per-entity - Re: [Per-Entity] UKf MDQ server
Subject: Per-Entity Metadata Working Group
List archive
- From: Rhys Smith <>
- To: Nicholas Roy <>
- Subject: Re: [Per-Entity] UKf MDQ server
- Date: Fri, 28 Oct 2016 12:12:24 +0000
This is a temporary workaround until Azure adds native v6 support. When it
does, we can get rid of it.
The v6 proxies are a redundant pair of VMs, so yes, they are introducing an
extra point of failure, but it’s been designed so it’s a fairly low risk of
failing. The two VMs are geographically resilient, and all they are is apache
servers proxying requests to the v4 servers, so there’s not much to go wrong
at the application level.
For us, not supporting v6 was not an option - we’ve had v6 support on our MD
dist servers for many years now, and didn’t want to make refreshing the
infrastructure introduce retrograde steps.
Rhys.
--
Dr Rhys Smith
Chief Technical Architect, Trust & Identity
Jisc
T: +44 (0) 1235 822145
M: +44 (0) 7968 087821
Skype: rhys-smith
GPG: 0x4638C985
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.
> On 27 Oct 2016, at 22:37, Nicholas Roy
> <>
> wrote:
>
> Is the addition of in-house infrastructure that proxies v6 introducing an
> additional point of failure? Do you think the risk is worth supporting v6
> right now?
>
> Thanks,
>
> Nick
>
> On 10/27/16 12:55 PM, Tom Scavo wrote:
>> On Thu, Oct 27, 2016 at 12:22 PM, Rhys Smith
>> <>
>> wrote:
>>> What’s weird is that the first two worked at all… Unless your client
>>> decided to do v4 for those queries for some reason. If it did work over
>>> v6, I have *no* idea how!
>> After you made the patch, I can confirm that all three use IPv6.
>> However, I don't have verbose output that pre-dates your patch, sorry.
>>
>> Tom
>>
>>>> On 27 Oct 2016, at 13:37, Tom Scavo
>>>> <>
>>>> wrote:
>>>>
>>>> On Thu, Oct 27, 2016 at 8:25 AM, Rhys Smith
>>>> <>
>>>> wrote:
>>>>> Should be fixed…
>>>> Yup, works great.
>>>>
>>>> Thanks,
>>>>
>>>> Tom
>>>>
>>>>>> On 27 Oct 2016, at 13:04, Rhys Smith
>>>>>> <>
>>>>>> wrote:
>>>>>>
>>>>>> Oh bo*****s. Yes, sorry, that’s v6 at play. The UKf infrastructure is
>>>>>> v4 only hosted in Azure, with a set of v6 proxies hosted on our own
>>>>>> infrastructure that proxies to the v4 for the MD dist and CDS. I set
>>>>>> up the MDQ stuff on the servers themselves, and forgot to update the
>>>>>> v6 proxy config accordingly.
>>>>>>
>>>>>> Thanks for pointing this out :-). I’ll fix that later so v6 works as
>>>>>> well.
>>>>>>
>>>>>> Rhys.
>>>>>> --
>>>>>> Dr Rhys Smith
>>>>>> Chief Technical Architect, Trust & Identity
>>>>>> Jisc
>>>>>>
>>>>>> T: +44 (0) 1235 822145
>>>>>> M: +44 (0) 7968 087821
>>>>>> Skype: rhys-smith
>>>>>> GPG: 0x4638C985
>>>>>> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
>>>>>>
>>>>>> jisc.ac.uk
>>>>>>
>>>>>> Jisc is a registered charity (number 1149740) and a company limited by
>>>>>> guarantee which is registered in England under Company No. 5747339,
>>>>>> VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark,
>>>>>> Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>>>>>
>>>>>>> On 27 Oct 2016, at 12:47, Tom Scavo
>>>>>>> <>
>>>>>>> wrote:
>>>>>>>
>>>>>>> On Thu, Oct 27, 2016 at 2:09 AM, Rhys Smith
>>>>>>> <>
>>>>>>> wrote:
>>>>>>>>> On 27 Oct 2016, at 01:28, Tom Scavo
>>>>>>>>> <>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> On Wed, Oct 26, 2016 at 5:11 PM, Rhys Smith
>>>>>>>>> <>
>>>>>>>>> wrote:
>>>>>>>>>>> On 26 Oct 2016, at 22:04, Rhys Smith
>>>>>>>>>>> <>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> UKf Test IdP: curl --compress
>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>> UKf Test IdP (SHA1 query): curl --compress
>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D9bbc0354ea6f33ee008fcbe3c7680c0460e9cd1b
>>>>>>>>>> Sorry, that second one should be: curl --compress
>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D52e2065fc0d53744e8d4ee2c2f30696ebfc5def9
>>>>>>>>> The latter two URLs work fine, the first one does not.
>>>>>>>> Does not in what way? Seems to work for me.
>>>>>>> That's weird, I get 404 not found:
>>>>>>>
>>>>>>> $ curl --version
>>>>>>> curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport
>>>>>>> zlib/1.2.5
>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
>>>>>>> pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>> Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
>>>>>>> NTLM_WB SSL libz UnixSockets
>>>>>>>
>>>>>>> $ curl --verbose --compress
>>>>>>> http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>> * Trying 2001:630:1:174::83...
>>>>>>> * Trying 52.169.160.61...
>>>>>>> * Connected to mdq.ukfederation.org.uk (2001:630:1:174::83) port 80
>>>>>>> (#0)
>>>>>>>> GET
>>>>>>>> /entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>> HTTP/1.1
>>>>>>>> Host: mdq.ukfederation.org.uk
>>>>>>>> User-Agent: curl/7.43.0
>>>>>>>> Accept: */*
>>>>>>>> Accept-Encoding: deflate, gzip
>>>>>>>>
>>>>>>> < HTTP/1.1 404 Not Found
>>>>>>> < Date: Thu, 27 Oct 2016 11:43:49 GMT
>>>>>>> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
>>>>>>> < Content-Length: 258
>>>>>>> < Content-Type: text/html; charset=iso-8859-1
>>>>>>> <
>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>> <html><head>
>>>>>>> <title>404 Not Found</title>
>>>>>>> </head><body>
>>>>>>> <h1>Not Found</h1>
>>>>>>> <p>The requested URL
>>>>>>> /entities/https://test-idp.ukfederation.org.uk/idp/shibboleth was not
>>>>>>> found on this server.</p>
>>>>>>> </body></html>
>>>>>>> * Connection #0 to host mdq.ukfederation.org.uk left intact
>
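The thread's failure was only visible to clients that happened to connect over IPv6, so a per-address check is the useful regression test for a dual-stack MDQ front end. The following is an added example, not part of the original messages or of the UKf tooling: it requests the same MDQ path from every A and AAAA address of a host and reports whether the answers disagree. The helper names are hypothetical, and plain HTTP on port 80 is assumed, as in the quoted curl commands.

```python
import http.client
import socket
import sys
from urllib.parse import quote

def mdq_path(entity_id):
    """Percent-encode the whole entityID, slashes included, as in the thread's URLs."""
    return "/entities/" + quote(entity_id, safe="")

def addresses(host, port=80):
    """Every distinct A and AAAA address the name resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos
                   if info[0] in (socket.AF_INET, socket.AF_INET6)})

def probe(ip, host, path, port=80, timeout=10):
    """GET path from one specific address, keeping the real Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return "error: %s" % exc
    finally:
        conn.close()

def group_by_status(results):
    """Map each observed status to the sorted list of addresses that returned it."""
    groups = {}
    for ip, status in results.items():
        groups.setdefault(status, []).append(ip)
    return {status: sorted(ips) for status, ips in groups.items()}

def diverges(results):
    """True when the front ends disagree, e.g. a proxy missing a route."""
    return len(group_by_status(results)) > 1

if __name__ == "__main__":
    # Usage: script.py <mdq-host> <entityID>
    host, entity_id = sys.argv[1], sys.argv[2]
    path = mdq_path(entity_id)
    results = {ip: probe(ip, host, path) for ip in addresses(host)}
    for status, ips in group_by_status(results).items():
        print(status, ", ".join(ips))
    sys.exit(1 if diverges(results) else 0)
```

A non-zero exit status means at least one address returned a different result from the others, which is the condition the v6 proxy produced before its configuration was updated.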