Subject: Per-Entity Metadata Working Group

Re: [Per-Entity] UKf MDQ server


  • From: Nicholas Roy <>
  • To: Rhys Smith <>
  • Cc: "" <>
  • Subject: Re: [Per-Entity] UKf MDQ server
  • Date: Fri, 28 Oct 2016 08:08:57 -0600

Thanks Rhys, makes sense.

Nick

On 10/28/16 6:12 AM, Rhys Smith wrote:
This is a temporary work around until Azure adds native v6 support. When it
does, we can get rid of it.

The v6 proxies are a redundant pair of VMs, so yes, they are introducing an
extra point of failure, but it’s been designed so it’s a fairly low risk of
failing. The two VMs are geographically resilient, and all they are is apache
servers proxying requests to the v4 servers, so there’s not much to go wrong
at the application level.

For us, not supporting v6 was not an option - we’ve had v6 support on our MD
dist servers for many years now, and didn’t want to make refreshing the
infrastructure introduce retrograde steps.

Rhys.
--
Dr Rhys Smith
Chief Technical Architect, Trust & Identity
Jisc

T: +44 (0) 1235 822145
M: +44 (0) 7968 087821
Skype: rhys-smith
GPG: 0x4638C985
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.

On 27 Oct 2016, at 22:37, Nicholas Roy
<>
wrote:

Is the addition of in-house infrastructure that proxies v6 introducing an
additional point of failure? Do you think the risk is worth supporting v6
right now?

Thanks,

Nick

On 10/27/16 12:55 PM, Tom Scavo wrote:
On Thu, Oct 27, 2016 at 12:22 PM, Rhys Smith
<>
wrote:
What’s weird is that the first two worked at all… Unless your client decided
to do v4 for those queries for some reason. If it did work over v6, I have
*no* idea how!
After you made the patch, I can confirm that all three use IPv6.
However, I don't have verbose output that pre-dates your patch, sorry.

Tom

On 27 Oct 2016, at 13:37, Tom Scavo
<>
wrote:

On Thu, Oct 27, 2016 at 8:25 AM, Rhys Smith
<>
wrote:
Should be fixed…
Yup, works great.

Thanks,

Tom

On 27 Oct 2016, at 13:04, Rhys Smith
<>
wrote:

Oh bo*****s. Yes, sorry, that’s v6 at play. The UKf infrastructure is v4 only
hosted in azure, with a set of v6 proxies hosted on our own infrastructure
that proxies to the v4 for the MD dist and CDS. I set up the MDQ stuff on the
servers themselves, and forgot to update the v6 proxy config accordingly.

Thanks for pointing this out :-). I’ll fix that later so v6 works as well.

Rhys.

On 27 Oct 2016, at 12:47, Tom Scavo
<>
wrote:

On Thu, Oct 27, 2016 at 2:09 AM, Rhys Smith
<>
wrote:
On 27 Oct 2016, at 01:28, Tom Scavo
<>
wrote:

On Wed, Oct 26, 2016 at 5:11 PM, Rhys Smith
<>
wrote:
On 26 Oct 2016, at 22:04, Rhys Smith
<>
wrote:

UKf Test IdP: curl --compress http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
UKf Test IdP (SHA1 query): curl --compress http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D9bbc0354ea6f33ee008fcbe3c7680c0460e9cd1b
Sorry, that second one should be: curl --compress http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D52e2065fc0d53744e8d4ee2c2f30696ebfc5def9
The latter two URLs work fine, the first one does not.
Does not in what way? Seems to work for me.
That's weird, I get 404 not found:

$ curl --version
curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport
zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz UnixSockets

$ curl --verbose --compress http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
* Trying 2001:630:1:174::83...
* Trying 52.169.160.61...
* Connected to mdq.ukfederation.org.uk (2001:630:1:174::83) port 80 (#0)
GET /entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth HTTP/1.1
Host: mdq.ukfederation.org.uk
User-Agent: curl/7.43.0
Accept: */*
Accept-Encoding: deflate, gzip

< HTTP/1.1 404 Not Found
< Date: Thu, 27 Oct 2016 11:43:49 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
< Content-Length: 258
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL
/entities/https://test-idp.ukfederation.org.uk/idp/shibboleth was not
found on this server.</p>
</body></html>
* Connection #0 to host mdq.ukfederation.org.uk left intact
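
Added example, not part of the original thread or of any UKf tooling: a check that requests the same MDQ paths over IPv4 and IPv6 separately and reports where the two front ends disagree, which is the drift between the v4 servers and the v6 proxies that this thread uncovered. The function names are hypothetical; it assumes plain HTTP on port 80 as in the curl commands above, and builds the `{sha1}` identifier as the SHA-1 hex digest of the entityID.

```python
import hashlib
import http.client
import socket
from urllib.parse import quote

MDQ_HOST = "mdq.ukfederation.org.uk"  # host taken from the thread
ENTITY_ID = "https://test-idp.ukfederation.org.uk/idp/shibboleth"  # from the thread


def mdq_paths(entity_id):
    """Return both MDQ request paths for an entityID: percent-encoded and {sha1}."""
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return [
        "/entities/" + quote(entity_id, safe=""),  # '/' and ':' must stay encoded
        "/entities/" + quote("{sha1}" + digest, safe=""),
    ]


def fetch_status(host, path, family, timeout=10):
    """GET path from host over one address family; return the HTTP status or None."""
    try:
        addr = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)[0][4][0]
        conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None  # no address of this family, or the request failed


def family_mismatches(host, paths, fetch=fetch_status):
    """List (path, v4_status, v6_status) for paths where the families disagree."""
    out = []
    for path in paths:
        v4 = fetch(host, path, socket.AF_INET)
        v6 = fetch(host, path, socket.AF_INET6)
        if v4 != v6:
            out.append((path, v4, v6))
    return out


if __name__ == "__main__":
    for path, v4, v6 in family_mismatches(MDQ_HOST, mdq_paths(ENTITY_ID)):
        print(f"MISMATCH {path}: IPv4={v4} IPv6={v6}")
```

Run on a schedule from a dual-stacked host, an empty result means both address families serve the same answers; a client with only one family, like the one in the thread, cannot see the difference on its own.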