Page MenuHomePhabricator
Create Task
Maniphest T140128

HTTPS-only for stream.wikimedia.org
Closed, DeclinedPublic
Actions

Description

stream.wikimedia.org was moved behind cache_misc in T134871. It was noted during this transition that most of the current clients are using unencrypted HTTP, and that our default/sample websocket client implementations tend to break on a 301 redirect rather than follow it, so this transition may be painful.

We should start with ensuring our own documentation uses https:// and/or wss:// URLs for the stream service as appropriate, and make some announcements to the community about the problem and a plea to update their URLs for secure access, and set a future date on which we'll make this service redirect to HTTPS with 301 like all of our other public, cache-terminated hostnames in wikimedia.org.

Details

SubjectRepoBranchLines +/-
rcstream: log X-Forwarded-Protooperations/puppetproduction+7 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

BBlack created this task.Jul 12 2016, 4:48 PM
Restricted Application added a project: SRE. · View Herald TranscriptJul 12 2016, 4:48 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald Transcript
BBlack merged a task: T137915: stream.wikimedia.org doesn't redirect to HTTPS.Jul 12 2016, 4:49 PM
BBlack added a parent task: T107236: Switch port 80 to nginx on primary clusters.
BBlack added a parent task: T132521: Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination.
Danny_B added a project: HTTPS.Jul 12 2016, 10:15 PM
BBlack mentioned this in T104681: HTTPS Plans (tracking / high-level info).Jul 19 2016, 10:29 PM
gerritbot subscribed.Jul 19 2016, 10:49 PM

Change 299892 had a related patch set uploaded (by Ori.livneh):
rcstream: log X-Forwarded-Proto

https://gerrit.wikimedia.org/r/299892

gerritbot added a project: Patch-For-Review.Jul 19 2016, 10:49 PM

Change 299892 merged by Ori.livneh:
rcstream: log X-Forwarded-Proto

https://gerrit.wikimedia.org/r/299892

ori mentioned this in rOPUP08deb80de18a: rcstream: log X-Forwarded-Proto.Jul 19 2016, 10:53 PM
BBlack edited parent tasks, added: T104681: HTTPS Plans (tracking / high-level info); removed: T132521: Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination.Jul 20 2016, 12:28 AM
ori moved this task from Inbox, needs triage to Backlog: Maintenance, non-prioritized on the Performance-Team board.Jul 25 2016, 6:30 PM
BBlack added a comment.Sep 6 2016, 1:28 PM

Have we sent any announcement about this to the community? We might have already, just not tracked in here.

BBlack added a comment.Sep 6 2016, 1:32 PM

Nevermind, found it via google: https://lists.wikimedia.org/pipermail/wikitech-l/2016-June/085928.html

BBlack added a comment.Sep 6 2016, 3:15 PM

Looking at the past couple days of access logs from ori's nginx patch above, it looks like the current split is still 88% insecure, 12% secure :/

BBlack mentioned this in T130651: EventStreams.Sep 6 2016, 5:45 PM
AlexMonk-WMF subscribed.EditedSep 9 2016, 8:10 PM

I did some digging and found /shared/pywikipedia/core/pywikibot/comms/rcstream.py in tools suggests stream.wikimedia.org on port 80

AlexMonk-WMF created subtask T145244: rcstream support defaults to stream.wikimedia.org:80.Sep 9 2016, 8:23 PM
AlexMonk-WMF closed subtask T145244: rcstream support defaults to stream.wikimedia.org:80 as Resolved.Sep 10 2016, 2:57 AM
AlexMonk-WMF added a comment.Sep 10 2016, 3:00 AM

That's at least one bot in tools fixed. Can you filter those access logs down to labs entries only (208.80.155.128 - 208.80.155.255), and write the result to my home directory on some production server?

Dzahn subscribed.Sep 14 2016, 6:39 PM

current access log is only about 9% https and a chunk of that is all Catchpoint monitoring.

About 32% are from python-requests UA, of which under 1% use https :/

Dzahn added a comment.Sep 14 2016, 6:42 PM
In T140128#2625078, @AlexMonk-WMF wrote:

Can you filter those access logs down to labs entries only (208.80.155.128 - 208.80.155.255), and write the result to my home directory on some production server?

I only see the 10.64.x.x IPs of cp servers in the access log. it has the http_x_forwarded_proto but not the remote IP.

BBlack moved this task from Backlog to TLS on the Traffic board.Sep 30 2016, 1:40 PM
BBlack added a comment.Oct 3 2016, 4:05 PM
In T140128#2637840, @Dzahn wrote:
In T140128#2625078, @AlexMonk-WMF wrote:

Can you filter those access logs down to labs entries only (208.80.155.128 - 208.80.155.255), and write the result to my home directory on some production server?

I only see the 10.64.x.x IPs of cp servers in the access log. it has the http_x_forwarded_proto but not the remote IP.

We could perhaps enable apache logging of the X-Client-IP header to see through the caches for this.

BBlack added a comment.Oct 27 2016, 2:39 PM
In T140128#2684764, @BBlack wrote:

We could perhaps enable apache logging of the X-Client-IP header to see through the caches for this.

Done in https://gerrit.wikimedia.org/r/#/c/318296/ (forgot to put Bug: link in there)

BBlack added a comment.Oct 27 2016, 2:40 PM

At a glance, it seems like the bulk of the query traffic comes from GCE and AWS, and the bulk of it's still not HTTPS.

jeremyb added a subtask: T102313: stream.wikimedia.org speaks http (not https) on port 443.Nov 3 2016, 2:52 AM
jeremyb subscribed.
Gilles moved this task from Backlog: Maintenance, non-prioritized to Radar on the Performance-Team board.Dec 7 2016, 8:43 PM
BBlack closed this task as Declined.Dec 19 2016, 4:18 PM

We're going to leave this as-is and assume eventstream replacement (which will be HTTPS-only from the get-go) will handle this for us.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL