Page MenuHomePhabricator
Create Task
Maniphest T103919

let all services on misc-web enforce http->https redirects
Closed, ResolvedPublic
Actions

Description

all the services listed as not currently redirecting in T103773

check if there are real reasons not to let them enforce https, if possible let them all redirect

then we could do this centrally in the varnish layer and remove all the individual Apache configs in the backends

Details

SubjectRepoBranchLines +/-
HTTPS redirect for all: 3/3 remove misc custom blockoperations/puppetproduction+0 -5
HTTPS redirect for all: 2/3 remove vcl_config settingsoperations/puppetproduction+2 -10
HTTPS redirect for all: 1/3 remove VCL conditionaloperations/puppetproduction+0 -8
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved emaT108827 Investigate TCP Fast Open for tlsproxy
 DeclinedNoneT107236 Switch port 80 to nginx on primary clusters
 ResolvedBBlackT104681 HTTPS Plans (tracking / high-level info)
 ResolvedBBlackT102824 Clean up DNS/redirects for TLS
 ResolvedArielGlennT107575 download.wiki[mp]edia.org are using an invalid certificate
 ResolvedChmarkineT110511 sitemap.wikimedia.org uses invalid SSL certificate
 ResolvedBBlackT104244 Preload HSTS
 ResolvedBBlackT102814 Decom old multiple-subdomain wikis in wikipedia.org
 ResolvedBBlackT104942 TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org
 ResolvedBBlackT102815 Decom www.$lang hostnames/redirects
 ResolvedBBlackT102826 Fix/decom multiple-subdomain wikis in wikimedia.org
 ResolvedBBlackT102827 Decide what to do with *.donate.wikimedia.org subdomain + TLS
 Resolved CCogdill_WMFT130414 delete links.email.donate.wikimedia.org (and all other email.donate.*?) from DNS
 DeclinedBBlackT111967 Preload HSTS for select hostnames within wikimedia.org
 DuplicateBBlackT111998 investigate/remove hostname login.m.wikimedia.org
 ResolvedBBlackT40516 Enable HSTS on Wikimedia sites
 ResolvedBBlackT103919 let all services on misc-web enforce http->https redirects
 ResolvedDzahnT103773 check if services behind misc-web enforce http->https redirect or not
 Resolved ezachteT93702 Fix the mixed content issue on Wikimedia Statistics
 ResolvedBBlackT132459 HTTPS redirects for config-master.wikimedia.org
 ResolvedBBlackT132460 HTTPS redirects for git.wikimedia.org
 ResolvedBBlackT132461 HTTPS redirects for graphite.wikimedia.org
 ResolvedBBlackT132462 HTTPS redirects for parsoid-tests.wikimedia.org
 ResolvedBBlackT132463 HTTPS redirects for datasets.wikimedia.org
 ResolvedBBlackT132464 HTTPS redirects for transparency.wikimedia.org
 ResolvedBBlackT132465 HTTPS redirects for stats.wikimedia.org
 ResolvedBBlackT132452 HSTS preload for wmfusercontent.org
 ResolvedBBlackT132685 Preload STS for wikimedia.org
 ResolvedBBlackT34796 status.wikimedia.org has no (valid) HTTPS
 ResolvedBBlackT132450 enable https for (ubuntu|apt|mirrors).wikimedia.org
 ResolvedBBlackT132812 Sort out letsencrypt puppetization for simple public hosts

Event Timeline

Dzahn created this task.Jun 25 2015, 9:22 PM
Dzahn raised the priority of this task from to Needs Triage.
Dzahn updated the task description. (Show Details)
Dzahn added projects: Traffic, acl*sre-team.
Dzahn subscribed.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJun 25 2015, 9:22 PM
Dzahn added a subtask: T103773: check if services behind misc-web enforce http->https redirect or not.Jun 25 2015, 9:23 PM

left after removing svn and dev:

git.wikimedia.org
graphite.wikimedia.org
releases.wikimedia.org
grafana.wikimedia.org
datasets.wikimedia.org
config-master.wikimedia.org
etherpad.wikimedia.org
parsoid-tests.wikimedia.org
download.wikimedia.org

Krenair added projects: HTTPS, HTTPS-by-default.Jun 25 2015, 9:31 PM
Krenair subscribed.
Dzahn added a comment.Jun 25 2015, 9:31 PM

https://wikitech.wikimedia.org/wiki/User:Dzahn/misc-web

JohnLewis subscribed.Jun 25 2015, 9:32 PM
Chmarkine subscribed.Jun 27 2015, 9:56 AM

stats.wikimedia.org doesn't redirect http to https. It has mixed content (T93702). Do we need to fix that first?

BBlack mentioned this in T104681: HTTPS Plans (tracking / high-level info).Jul 3 2015, 4:58 AM
BBlack added a parent task: T104681: HTTPS Plans (tracking / high-level info).Jul 3 2015, 5:00 AM
Dzahn triaged this task as Medium priority.Jul 10 2015, 6:17 PM
BBlack added a parent task: T107236: Switch port 80 to nginx on primary clusters.Jul 29 2015, 1:41 AM
MZMcBride subscribed.Jul 29 2015, 2:54 AM
BBlack removed a project: HTTPS-by-default.Aug 7 2015, 4:11 PM
BBlack set Security to None.
Dzahn added a comment.Aug 20 2015, 1:17 AM
In T103919#1406876, @Chmarkine wrote:

stats.wikimedia.org doesn't redirect http to https. It has mixed content (T93702). Do we need to fix that first?

Yes, i think so. The problem here would be that the content is not in a repository (afaict).

