-
-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: setup to test folksonomy on Open Products Facts (#405)
Co-authored-by: Charles Nepote <[email protected]>
- Loading branch information
1 parent
fce1109
commit fed78e4
Showing
1 changed file
with
54 additions
and
0 deletions.
There are no files selected for viewing
54 changes: 54 additions & 0 deletions
54
docs/reports/2024-09-06-test-folksonomy-openproductsfacts.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| # 2024-09-06 test folksonomy Open Products Facts | ||
|
|
||
| As we have a test to deploy of Open Products Facts, we wanted to test the folksonomy functionality. | ||
|
|
||
| But it can't work as it is today because of authentication problems. | ||
|
|
||
| ## How it works | ||
|
|
||
| We use the session cookie to authenticate, and if we are using openproductsfacts.org, | ||
| the cookie is not the same as openfoodfacts.org (because cookies can't be shared between domains). | ||
|
|
||
| The best way to do it is to have folksonomy engine available on each domain: | ||
| * api.folksonomy.openfoodfacts.org | ||
| * api.folksonomy.openproductsfacts.org | ||
|
|
||
| Each of those authenticate to the corresponding world.<domain-name> domain, | ||
| so that each product opener site can call the corresponding folksonomy api, | ||
| which will in turn authenticate on the right website. | ||
|
|
||
|
|
||
| ## Amend Folksonomy API | ||
|
|
||
| I changed folksonomy API so that it deduces the server to which to authenticate | ||
| from the url it is called. | ||
|
|
||
| [See commit b6729d398](https://github.com/openfoodfacts/folksonomy_api/commit/b6729d3984e82005f6d3a04d96466c8a1f1959e3) | ||
|
|
||
| ## Make Folksonomy API available on each domain | ||
|
|
||
| I changed DNS Zones at OVH to have: | ||
| * new.openproductsfacts.org CNAME openproductsfacts.org | ||
| * *.new.openproductsfacts.org CNAME openproductsfacts.org | ||
| * api.folksonomy.new.openproductsfacts.org CNAME proxy1.openfoodfacts.org | ||
| * api.folksonomy.openproductsfacts.org CNAME proxy1.openfoodfacts.org | ||
|
|
||
| I modified ovh reverse proxy file for folksonomy api, to add | ||
| api.folksonomy.openproductsfacts.org and api.folksonomy.new.openproductsfacts.org | ||
| to server_name in both http and https sections. | ||
|
|
||
| I then `nginx -t` and `systemctl reload nginx`. | ||
|
|
||
| I then extend the certificate by running: | ||
| ```bash | ||
| certbot -d 'api.folksonomy.openfoodfacts.org' -d 'api.folksonomy.openproductsfacts.org' -d 'api.folksonomy.new.openproductsfacts.org' | ||
| ``` | ||
| This ask me if I want to extend the existing certificate, I say yes. | ||
|
|
||
| See [commit fce11096a](https://github.com/openfoodfacts/openfoodfacts-infrastructure/commit/fce11096a902314bd4696741a7fcdc5a858838fb) | ||
|
|
||
| ## Avoid basic auth | ||
|
|
||
| I still had a problem, because we put basic auth in front of `https://new.openproductsfacts.org` to avoid accidentally indexing it. | ||
| But this was preventing folksonomy service to use this auth api, as there was no way to add basic auth. | ||
| So I modified the new.openproductsfacts.org configuration on ovh reverse proxy to remove the basic auth for /cgi path… and it worked. |