
let all services on misc-web enforce http->https redirects
Closed, Resolved · Public

Description

all the services listed as not currently redirecting in T103773

check if there are real reasons not to let them enforce https, if possible let them all redirect

then we could do this centrally in the varnish layer and remove all the individual Apache configs in the backends


Event Timeline

Dzahn created this task. Jun 25 2015, 9:22 PM
Dzahn raised the priority of this task from to Needs Triage.
Dzahn updated the task description.
Dzahn added projects: Traffic, acl*sre-team.
Dzahn added a subscriber: Dzahn.
Restricted Application added subscribers: Matanya, Aklapper. Jun 25 2015, 9:22 PM

left after removing svn and dev:

git.wikimedia.org
graphite.wikimedia.org
releases.wikimedia.org
grafana.wikimedia.org
datasets.wikimedia.org
config-master.wikimedia.org
etherpad.wikimedia.org
parsoid-tests.wikimedia.org
download.wikimedia.org

Krenair added a subscriber: Krenair.

stats.wikimedia.org doesn't redirect http to https. It has mixed content (T93702). Do we need to fix that first?

Dzahn triaged this task as Normal priority. Jul 10 2015, 6:17 PM
BBlack set Security to None.
Dzahn added a comment. Aug 20 2015, 1:17 AM

> stats.wikimedia.org doesn't redirect http to https. It has mixed content (T93702). Do we need to fix that first?

Yes, I think so. The problem here would be that the content is not in a repository (afaict).

> left after removing svn and dev:
> git.wikimedia.org
> graphite.wikimedia.org
> releases.wikimedia.org
> grafana.wikimedia.org
> datasets.wikimedia.org
> config-master.wikimedia.org
> etherpad.wikimedia.org
> parsoid-tests.wikimedia.org
> download.wikimedia.org

Should these domain names have individual Phabricator Maniphest tasks? I just went to look for a task about releases.wikimedia.org specifically.

According to DNS, download.wikimedia.org and gerrit.wikimedia.org are not behind misc-web. Why are these two domains in misc.inc.vcl.erb?

BBlack added a subscriber: BBlack. Apr 12 2016, 3:25 PM

I've done a bunch of cleanup on misc-web today, including:

  1. removing the dead service entries (download, gerrit, rt)
  2. inverting the existing TLS-redirect conditional (to list the hosts which do not redirect for HTTPS)
  3. making varnish do the TLS redirect for all domains that were already doing it at the application layer (checked with curl)
  4. Sharing most of the HTTPS code with the common VCL that text/upload/maps use, except for the redirect part, which means:
  5. misc now emits HSTS according to the global rules as well (no preload/includeSub on wikimedia.org, but yes on the others)

I also went ahead and added wmfusercontent.org to the global HSTS rules, but the preload part there is still blocked on T132452

What's left now for hostnames which flow through cache_misc but do not have HTTPS redirects are these...

config-master.wikimedia.org
git.wikimedia.org
graphite.wikimedia.org
parsoid-tests.wikimedia.org
datasets.wikimedia.org
transparency.wikimedia.org
stats.wikimedia.org

... which are now explicit in the VCL and waiting to be deleted if possible here: https://github.com/wikimedia/operations-puppet/blob/production/templates/varnish/misc-frontend.inc.vcl.erb#L24

I should add: once we can kill the last entry in that list of HTTPS-exceptions, we can drop that whole block and simply set cache_misc's https_redirects option to true (or eliminate the option completely, since this is the only exception that as well).
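The "checked with curl" step and the HSTS rules mentioned in the comment above can be audited offline from captured `curl -sI` output. The following is an added example, not code from the task or from operations-puppet; the function names, the `*.example.org` hosts and the sample responses are constructed for illustration.

```python
# Added example: classify captured `curl -sI http://HOST/` output per host.
# Hostnames and responses below are constructed samples, not real captures.
from urllib.parse import urlsplit

def parse_head(raw):
    """Split raw `curl -sI` output into (status_code, lowercase header dict)."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def redirects_to_https(host, raw):
    """True only for a 3xx redirect whose Location is https:// on the same host."""
    status, headers = parse_head(raw)
    loc = urlsplit(headers.get("location", ""))
    return (status in (301, 302, 307, 308)
            and loc.scheme == "https" and loc.hostname == host.lower())

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its three policy settings."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key = key.lower()
        if key == "max-age" and val.strip('"').isdigit():
            policy["max_age"] = int(val.strip('"'))
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    return policy

def exceptions(captures):
    """Hosts that would still need an entry in the no-redirect exception list."""
    return sorted(h for h, raw in captures.items() if not redirects_to_https(h, raw))

SAMPLES = {  # constructed responses: a redirect, a plain 200, a redirect back to http
    "a.example.org": "HTTP/1.1 301 TLS Redirect\r\nLocation: https://a.example.org/\r\n\r\n",
    "b.example.org": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "c.example.org": "HTTP/1.1 302 Found\r\nLocation: http://c.example.org/login\r\n\r\n",
}

if __name__ == "__main__":
    print("still exceptions:", exceptions(SAMPLES))
    print(parse_hsts("max-age=31536000; includeSubDomains; preload"))
```

`parse_hsts` is meant for the header returned on the HTTPS response, since HSTS is only honoured when delivered over TLS.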

Change 283249 had a related patch set uploaded (by BBlack):
HTTPS redirect for all: 1/3 remove VCL conditional

https://gerrit.wikimedia.org/r/283249

Change 283250 had a related patch set uploaded (by BBlack):
HTTPS redirect for all: 2/3 remove vcl_config settings

https://gerrit.wikimedia.org/r/283250

Change 283251 had a related patch set uploaded (by BBlack):
HTTPS redirect for all: 3/3 remove misc custom block

https://gerrit.wikimedia.org/r/283251

Change 283249 merged by BBlack:
HTTPS redirect for all: 1/3 remove VCL conditional

https://gerrit.wikimedia.org/r/283249

Change 283250 merged by BBlack:
HTTPS redirect for all: 2/3 remove vcl_config settings

https://gerrit.wikimedia.org/r/283250

Change 283251 merged by BBlack:
HTTPS redirect for all: 3/3 remove misc custom block

https://gerrit.wikimedia.org/r/283251

BBlack closed this task as Resolved. Apr 13 2016, 6:49 PM
BBlack claimed this task.