MZMcBride added a comment.Aug 25 2015, 3:57 AM
In T103919#1402421, @Dzahn wrote:

left after removing svn and dev:

git.wikimedia.org
graphite.wikimedia.org
releases.wikimedia.org
grafana.wikimedia.org
datasets.wikimedia.org
config-master.wikimedia.org
etherpad.wikimedia.org
parsoid-tests.wikimedia.org
download.wikimedia.org

Should these domain names have individual Phabricator Maniphest tasks? I just went to look for a task about releases.wikimedia.org specifically.

Chmarkine added a comment.Aug 25 2015, 4:59 AM

According to DNS, download.wikimedia.org and gerrit.wikimedia.org are not behind misc-web. Why are these two domains in misc.inc.vcl.erb?

Chmarkine added a subtask: T93702: Fix the mixed content issue on Wikimedia Statistics.Aug 26 2015, 4:39 PM
BBlack subscribed.Apr 12 2016, 3:25 PM

I've done a bunch of cleanup on misc-web today, including:

  1. removing the dead service entries (download, gerrit, rt)
  2. inverting the existing TLS-redirect conditional (to list the hosts which do not redirect for HTTPS)
  3. making varnish do the TLS redirect for all domains that were already doing it at the application layer (checked with curl)
  4. Sharing most of the HTTPS code with the common VCL that text/upload/maps use, except for the redirect part, which means:
  5. misc now emits HSTS according to the global rules as well (no preload/includeSub on wikimedia.org, but yes on the others)

I also went ahead and added wmfusercontent.org to the global HSTS rules, but the preload part there is still blocked on T132452

What's left now for hostnames which flow through cache_misc but do not have HTTPS redirects are these...

config-master.wikimedia.org
git.wikimedia.org
graphite.wikimedia.org
parsoid-tests.wikimedia.org
datasets.wikimedia.org
transparency.wikimedia.org
stats.wikimedia.org

... which are now explicit in the VCL and waiting to be deleted if possible here: https://github.com/wikimedia/operations-puppet/blob/production/templates/varnish/misc-frontend.inc.vcl.erb#L24

BBlack added a comment.Apr 12 2016, 3:27 PM

I should add: once we can kill the last entry in that last of HTTPS-exceptions, we can drop that whole block and simply set cache_misc's https_redirects option to true (or eliminate the option completely, since this is the only exception that as well).

BBlack created subtask T132459: HTTPS redirects for config-master.wikimedia.org.Apr 12 2016, 3:41 PM
BBlack created subtask T132460: HTTPS redirects for git.wikimedia.org.
BBlack created subtask T132461: HTTPS redirects for graphite.wikimedia.org.
BBlack created subtask T132462: HTTPS redirects for parsoid-tests.wikimedia.org.Apr 12 2016, 3:43 PM
BBlack created subtask T132463: HTTPS redirects for datasets.wikimedia.org.
BBlack created subtask T132464: HTTPS redirects for transparency.wikimedia.org.
BBlack created subtask T132465: HTTPS redirects for stats.wikimedia.org.
BBlack added a parent task: T40516: Enable HSTS on Wikimedia sites.Apr 12 2016, 10:23 PM
BBlack closed subtask T132459: HTTPS redirects for config-master.wikimedia.org as Resolved.Apr 13 2016, 2:42 PM
BBlack closed subtask T132462: HTTPS redirects for parsoid-tests.wikimedia.org as Resolved.Apr 13 2016, 3:32 PM
BBlack closed subtask T132464: HTTPS redirects for transparency.wikimedia.org as Resolved.Apr 13 2016, 3:35 PM
BBlack closed subtask T132465: HTTPS redirects for stats.wikimedia.org as Resolved.
BBlack closed subtask T132463: HTTPS redirects for datasets.wikimedia.org as Resolved.Apr 13 2016, 3:43 PM
BBlack closed subtask T132461: HTTPS redirects for graphite.wikimedia.org as Resolved.Apr 13 2016, 4:44 PM
BBlack closed subtask T132460: HTTPS redirects for git.wikimedia.org as Resolved.Apr 13 2016, 5:52 PM
gerritbot subscribed.Apr 13 2016, 6:15 PM

Change 283249 had a related patch set uploaded (by BBlack):
HTTPS redirect for all: 1/3 remove VCL conditional

https://gerrit.wikimedia.org/r/283249

gerritbot added a comment.Apr 13 2016, 6:18 PM

Change 283250 had a related patch set uploaded (by BBlack):
HTTPS redirect for all: 2/3 remove vcl_config settings

https://gerrit.wikimedia.org/r/283250

gerritbot added a project: Patch-For-Review.Apr 13 2016, 6:18 PM

Change 283251 had a related patch set uploaded (by BBlack):
HTTPS redirect for all: 3/3 remove misc custom block

https://gerrit.wikimedia.org/r/283251

gerritbot added a comment.Apr 13 2016, 6:22 PM

Change 283249 merged by BBlack:
HTTPS redirect for all: 1/3 remove VCL conditional

https://gerrit.wikimedia.org/r/283249

gerritbot added a comment.Apr 13 2016, 6:34 PM

Change 283250 merged by BBlack:
HTTPS redirect for all: 2/3 remove vcl_config settings

https://gerrit.wikimedia.org/r/283250

gerritbot added a comment.Apr 13 2016, 6:34 PM

Change 283251 merged by BBlack:
HTTPS redirect for all: 3/3 remove misc custom block

https://gerrit.wikimedia.org/r/283251

BBlack closed this task as Resolved.Apr 13 2016, 6:49 PM
BBlack claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL