
debops-wordpress's People

Contributors

carlalexander, lchski, orthographic-pedant, pzhuk, steffann, tobeycodes, ypid


debops-wordpress's Issues

Running multiple sites on the same server?

Is there any support for running multiple sites on the same Debops server? Would be a great feature for smaller sites that still want to leverage all of the niceties Debops for WP offers.

Change storage structure of WordPress secrets

After speaking with @drybjed yesterday, it seems that the wordpress role would also benefit from a change of structure for its secrets. WordPress secrets aren't tied to {{ ansible_fqdn }}, but to the WordPress installation. This will be a problem once we look at distributed architecture.

Instead, the storage format should be secret/wordpress/{{ wordpress_domain }}/credentials/{{ wordpress_user }}/password. This decouples the secret from {{ ansible_fqdn }} and ties it to the WordPress installation instead.

Improve multisite management

Writing the plugin management page made me realize that we don't handle site creation for multisite. There's no way to tell on which site a plugin can be activated because we don't manage them like we do plugins. We need to make some improvements there so that we can pre-create sites using DebOps and WP-CLI.

Improve the installation process

This is probably going to be a long-term discussion. The major hurdle comment so far has been around the installation process. It's a hurdle that I thought good documentation might overcome. Once done, I haven't heard of any issues getting the rest to work.

I think it might be a good idea in the long run to create an install script and remove that friction. Or maybe the solution is to create a cli tool on top of DebOps similar to EasyEngine. Maybe we can try to find a way to extend the DebOps cli instead.

Failed to template

I get this error when running debops -u root:

TASK: [debops.pki/env | Prepare debops.pki environment] ***********************
fatal: [dev.zackrothauser.com] => Failed to template {{ lookup("template", "lookup/pki_env_secret_directories.j2") | from_yaml }}: unable to read /Users/zrothauser/Library/Application Support/debops/debops-playbooks/roles/debops.pki/env/tasks/lookup/pki_env_secret_directories.j2

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
debops.core | Create root directories ---------------------------------- 19.15s
debops.core | Save local facts ------------------------------------------ 6.00s
debops.core | Install local fact scripts -------------------------------- 5.75s
debops.core | Update APT cache and install required packages ------------ 3.87s
debops.core | Read the host UUID ---------------------------------------- 1.34s
debops.core | Check IP address of current Ansible Controller ------------ 0.02s
debops.pki/env | Prepare debops.pki environment ------------------------- 0.02s
debops.core | Gather local facts if they changed ------------------------ 0.01s
           to retry, use: --limit @/Users/zrothauser/site.retry

dev.zackrothauser.com      : ok=8    changed=0    unreachable=1    failed=0

Allow completely separate WP installations

I tested the multisite thing and that is not bad, but it would also be nice to have the option for completely separate WordPress installations. With the wpcli that should be doable. Other things which need to be adjusted for this are the Varnish/Nginx setup. This is more a long term issue though.

Varnish doesn't restart

Ran into an issue where Varnish wouldn't restart at all. This was the error:

Running VCC-compiler failed, exited with 2

VCL compilation failed

The only mention of a similar issue was on Server Fault. This mentions that there was no space to compile the VCL. I couldn't confirm that this was the same issue here. Rebooting the server fixed the issue though.

Create a cookbook for rsnapshot backups

I used debops.rsnapshot recently. It's easy to set up and works out of the box. It's probably worth creating a cookbook to explain how to set it up, how to do restores, etc.

Setting up SSL

I need to install SSL on my server. And I am a little confused at the moment. So far what I have done is:

  1. Generated thewebsitedev.csr and thewebsitedev.key files.
  2. Bought and activated PositiveSSL certificate through Namecheap. I received the certificate (.crt) file.

As per the documentation I need to enter absolute path to the certificate.crt and certificate.key files. As far as I understand 'certificate.crt' is the file issued by the SSL certificate issuer (the .crt file that I received). And the certificate.key file is the file I created earlier (thewebsitedev.key). Is this correct?

So now,

  1. I need to create vars.yml file under debops-wordpress/inventory/host_vars/www.thewebsitedev.com/ with the below content (after replacing the file paths):

     wordpress_ssl: True
     wordpress_ssl_crt: '/absolute/path/to/certificate.crt'
     wordpress_ssl_key: '/absolute/path/to/certificate.key'

  2. Run debops -u root command.

Is this correct? Am I on the right path?

git push crashes php5-fpm

I have a bare repo on my server that I push to as a remote. In the post_receive hook, it copies the contents of the repo to the /var/www// folder.

Most of the time when doing this, I have to restart the php5-fpm service or I get a 500 series error when going to the site.

Here's the contents of my post-receive:

#!/bin/bash
echo "Copying site content to web root..."
git --work-tree=/var/www/example.com/ --git-dir=/var/repo checkout -f
cd /var/www/example.com/
composer update --no-dev
echo "Setting File Ownership"
chown www-data:www-data /var/www/example.com/* -R
echo "Clearing Varnish Cache..."
varnishadm "ban req.url ~ /"
echo "Deployment Complete"
echo "Restart PHP5-FPM"
service php5-fpm restart;
touch /var/www/example.com/index.php
echo "Done"

Restarting php5-fpm and touching the index.php were both attempts at fixing this problem - but neither has been reliable. I still have to SSH in and restart the service.

Installing extra dependencies

I'm finishing up my config for Rocketeer. I've written a custom task that'll automatically run the build process for gulp but this means the dependencies need to be installed on the server. Currently I've ssh'd into the server and installed this manually. How easy would it be for me to extend debops to run these commands during the installation process? I'm sure this is a pretty basic question, but I really don't know much about Ansible/DebOps.

  1. https://getcomposer.org/doc/00-intro.md#globally
  2. https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-an-ubuntu-14-04-server#how-to-install-using-nvm
  3. npm install -g gulp bower

I'm going to make sure this repo also has great documentation. You can have a look at how it's started to be put together here: https://github.com/schrapel/wordpress-deploy/wiki/Configuring-DebOps

Fails during TASK [debops.mariadb : Create databases]

I get this error running debops wordpress -u root:

TASK [debops.mariadb : Create databases] ***************************************
fatal: [dev.zackrothauser.com]: UNREACHABLE! => {"changed": false, "msg": "All items completed", "results": [{"item": {"name": "wordpress"}, "msg": "SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue", "unreachable": true}]}

and with the -vvvv option:

TASK [debops.mariadb : Create databases] ***************************************
task path: /Users/zrothauser/Library/Application Support/debops/debops-playbooks/roles/debops.mariadb/tasks/manage_contents.yml:12
<ubuntu-zack-rothauser> ESTABLISH SSH CONNECTION FOR USER: None
<ubuntu-zack-rothauser> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/Users/zrothauser/.ansible/cp/ansible-ssh-%h-%p-%r -tt ubuntu-zack-rothauser '/bin/sh -c '"'"'( umask 22 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1459703888.71-49233069928093 `" && echo "` echo $HOME/.ansible/tmp/ansible-tmp-1459703888.71-49233069928093 `" )'"'"''
fatal: [dev.zackrothauser.com]: UNREACHABLE! => {"changed": false, "msg": "All items completed", "results": [{"item": {"name": "wordpress"}, "msg": "SSH encountered an unknown error. The output was:\nOpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011\ndebug1: Reading configuration data /etc/ssh_config\r\ndebug1: /etc/ssh_config line 20: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/Users/zrothauser/.ansible/cp/ansible-ssh-ubuntu-zack-rothauser-22-zrothauser\" does not exist\r\ndebug2: ssh_connect: needpriv 0\r\ndebug1: Connecting to ubuntu-zack-rothauser [198.105.244.228] port 22.\r\ndebug2: fd 5 setting O_NONBLOCK\r\ndebug1: connect to address 198.105.244.228 port 22: Operation timed out\r\ndebug1: Connecting to ubuntu-zack-rothauser [198.105.254.228] port 22.\r\ndebug2: fd 5 setting O_NONBLOCK\r\ndebug1: connect to address 198.105.254.228 port 22: Operation timed out\r\nssh: connect to host ubuntu-zack-rothauser port 22: Operation timed out\r\n", "unreachable": true}]}
    to retry, use: --limit @/Users/zrothauser/debops-wordpress/playbooks/wordpress.retry

Default config breaks web fonts in Safari

Steps to reproduce:

  • Set up the project as per normal;
  • Visit the WP site running Twenty Sixteen in Safari.

As you’ll see, most of the text doesn’t render at all. This affects the admin area, too.

If you open the web inspector, you’ll see that there are still requests running. Clicking the “stop” button ends these requests, and causes the fonts to load.

Not sure what this is about, but I think it has something to do with Varnish; when I ran the project without the Varnish components, it worked fine.

Support multisite

Supporting multisite will probably be a bit more challenging. Will have to test the interaction with the varnish proxy host and other factors.

Add cookbook

It'd be good to add some recipes for some known situations:

  • Overriding the default WordPress configuration
  • Creating another sudoer user and locking down root
  • Creating an FTP user
  • Migrating an existing site

Suggested Improvement: Add cURL support to php

Although WordPress doesn't recommend calling cURL directly, and using wp_remote_get instead, there are some plugins and libraries that make use of the native PHP functions, which require the extension.

sudo apt-get install php5-curl

Support Bedrock

Supporting bedrock should just be a question of adding additional roles and creating a bedrock.yml playbook.

Blank screen

There's a few situations that seem to cause blank pages from WordPress. It doesn't seem like the request wasn't received. Instead, it seems like there's no HTML sent. Or maybe it's a redirect response that doesn't make it to the browser.

Investigate blank screen for:

  • Installing a new plugin from the admin
  • Importing XML
  • Core update

connection to hhvm.sock failed

After installing a fresh debops-wordpress on a DigitalOcean droplet, my error log is getting filled with the following error message.
The site works in general, but sometimes some pages don't render completely; especially during installation of plugins, the page stops with a white screen.

2015/09/30 17:29:30 [crit] 1473#0: *55947 connect() to unix:/var/run/hhvm/hhvm.sock failed (2: No such file or directory) while connecting to upstream, client: 127.0.0.1, server: example.com, request: "HEAD / HTTP/1.1", upstream: "fastcgi://unix:/var/run/hhvm/hhvm.sock:", host: "example.com"

Mimicked Vagrant Setup

Is there an easy way to mimic this setup with Vagrant when developing locally? And how do you currently deploy the db/files from local to staging/production?

Allow for configurable WordPress ownership

By default, DebOps configures WordPress around the nginx user www-data. This isn't ideal at all. The HHVM and php-fpm pool that WordPress uses should be configured around a different user.

Create a cookbook for system updates

Doing system updates isn't mandatory per se. We already handle automatic security updates by default. That said, it might be nice to do a small cookbook for anyone who wants to do system updates.

In practice, it's just running apt-get upgrade and then rebooting the server. But maybe we could have a few small precautions, explain that you can power off the machine and take a snapshot with Digital Ocean for example.

Rocketeer SSH

When I try to connect to the server via Rocketeer I get the following error. If I try to connect via SSH it works fine. If I try to connect via Rocketeer before installing debops-wordpress it connects fine (albeit tells me a lot of dependencies like php, composer, etc are not installed). I know there ideally should be a deploy user to handle this but there has to be some variable/setting changed during the installation process that stops Rocketeer connecting.

PHP Notice:  No compatible key exchange algorithms found in /Users/tobyschrapel/.composer/vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php on line 1359

Notice: No compatible key exchange algorithms found in /Users/tobyschrapel/.composer/vendor/phpseclib/phpseclib/phpseclib/Net/SSH2.php on line 1359

  [Rocketeer\Exceptions\ConnectionException]                                                                                                       
  Unable to connect to remote server.                                                                                                              
  With credentials:                                                                                                                                

On a side note I've created a task to push/pull the db and uploads folder via rocketeer that looks ready to go.

WordPress Setup

Would you accept a pull request for a wordpress_setup flag that defaults to true?

When it is false it will not install wp-cli, download core, setup the config or install wordpress?

I always go into the var/www/ and rm -rf in the directory before I deploy my git repository anyway.

Or is there a better way to go about it?

Error 503 Backend fetch failed

This is a weird issue I found. I just deployed a successful WordPress installation, but I had to import my database backup, so I deleted the old database. When I deleted the old database, the website was gone and it shows an error everywhere.

The error is :

Error 503 Backend fetch failed

Backend fetch failed

Guru Meditation:

XID: 51

Varnish cache server

Failed to upload PKI snapshot to Ansible Controller

I got this error - FAILED! => {"changed": false, "failed": true, "msg": "file not found: /var/backups/pki-snapshot-debops-wordpress.tar"} when I ran the common DebOps playbook. Is this fine? We don't have WordPress yet so I guess that is the reason? Just confirming before I move ahead.

My play recap is ok=37 changed=20 unreachable=0 failed=1.

RuntimeError: autoconf error

Hello,

I am getting the below error on step 2 of installation (Install Ansible and DebOps).

File "/private/tmp/pip-build-gCpPLJ/pycrypto/setup.py", line 278, in run raise RuntimeError("autoconf error")

Command "/usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/pip-build-gCpPLJ/pycrypto/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-TA6WBT-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /private/tmp/pip-build-gCpPLJ/pycrypto

What can be the issue?

skipping: no hosts matched

Hi Carl

I've set up several of your configurations before, with your generous help, but it's not working today. I'm getting multiple "skipping: no hosts matched" messages.

I've tried it on 2 different Macs (1 which has never had debops on it) and a fresh DigitalOcean droplet (Ubuntu 14.04) to see whether it's a Mac thing. Always get the same problem - below is the output from the DO U14.04 version.

Many thanks
Mike

root@debops:~/debops-wordpress# debops -u root
Running Ansible playbook from:
/root/.local/share/debops/debops-playbooks/playbooks/site.yml ...

PLAY [Prepare core environment] ***********************************************
skipping: no hosts matched

PLAY [Common configuration for all hosts] *************************************
skipping: no hosts matched

PLAY [Configure swap files] ***************************************************
skipping: no hosts matched

PLAY [Manage users with git-shell accounts] ***********************************
skipping: no hosts matched

PLAY [Manage users with SFTPonly accounts] ************************************
skipping: no hosts matched

PLAY [Manage OpenLDAP service] ************************************************
skipping: no hosts matched

PLAY [Configure Logical Volume Manager] ***************************************
skipping: no hosts matched

PLAY [Configure iSCSI Initiator] **********************************************
skipping: no hosts matched

PLAY [Configure encrypted filesystems] ****************************************
skipping: no hosts matched

PLAY [Manage NFS service] *****************************************************
skipping: no hosts matched

PLAY [Manage NodeJS environment] **********************************************
skipping: no hosts matched

PLAY [Manage Ruby environment] ************************************************
skipping: no hosts matched

PLAY [Manage Go environment] **************************************************
skipping: no hosts matched

PLAY [Manage Java environment] ************************************************
skipping: no hosts matched

PLAY [Manage PHP5 environment] ************************************************
skipping: no hosts matched

PLAY [Manage fcgiwrap instances] **********************************************
skipping: no hosts matched

PLAY [Configure internal networks] ********************************************
skipping: no hosts matched

PLAY [Configure Router Advertisement Daemon] **********************************
skipping: no hosts matched

PLAY [Manage ISC DHCP server] *************************************************
skipping: no hosts matched

PLAY [Configure dnsmasq] ******************************************************
skipping: no hosts matched

PLAY [Configure tinc VPN] *****************************************************
skipping: no hosts matched

PLAY [Configure stunnel] ******************************************************
skipping: no hosts matched

PLAY [Manage docker-gen service] **********************************************
skipping: no hosts matched

PLAY [Manage nginx service] ***************************************************
skipping: no hosts matched

PLAY [Manage SNMP service] ****************************************************
skipping: no hosts matched

PLAY [Manage Monit service] ***************************************************
skipping: no hosts matched

PLAY [Manage Dovecot service] *************************************************
skipping: no hosts matched

PLAY [Manage TFTP service] ****************************************************
skipping: no hosts matched

PLAY [Manage Samba service] ***************************************************
skipping: no hosts matched

PLAY [Manage iSCSI Target service] ********************************************
skipping: no hosts matched

PLAY [Manage MariaDB server] **************************************************
skipping: no hosts matched

PLAY [Manage MariaDB client] **************************************************
skipping: no hosts matched

PLAY [Manage MySQL server] ****************************************************
skipping: no hosts matched

PLAY [Manage PostgreSQL server] ***********************************************
skipping: no hosts matched

PLAY [Manage PostgreSQL client] ***********************************************
skipping: no hosts matched

PLAY [Manage Elasticsearch server] ********************************************
skipping: no hosts matched

PLAY [Manage memcached server] ************************************************
skipping: no hosts matched

PLAY [Manage Redis server] ****************************************************
skipping: no hosts matched

PLAY [Manage Redis sentinel server] *******************************************
skipping: no hosts matched

PLAY [Manage reprepro repositories] *******************************************
skipping: no hosts matched

PLAY [Manage SMS gateway] *****************************************************
skipping: no hosts matched

PLAY [Manage Salt master service] *********************************************
skipping: no hosts matched

PLAY [Manage fail2ban service] ************************************************
skipping: no hosts matched

PLAY [Manage SKS Keyserver] ***************************************************
skipping: no hosts matched

PLAY [Manage iPXE configuration files] ****************************************
skipping: no hosts matched

PLAY [Manage BoxBackup service] ***********************************************
skipping: no hosts matched

PLAY [Manage rsnapshot service] ***********************************************
skipping: no hosts matched

PLAY [Manage Mailman service] *************************************************
skipping: no hosts matched

PLAY [Manage LibreNMS] ********************************************************
skipping: no hosts matched

PLAY [Manage DokuWiki] ********************************************************
skipping: no hosts matched

PLAY [Manage Etherpad service] ************************************************
skipping: no hosts matched

PLAY [Manage Preseed server] **************************************************
skipping: no hosts matched

PLAY [Manage ownCloud service] ************************************************
skipping: no hosts matched

PLAY [Manage phpIPAM service] *************************************************
skipping: no hosts matched

PLAY [Manage RStudio Server] **************************************************
skipping: no hosts matched

PLAY [Manage GitLab service] **************************************************
skipping: no hosts matched

PLAY [Manage GitLab CI service] ***********************************************
skipping: no hosts matched

PLAY [Manage GitLab CI Runner service] ****************************************
skipping: no hosts matched

PLAY [Install DebOps recursively] *********************************************
skipping: no hosts matched

PLAY [Manage LXC hosts] *******************************************************
skipping: no hosts matched

PLAY [Manage Docker service] **************************************************
skipping: no hosts matched

PLAY [Manage libvirt servers] *************************************************
skipping: no hosts matched

PLAY [Manage libvirt hosts] ***************************************************
skipping: no hosts matched

PLAY [Manage OpenVZ Hardware Nodes] *******************************************
skipping: no hosts matched

PLAY [Configure HWRaid support] ***********************************************
skipping: no hosts matched

PLAY [Configure GRUB] *********************************************************
skipping: no hosts matched

PLAY RECAP ********************************************************************

root@debops:~/debops-wordpress#

Support SSL

The initial work to support SSL connections is there (nginx proxy vhost). Dynamically creating the vhost is more work than it should be. Will work to see how to do this better with debops.nginx.

Look into default MariaDB server options

It might be worth the time to investigate the default options for MariaDB. Is there anything we can do to have some better defaults?

The debops.mariadb_server options are pretty barebone as well. We might be able to push some of these upstream too. I'll start by running MySQLTuner and see what it says.

debops.fail2ban fails

When running debops wordpress -u root I get this error message.

TASK [debops.fail2ban : Configure custom fail2ban actions] *********************
fatal: [test.tobyschrapel.com]: FAILED! => {"failed": true, "msg": "lookup plugin (template_src) not found"}

If I set wordpress_fail2ban_enabled: False it obviously works fine

Remove swap from repo.

Drop the current swap role. There are better roles out there. You can even include them in this git repo via submodules.

After a quick review of the roles on Galaxy, tersmitten.swapfile looks the most promising.

TASK [debops.pki : Initialize PKI authorities] *********************************

I get this error after sending the command debops in the terminal.

TASK [debops.pki : Initialize PKI authorities] *********************************
failed: [46.101.101.63 -> localhost] => (item={u'subdomain': u'root-ca', u'name': u'root', u'subject': [u'o=Ubuntu-worddebo-fra1-01 Certificate Authority']}) => {"changed": true, "cmd": ["./lib/pki-authority", "init", "--name", "root", "--default-sign-base", "365", "--root-sign-multiplier", "12", "--ca-sign-multiplier", "10", "--cert-sign-multiplier", "3"], "delta": "0:00:00.134644", "end": "2016-02-29 15:31:38.885341", "failed": true, "item": {"name": "root", "subdomain": "root-ca", "subject": ["o=Ubuntu-worddebo-fra1-01 Certificate Authority"]}, "rc": 2, "start": "2016-02-29 15:31:38.750697", "stderr": "./lib/pki-authority: line 77: declare: -g: invalid option\ndeclare: usage: declare [-afFirtx] [-p] [name[=value] ...]", "stdout": "", "stdout_lines": [], "warnings": []}
failed: [46.101.101.63 -> localhost] => (item={u'subdomain': u'domain-ca', u'name': u'domain', u'issuer_name': u'root', u'subject': [u'o=Ubuntu-worddebo-fra1-01', u'ou=Domain CA']}) => {"changed": true, "cmd": ["./lib/pki-authority", "init", "--name", "domain", "--default-sign-base", "365", "--root-sign-multiplier", "12", "--ca-sign-multiplier", "10", "--cert-sign-multiplier", "3"], "delta": "0:00:00.015934", "end": "2016-02-29 15:31:39.063942", "failed": true, "item": {"issuer_name": "root", "name": "domain", "subdomain": "domain-ca", "subject": ["o=Ubuntu-worddebo-fra1-01", "ou=Domain CA"]}, "rc": 2, "start": "2016-02-29 15:31:39.048008", "stderr": "./lib/pki-authority: line 77: declare: -g: invalid option\ndeclare: usage: declare [-afFirtx] [-p] [name[=value] ...]", "stdout": "", "stdout_lines": [], "warnings": []}
skipping: [46.101.101.63] => (item={u'type': u'service', u'subdomain': u'service-ca', u'enabled': False, u'name': u'service', u'subject': [u'o=Ubuntu-worddebo-fra1-01', u'ou=Internal Services CA']})

Varnish backend probe broken with SSL

Documenting an issue found by @outerbridge. He updated to WordPress 4.4.1 and Varnish stopped working for all his sites using SSL. After looking into the logs and some troubleshooting, I found that the issue was that WordPress was now returning 301s from the backend probes. Varnish assumed the backend was sick because of it.

Further troubleshooting made me realize that the probe wasn't sending the X-Forwarded-Proto: https header. This means that WordPress would try to redirect the request since the vhost wouldn't flag the request as HTTPS.

We can fix this by adding the header in the probe request as such:

    .request =
      "HEAD / HTTP/1.1"
      "X-Forwarded-Proto: https"
      "Host: {{ varnish_backend_probe_host }}"
      "Connection: close";

Why this worked before is beyond me. It shouldn't have worked and it still works for some sites because mine doesn't have any issues. That said, we need to change the varnish role so that we can add extra headers to the probe like this one when needed.
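
The probe failure described in this issue can be reproduced offline. The following is an added example, not code from the debops-wordpress project: a constructed stand-in backend redirects any request not flagged with X-Forwarded-Proto: https, and each probe request is scored with Varnish's default window of 8 and threshold of 3. The host name example.com, the "before" probe (the probe above minus the new header) and all function names are assumptions.

```python
import http.server
import socket
import threading

PROBE_HOST = "example.com"  # constructed; stands in for {{ varnish_backend_probe_host }}

# Probe requests, one string per line as in the VCL .request block.
# Assumption: the "before" probe is the page's probe minus the new header.
PROBE_WITHOUT_PROTO = ["HEAD / HTTP/1.1", "Host: " + PROBE_HOST, "Connection: close"]
PROBE_WITH_PROTO = [
    "HEAD / HTTP/1.1",
    "X-Forwarded-Proto: https",
    "Host: " + PROBE_HOST,
    "Connection: close",
]


class HttpsOnlyBackend(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the WordPress vhost behind the TLS proxy."""

    protocol_version = "HTTP/1.1"

    def do_HEAD(self):
        if self.headers.get("X-Forwarded-Proto", "").lower() == "https":
            self.send_response(200)
        else:
            # Request not flagged as HTTPS: redirect, as WordPress did in the issue.
            host = self.headers.get("Host", PROBE_HOST)
            self.send_response(301)
            self.send_header("Location", "https://" + host + self.path)
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def start_backend():
    """Serve HttpsOnlyBackend on a free loopback port in a daemon thread."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), HttpsOnlyBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def build_request(lines):
    """Join the request strings with CRLF and end the header block."""
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def probe_status(addr, request_lines, timeout=2.0):
    """Send one probe and return the HTTP status code, or None if unparsable."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(build_request(request_lines))
        data = b""
        while b"\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    parts = data.split(b"\r\n", 1)[0].split()
    return int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None


def backend_health(addr, request_lines, window=8, threshold=3, expected=200):
    """Score `window` probes; healthy when at least `threshold` return `expected`."""
    statuses = []
    for _ in range(window):
        try:
            statuses.append(probe_status(addr, request_lines))
        except OSError:
            statuses.append(None)  # connection errors and timeouts are bad probes
    good = sum(1 for status in statuses if status == expected)
    return {"statuses": statuses, "good": good, "healthy": good >= threshold}


def run_demo():
    """Return (health without the header, health with the header)."""
    server = start_backend()
    try:
        addr = server.server_address
        return (backend_health(addr, PROBE_WITHOUT_PROTO),
                backend_health(addr, PROBE_WITH_PROTO))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    before, after = run_demo()
    print("without X-Forwarded-Proto:", before)
    print("with X-Forwarded-Proto:   ", after)
```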
