• Wednesday

    • Private.
    • Had this wp blog go down for the first time. Error Establishing Database Connection. No prior changes, no mods to creds, etc. Just sudo reboot from the DO console, fixed.
    • Remember route53 doesn’t charge for alias records to other resources (like elb or cf).
    • Added backyard ring cam.
    • Updated postman version.
    • Supercontest.
      • Finished https://gitlab.com/bmahlstedt/supercontest/-/issues/193.
      • Figured out what was broken in the network layer last night. It was WAF. Was checking referer=southbaysupercontest.com and blocking all requests without that header. This was a remnant from when the cf dist only had one origin, s3. Now the toplevel dist is gonna get requests from all sorts of client referers. Made the WAF ACL conditional first. Then just deleted it.
      • CF does the http -> https redirect, cleaner – don’t need 2 ELB listeners now. SSL termination still happens there, of course.
      • You can spoof referer in a request, of course. It’s just a header.
      • Working with cloudfront is a little annoying, fb cycle time is ~15min.
      • Nope, the WAF issue wasn’t it. Here’s a good summary: https://stackoverflow.com/a/75672806. Basically, 502 was because cloudfront couldn’t connect to the origin, because TLS was failing. The cert must match the host header, and cloudfront wasn’t forwarding the host header, so elb returned bad gateway. You can configure cf to forward all headers in the viewer policy.
      • Added WAF back.
      • Banners, team logos, brand content. This is routed at /assets, served by S3 (via CF). That’s not ALL the static content though. CSS/JS are still served by the app (will change later). This /static path was conflicting with the S3 one, so I moved the cloud to /assets.
      • Overall, got everything working. Both the app and the static content are edged by cloudfront (and static cached). And most static assets are on s3. Access-controlled by WAF.
      • Also added lines+scores to allpicks view, for convenience: https://gitlab.com/bmahlstedt/supercontest/-/issues/220.
      • Also note: You could cache the app (keyed by url params, any custom headers you want, etc). But do this once the dynamic app behavior is resolved. Right now, so much is fetched/queried/calculated in realtime, you’ll get stale data (saw this with old templates after the oldpicks change, and requesting a js bundle hash that didn’t exist bc it was stale, etc).
      • Deployed the banner yesterday. Line autocommit worked well today. Tried to submit picks and there was a bug. The CF distribution was configured to only forward ELB request methods GET/HEAD (default). The picking interface does some POST calls.
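
The two CloudFront misconfigurations in these notes (Host header not forwarded to an HTTPS ELB origin, and only GET/HEAD allowed on the behavior in front of the app) can be caught before deploying by auditing the distribution config. The following is an added example, not code or config from this blog: the `SAMPLE` dict is constructed, the origin ids and domain names are placeholders, `audit` is a hypothetical helper, and it only inspects the legacy `ForwardedValues` header list (a behavior using an origin request policy would need that policy resolved first).

```python
# Constructed sample in the shape of a CloudFront DistributionConfig
# (as returned by get-distribution-config). All ids/domains are placeholders.
SAMPLE = {
    "Origins": {"Items": [
        {"Id": "app-elb", "DomainName": "elb.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
        {"Id": "assets-s3", "DomainName": "bucket.example.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "app-elb",
        "ViewerProtocolPolicy": "redirect-to-https",
        "AllowedMethods": {"Items": ["GET", "HEAD"]},       # the default
        "ForwardedValues": {"Headers": {"Items": []}},      # Host not forwarded
    },
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/assets/*", "TargetOriginId": "assets-s3",
         "ViewerProtocolPolicy": "redirect-to-https",
         "AllowedMethods": {"Items": ["GET", "HEAD"]},
         "ForwardedValues": {"Headers": {"Items": []}}},
    ]},
}

def audit(cfg):
    """Return (path, finding) pairs for behaviors that need review."""
    origins = {o["Id"]: o for o in cfg["Origins"]["Items"]}
    behaviors = [("default", cfg["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b)
                  for b in cfg.get("CacheBehaviors", {}).get("Items", [])]
    findings = []
    for path, b in behaviors:
        custom = origins[b["TargetOriginId"]].get("CustomOriginConfig")
        fwd = b.get("ForwardedValues", {}).get("Headers", {}).get("Items", [])
        headers = {h.lower() for h in fwd}
        methods = set(b["AllowedMethods"]["Items"])
        # Over TLS the origin cert must match the origin domain name unless
        # Host is forwarded; an ELB cert for the site domain fails -> 502.
        if custom and custom["OriginProtocolPolicy"] != "http-only" \
                and not headers & {"host", "*"}:
            findings.append((path, "host-not-forwarded"))
        # An app origin that takes form/API submissions needs POST allowed.
        if custom and "POST" not in methods:
            findings.append((path, "no-post"))
        # Viewer-side http -> https redirect should be on for every behavior.
        if b["ViewerProtocolPolicy"] == "allow-all":
            findings.append((path, "no-https-redirect"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

The S3-backed `/assets/*` behavior is intentionally left at GET/HEAD; only behaviors pointing at a custom (ELB) origin are checked for POST.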