From 104644011578632e8373120406f9dd55fcf4d6ac Mon Sep 17 00:00:00 2001 From: bloodearnest Date: Tue, 17 Feb 2026 14:25:46 +0000 Subject: [PATCH 1/2] Remove proxy to changelogs.ubuntu.com It was only ever enabled to allow us to use `do-release-upgrade` to upgrade 20.04 to 22.04, we don't need it. It is being crawled by bots, and generating a lot logs noise and consuming diskspace (>50% of journald disk space). Have left it commented out, as we may need to reenable if we have to upgrade-in-place again. --- ...plate => changelogs.opensafely.org.conf.template.disabled | 0 ci-tests.sh | 5 +++-- 2 files changed, 3 insertions(+), 2 deletions(-) rename changelogs.opensafely.org.conf.template => changelogs.opensafely.org.conf.template.disabled (100%) diff --git a/changelogs.opensafely.org.conf.template b/changelogs.opensafely.org.conf.template.disabled similarity index 100% rename from changelogs.opensafely.org.conf.template rename to changelogs.opensafely.org.conf.template.disabled diff --git a/ci-tests.sh b/ci-tests.sh index 5bebce5..8ad6971 100755 --- a/ci-tests.sh +++ b/ci-tests.sh @@ -43,7 +43,7 @@ try() { curl_args+=(--write-out "%{http_code}") curl_args+=(--connect-to github-proxy.opensafely.org:80:127.0.0.1:8080) curl_args+=(--connect-to docker-proxy.opensafely.org:80:127.0.0.1:8080) - curl_args+=(--connect-to changelogs.opensafely.org:80:127.0.0.1:8080) + #curl_args+=(--connect-to changelogs.opensafely.org:80:127.0.0.1:8080) # Conditionally token if set. Only used for docker-proxy tests. if test -n "${token}"; then @@ -187,6 +187,7 @@ try "docker-proxy.opensafely.org/v2/opensafely-core/busybox/blobs/$digest?" 200 ### changelogs.opensafely.org ### # This allows us to use the do-release-upgrade tool to perform major backend OS upgrades. -try changelogs.opensafely.org/meta-release-lts 200 +# Disabled as we don't typically needed unless we are using do-release-upgrade +#try changelogs.opensafely.org/meta-release-lts 200 exit $return_code 
From af43f26c6e6cdee5d9830663ae1f7c57190bc4f0 Mon Sep 17 00:00:00 2001 From: bloodearnest Date: Tue, 17 Feb 2026 14:43:57 +0000 Subject: [PATCH 2/2] Update readme to document disabling changelogs proxy --- README.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 68a2905..621318b 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ To secure and limit access to external services, the OpenSAFELY platform maintains a proxy service. OpenSAFELY backends explicitly use these proxies when they need to access external data. -This repository produces a Docker image that uses nginx to host four proxy +This repository produces a Docker image that uses nginx to host two proxy domains, each has their own nginx config file: * github-proxy.opensafely.org: this provides access to *only* opensafely @@ -16,10 +16,7 @@ domains, each has their own nginx config file: Container Registry, where the docker images for running the study code are stored. - * changelogs.opensafely.org: this allows us to use the do-release-upgrade tool - to perform major OS upgrades. - -Whilst the last two are very simple, the first two requires some shenagins in +Whilst the last one are very simple, the first two requires some shenagins in order to proxy git http protocol and docker registry API v2.0 protocol. Of particular note is that ghcr.io issues 307 redirects for blob urls to 
@@ -29,6 +26,18 @@ Fastly. So, we use an `internal` nginx handler to resolve and fetch the Fastly url, and return the response to the original client. Basically, we follow the redirect in nginx. +## Disabled changelogs.ubuntu.com proxy. + +We also have a disabled config to allow proxying to changelogs.ubuntu.org. This +may need to be temporarily re-enabled if we need to use do-release-upgrade tool +in backends to enable major OS upgrades. + +To re-enable: + +1. Rename `changelogs.opensafely.org.conf.template.disabled` to `changelogs.opensafely.org.conf.template` +2. Uncomment any lines with changelogs in ci-test to reenable tests + + ## Building docker image To build
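Review bot: In PATCH 1/2, the rename of `changelogs.opensafely.org.conf.template` to `changelogs.opensafely.org.conf.template.disabled` only disables the proxy if the image build selects nginx configs by the `.conf.template` suffix, and nothing in this diff shows how the templates are picked up. Please confirm that the `.disabled` file is neither rendered nor included in the built image. The commit message also says the config was "left commented out", while the diff is a 100% similarity rename, so the wording should match what was done.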
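Review bot: In PATCH 1/2, `ci-tests.sh` hunk `@@ -43,7 +43,7 @@`, the commented-out `#curl_args+=(--connect-to changelogs.opensafely.org:80:127.0.0.1:8080)` line carries no explanation, so a later reader cannot tell whether it is dead code or a deliberate switch. Add a one-line comment above it saying it belongs to the disabled changelogs proxy and pointing at the README section on re-enabling, or delete the line and rely on git history plus the README.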
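Review bot: In PATCH 1/2, `ci-tests.sh` hunk `@@ -187,6 +187,7 @@`, commenting out `try changelogs.opensafely.org/meta-release-lts 200` leaves CI with no assertion about what the proxy now returns for that hostname, even though the motivation for the change is to stop serving it to crawlers. Consider keeping the `--connect-to` mapping for this host and changing the test to expect the status the proxy should return for a disabled domain, so an accidental re-enable fails CI. The new comment also needs a grammar fix: "we don't typically needed unless" should read "we don't typically need it unless".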
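Review bot: In PATCH 2/2, `README.md` hunk `@@ -4,7 +4,7 @@`, the new count in "host two proxy domains" does not agree with the rest of the README: the text went from four domains to one fewer, and the sentence edited in the next hunk still refers to "the last one" and "the first two", which implies three. Change "two" to "three", or adjust the later sentence if only two domains really remain.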
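Review bot: In PATCH 2/2, `README.md` hunk `@@ -16,10 +16,7 @@`, the rewritten sentence "Whilst the last one are very simple, the first two requires some shenagins" has subject and verb disagreement in both clauses and carries over a typo. Suggest "Whilst the last one is very simple, the first two require some shenanigans".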
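Review bot: In PATCH 2/2, `README.md` hunk `@@ -29,6 +26,18 @@`, the new section names the upstream inconsistently: the heading says `changelogs.ubuntu.com` while the body says `changelogs.ubuntu.org`. Use the hostname from the commit subject of PATCH 1/2 (`changelogs.ubuntu.com`) in both places. Step 2 refers to "ci-test", but the file changed in this series is `ci-tests.sh`, and the specific lines to uncomment are the `--connect-to changelogs.opensafely.org` argument and the `try changelogs.opensafely.org/meta-release-lts 200` test, so naming them would make the step unambiguous. Since the section describes the re-enable as temporary, add a final step for disabling the proxy again after the upgrade. Minor: drop the trailing period from the heading and the extra blank line before "## Building docker image".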