeek.de/confidant/
18:51 Masterphi joined #confidant
19:35 MaXx joined #confidant
19:36 MaXx Hi! I'm probably missing something, but is there a way to run Confidant with SSL before my ELB?
19:38 MaXx basically url_for and request.base_url are http:// only, getting Google oauth working was a pain
19:39 MaXx I had to extend the werkzeug adapter to fix base_url and add _scheme and _external to url_for()
19:40 MaXx So now it works fine... but still
20:32 Ryan_Lane @MaXx you mean the ELB doing SSL gtermination?
20:33 Ryan_Lane *termination
20:33 Ryan_Lane MaXx: https://github.com/lyft/confidant/issues/50
20:33 Ryan_Lane let me actually close this ticket out :)
20:33 Ryan_Lane I'll document it now
20:48 MaXx yes
20:49 MaXx is it going to be the IP or the host?
20:51 MaXx nvm, I guess it's just X-Forwarded-Host
20:52 MaXx and Proto, the host is fine actually
20:53 MaXx also, REDIRECT_URI didn't work for google, I set it up to https or even a different host, no luck here, not being used.
22:13 Ryan_Lane MaXx: it'll trust both
22:15 Ryan_Lane X-Forwarded-For and X-Forwarded-Proto will be sent by the ELB, and gunicorn will use the proto to know it got an https request. you trust the IPs of the ELBs, so we just trust *, since you can't know the ELB IPs
22:18 Ryan_Lane hm. redirect_uri may have been a leftover setting from an old google auth library we used
22:18 Ryan_Lane let me see if authomatic uses it
22:19 Ryan_Lane MaXx: yep, that's an unused setting. going to make a PR to remove that. you set that up through google
22:20 Ryan_Lane we used to support an oauth bouncer for older google auth
22:21 MaXx In my case it would work just fine if redirect_uri was used instead of url_for() and the adapter.url, but yeah, it isn't required, everything is going back to v1/login
22:38 wm-bot GitHub [lyft/confidant] ryan-lane closed issue Document forwarded_allow_ips for gunicorn: https://github.com/lyft/confidant/issues/50
22:56 MaXx Ryan, that's just FORWARDED_ALLOW_IPS to set up? that's it?
22:56 Ryan_Lane yeah
22:57 Ryan_Lane I did get reports that people had issues with the env var
22:57 MaXx yeah it doesn't work
22:57 Ryan_Lane and that they needed to use the gunicorn cli flag
22:58 Ryan_Lane https://lyft.github.io/confidant/basics/configuration/#gunicorn-configuration-for-ssl-termination-support
22:58 Ryan_Lane --forwarded-allow-ips=*
22:59 MaXx GUNICORN_CMD_ARGS="--forwarded-allow-ips=*"
22:59 MaXx going to try
23:01 MaXx didn't work, trying again without the =
23:04 MaXx 19.7
23:04 MaXx damn
23:04 MaXx gunicorn==19.3.0
23:04 MaXx too bad
23:04 MaXx http://docs.gunicorn.org/en/stable/settings.html
23:05 MaXx look at the first note
23:05 Ryan_Lane ah. so you need to use the CLI arg because our version of gunicorn is old
23:05 MaXx so I can use GUNICORN_CMD_ARGS straight from ECS
23:06 MaXx yeah but GUNICORN_CMD_ARGS is cool... and I don't have to maintain my own repo
23:06 Ryan_Lane ahhh. that specific var is usable in that version
23:06 MaXx pleeeeease :)
23:08 MaXx yeah but it doesn't work, I tried FORWARDED_ALLOW_IPS *, no luck
23:08 Ryan_Lane are you not able to modify the docker command via ecs?
23:08 Ryan_Lane default command is: `CMD ["gunicorn","confidant.wsgi:app","--workers=2","-k","gevent","--access-logfile=-","--error-logfile=-"]`
23:09 Ryan_Lane so an extra arg would work
23:09 MaXx ah got it!
23:09 MaXx yeah I guess I can just override it
23:12 Ryan_Lane -_- https://github.com/lyft/gunicorn/blob/a669867099ff76888141cee9332c1e5bc8171377/gunicorn/__init__.py
23:13 Ryan_Lane https://github.com/lyft/gunicorn/commit/a669867099ff76888141cee9332c1e5bc8171377#diff-8db01cdc6a238a077f5e5765c07aa5f5
23:13 Ryan_Lane FORWARDED_ALLOW_IPS env var was added in 19.4.5
23:19 Ryan_Lane ok. I'm going to open an issue to upgrade gunicorn
23:19 Ryan_Lane I should write some out-of-process integration tests for situations like this
23:21 MaXx it doesn't start, the container dies every time :(
23:21 Ryan_Lane damn
23:21 MaXx trying to get some logs
23:21 Ryan_Lane I haven't used much ECS, so hard for me to help
23:22 wm-bot GitHub [lyft/confidant] new issue by ryan-lane: Upgrade gunicorn to newest version https://github.com/lyft/confidant/issues/137
23:23 MaXx CannotStartContainerError: API error (404): invalid header field value
23:23 MaXx weird
23:23 MaXx gunicorn confidant.wsgi:app --forwarded-allow-ips=* --workers=4 -k gevent --access-logfile=- --error-logfile=-
23:23 MaXx did I forget something?
23:25 MaXx oci runtime error: container_linux.go:247
23:25 Ryan_Lane hm. maybe try --forwarded-allow-ips='*'
23:25 Ryan_Lane just in case the * is being evaluated by the shell
23:25 MaXx yeah was about to espace everything
23:25 MaXx escape
23:31 MaXx nope, trying without the logfiles
23:33 Ryan_Lane doing some quick testing with an upgraded gunicorn
23:35 MaXx well, that's a bug in ECS and docker apparently :(
23:36 Ryan_Lane doh
23:36 Ryan_Lane ok, well, give me a bit. I may be able to cut a release with an updated gunicorn
23:36 Ryan_Lane let me also look at its changelog, since it doesn't seem like it uses semver completely
23:42 Ryan_Lane I don't think any of the removals affect confidant
23:47 MaXx I think it wants the cmd line like this: "gunicorn","confidant.wsgi:app",.... without [ ]
23:48 Ryan_Lane huh. weird
23:52 MaXx nop, trying gunicorn,confidant.wsgi:app,--forwarded-allow-ips='*',--workers=4,-k,gevent,--access-logfile=-,--error-logfile=-
23:52 MaXx no [ ] "
23:52 MaXx RUNNING
23:52 MaXx yeah
23:53 MaXx ok still redirecting to http
23:53 MaXx trying to unescape *
23:53 MaXx last try... I'm done
23:55 MaXx YEAAHHH
23:55 MaXx gunicorn,confidant.wsgi:app,--forwarded-allow-ips=*,--workers=4,-k,gevent,--access-logfile=-,--error-logfile=-
23:55 MaXx ecs -> command field