Meeting: 2016-11-01 DC-2564
Attendance: Issac Morland; Lori D. Paniak; Nathan Fish
Agenda:
Discussion of haproxy/backend service layer 4+ configuration.
- overview of haproxy solution with three nextcloud backends
- question of supporting multiple TLS sites on a single server: SAN (current CS configuration) vs SNI (preferred/only haproxy configuration)
- SAN with a single cert to update per year vs SNI with a cert to update per service per year
- request access to API for cert renewal from IST. Automation should remove the extra load of moving from SAN to SNI.
- need to lock down haproxy console better
- question of frontend doing authentication with stateless backend configuration - scale-out advantages
- move towards OpenID for authentication leveraging remote_user framework
- cs.uwaterloo.ca uses a directory per day for apache logs. Aim to replicate this as the standard configuration for nextcloud and other new CS(CF) web services.
- end goal for logs is to rotate them into database for analysis
To do:
- request API for GlobalSign cert updates
- initial work on salt-ifying www152.cs apache configuration. Goal is to have a modular, per virtual host configuration in salt that can be easily updated and deployed to arbitrary hardware/containers with minimal effort.
Next meeting: Nov 4 or 7/8.
--
LoriPaniak - 2016-11-01