Page MenuHomePhabricator
Create Task
Maniphest T111967

Preload HSTS for select hostnames within wikimedia.org
Closed, DeclinedPublic
Actions

Description

At this point we're probably going to go ahead and pre-load a few inidividual hostnames in wikimedia.org that are more-critical while the longer process plays out for the rest of it. We can't touch donate due to ongoing issues to resolve there. My short-list to get the most-important ones locked down would be just these:

meta - This gets hit a ton during browser access to other wikis, for things like banner campaigns, gadgets, etc
login - To protect CentralAutoLogin -related hits here
commons - Because it's a major wiki and again indirectly referenced a lot
payments - Doesn't even have an HTTP listener on port 80 and fairly critical

The first three all have .m. variants in DNS, although login.m doesn't seem to get real traffic in practice? Could just remove that one instead of pointlessly preloading it if so.

We'll need to address the bad www subdomains in meta and commons first as well ( T102826 )

Related Objects
Search...

Event Timeline

BBlack created this task.Sep 9 2015, 4:08 PM
BBlack claimed this task.
BBlack raised the priority of this task from to Medium.
BBlack updated the task description. (Show Details)
BBlack added projects: HTTPS, Traffic, acl*sre-team.
BBlack added a subtask: T102826: Fix/decom multiple-subdomain wikis in wikimedia.org.
BBlack added subscribers: Tbayer, MZMcBride, fgiunchedi and 8 others.
Krenair subscribed.Sep 9 2015, 4:09 PM
BBlack added a comment.Sep 9 2015, 8:09 PM

I've watched one mobile cache for hours now, and the only single request to login.m.wikimedia.org was a GET / from bingbot. Makes me wonder where they got the hostname from a little, but I think it's safe to say nothing's really using that hostname. Should probably confirm whether there were future plans there and then kill it, making the explicit set of hostnames for the preload list:

meta.wikimedia.org
meta.m.wikimedia.org
commons.wikimedia.org
commons.m.wikimedia.org
login.wikimedia.org
payments.wikimedia.org

Or in terms of varnish regex for the header: ^((meta|commons)(\.m)?)|login|payments)\.wikimedia.org$

BBlack removed a subtask: T102826: Fix/decom multiple-subdomain wikis in wikimedia.org.Sep 10 2015, 8:13 PM

Removed the subdomain blocker - it's not complete as a whole yet, but the parts that blocked this task are.

Dzahn mentioned this in T123431: Investigate if login.m.wikimedia.org needs to stay around.Jan 12 2016, 10:36 PM
Dzahn subscribed.Mar 28 2016, 6:25 PM

login.m.wikimedia.org has been removed now with T123431 / https://gerrit.wikimedia.org/r/#/c/276385/.

BBlack closed this task as Declined.Apr 12 2016, 11:43 AM

With the impending removal of *.donate, we'll actually finally be able to HSTS wikimedia.org itself at the DNS level.

Chmarkine added a comment.Apr 12 2016, 12:37 PM
In T111967#2198441, @BBlack wrote:

With the impending removal of *.donate, we'll actually finally be able to HSTS wikimedia.org itself at the DNS level.

Wait a minute. There are still some subdomains of wikimedia.org that don't even support HTTPS.

BBlack added a comment.Apr 12 2016, 12:47 PM

Right: "at the DNS level" means it's fixed in terms of not having bad DNS names with no matching certs. We still have services that don't support HTTPS, or don't redirect...

Dzahn mentioned this in T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org.Apr 12 2016, 2:31 PM
In T111967#2198576, @Chmarkine wrote:

T34796 but stalled

created T132450

BBlack added a comment.Apr 13 2016, 6:46 AM

Yeah, I'm in the process of enumerating those....

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL