Page MenuHomePhabricator
Create Task
Maniphest T107236

Switch port 80 to nginx on primary clusters
Closed, DeclinedPublic
Actions

Description

We'll eventually want to switch the cache clusters' port 80 to being served directly by nginx (ideally, with no proxy backend - just 301/403/etc logic to force other traffic off to HTTPS). It's more efficient and it simplifies request-routing as there's no conditional on where the traffic first enters at - all initial termination of HTTP(S) happens in one piece of software.

We're not really ready to make this transition yet, as we're still allowing HTTP traffic to flow through the varnish instances in various corner cases. In the meantime, we can take a few preparatory steps to ease the transition in the future.

  • - Configure varnish frontend listeners to listen on an alternate port, in addition to port 80. The backends use 3128. Port 3127 is available and makes sense.
  • - Restart varnishes to get port 3127 working
  • - Configure nginx HTTPS proxies to proxy traffic into port 3127 instead of port 80. This should have the side-benefit of making it easier to analyze remaining non-HTTPS traffic that's hitting varnish's port 80 directly (negative regexes against ReqStart or XFP are annoyingly difficult to mix with other varnishlog filters).
  • - Configure vhtcpd to use 3127 as well
  • - Set up new 301/403 code in our nginx config that can terminate all HTTP traffic directly, but on a temporary alternate port such as 8080, and test/vet it.
  • - Wait until we've resolved all the other issues and effectively killed off all non redirect/forbidden traffic on port 80
  • - Go through a complicated two-stage process of depooling nodes one by one and switching off the varnish port 80 listener then turning on the nginx port 80 listener.
  • - Cleanup - varnish code can now assume all requests are HTTPS, so we can kill some related logic here

Details

SubjectRepoBranchLines +/-
tlsproxy: redirect-only service on 8080operations/puppetproduction+28 -0
vhtcpd: use port 3127 for feoperations/puppetproduction+1 -1
r::c::ssl: use 3127 for upstream_portoperations/puppetproduction+6 -2
r::c::ssl::unified: set explicit server name www.wikimedia.orgoperations/puppetproduction+2 -0
varnish: systemd unit varnish4.1 compat for "-a"operations/puppetproduction+4 -0
r::c::instances: frontends also listen on :3127operations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved emaT108827 Investigate TCP Fast Open for tlsproxy
 DeclinedNoneT107236 Switch port 80 to nginx on primary clusters
 ResolvedBBlackT103919 let all services on misc-web enforce http->https redirects
 ResolvedDzahnT103773 check if services behind misc-web enforce http->https redirect or not
 Resolved ezachteT93702 Fix the mixed content issue on Wikimedia Statistics
 ResolvedBBlackT132459 HTTPS redirects for config-master.wikimedia.org
 ResolvedBBlackT132460 HTTPS redirects for git.wikimedia.org
 ResolvedBBlackT132461 HTTPS redirects for graphite.wikimedia.org
 ResolvedBBlackT132462 HTTPS redirects for parsoid-tests.wikimedia.org
 ResolvedBBlackT132463 HTTPS redirects for datasets.wikimedia.org
 ResolvedBBlackT132464 HTTPS redirects for transparency.wikimedia.org
 ResolvedBBlackT132465 HTTPS redirects for stats.wikimedia.org
 ResolvedBBlackT105794 Insecure POST traffic
 Resolved PcheloloT107030 Restbase insecure POST requests to MW api.php
 Resolved PcheloloT86737 Generalize request templating for service requests
 DeclinedvalhallaswT121020 Update Java 7 to Java 8
 Resolved Whatamidoing-WMFT136674 Help contact bot owners about the end of HTTP access to the API
 DuplicateNoneT137915 stream.wikimedia.org doesn't redirect to HTTPS
 ResolvedVgutierrezT133548 Create a secure redirect service for large count of non-canonical / junk domains
 ResolvedBBlackT132812 Sort out letsencrypt puppetization for simple public hosts
 ResolvedNoneT134447 letsencrypt puppetization: upgrade for scalability
 ResolvedNoneT141266 letsencrypt puppetization: add parallel rsa+ecdsa cert support
 DuplicateNoneT152622 Wikipedia.cz and other domains owned by WMCZ have invalid certificate
 ResolvedKrenairT194962 Create and deploy a centralized letsencrypt service
 ResolvedBBlackT194965 gdnsd plugin support for ACME DNS challenges
 ResolvedMarcoAurelioT198541 Set up CI for new repo operations/software/certcentral.git
 ResolvedKrenairT153577 Make standalone puppetmasters optionally use PuppetDB
 ResolvedscfcT154104 role::puppetmaster::puppetdb depends on Ganglia and cannot be used in Labs
 ResolvedVgutierrezT207476 Create production LE accounts
 ResolvedVgutierrezT220518 acme-chief: Validate that configured certificates can be actually issued
 ResolvedVgutierrezT224539 Provide nginx support in compile_redirects()
 OpenVgutierrezT225096 Provide acme-chief/TLS SNI list support in compile_redirects()
 ResolvedVgutierrezT228382 Provide prometheus metrics for the ncredir service
 DeclinedNoneT140128 HTTPS-only for stream.wikimedia.org
 Resolved AlexMonk-WMFT145244 rcstream support defaults to stream.wikimedia.org:80
 ResolvedfaidonT102313 stream.wikimedia.org speaks http (not https) on port 443

Event Timeline

BBlack created this task.Jul 29 2015, 12:05 AM
BBlack claimed this task.
BBlack raised the priority of this task from to Needs Triage.
BBlack updated the task description. (Show Details)
BBlack added projects: acl*sre-team, Traffic.
BBlack added subscribers: BBlack, faidon.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJul 29 2015, 12:05 AM
BBlack triaged this task as Medium priority.Jul 29 2015, 12:05 AM
BBlack added subtasks: T102824: Clean up DNS/redirects for TLS, T103919: let all services on misc-web enforce http->https redirects, T105794: Insecure POST traffic.Jul 29 2015, 1:41 AM
MZMcBride subscribed.Jul 29 2015, 2:41 AM
BBlack mentioned this in T103021: Switch $wgSecureLogin to false for WMF wikis where https is forced.Jul 29 2015, 4:07 PM
BBlack added a comment.Aug 5 2015, 5:32 PM

Coincident with and related to this: there might be future plans afoot (still ill-defined) to blend the cache clusters in general (as in: text + upload on same machines, without any initial change to how things work from the user or mediawiki POV, then later coalescing the IPs for them at the nginx level and splitting on Host header).

So, the first step there should probably take that into account, and assign a new set up of alternate (to be primary, eventually) ports for all of the varnish fe and be services, using unique port numbers per cluster so that they don't conflict during later work.

BBlack mentioned this in T109321: Inbound TLS for tier-1 varnish backend caches.Aug 17 2015, 3:55 PM
Chmarkine subscribed.Aug 20 2015, 9:07 AM
BBlack added a subtask: T119396: Create globally-unique varnish cache cluster port/instancename mappings.Nov 23 2015, 3:31 PM
BBlack closed subtask T103919: let all services on misc-web enforce http->https redirects as Resolved.Apr 13 2016, 6:49 PM
BBlack added a subtask: T137915: stream.wikimedia.org doesn't redirect to HTTPS.Jun 15 2016, 6:43 PM
gerritbot subscribed.Jun 15 2016, 6:47 PM

Change 294532 had a related patch set uploaded (by BBlack):
r::c::instances: frontends also listen on :3127

https://gerrit.wikimedia.org/r/294532

gerritbot added a project: Patch-For-Review.Jun 15 2016, 6:47 PM

Change 294532 merged by BBlack:
r::c::instances: frontends also listen on :3127

https://gerrit.wikimedia.org/r/294532

BBlack mentioned this in rOPUP50e16c9309cb: r::c::instances: frontends also listen on :3127.Jun 15 2016, 6:49 PM
BBlack updated the task description. (Show Details)Jun 15 2016, 6:50 PM
BBlack set Security to None.
BBlack edited subtasks, added: T133548: Create a secure redirect service for large count of non-canonical / junk domains; removed: T119396: Create globally-unique varnish cache cluster port/instancename mappings, T102824: Clean up DNS/redirects for TLS.Jun 15 2016, 6:54 PM
Stashbot subscribed.Jun 15 2016, 7:11 PM

Mentioned in SAL [2016-06-15T19:11:44Z] <bblack> rolling restart of global varnish frontends (salt -b 1: depool -> sleep 15 -> restart -> repool) - estimated ~30 mins to completion - T107236

gerritbot added a comment.Jun 15 2016, 7:19 PM

Change 294537 had a related patch set uploaded (by BBlack):
varnish: systemd unit varnish4.1 compat for "-a"

https://gerrit.wikimedia.org/r/294537

gerritbot added a comment.Jun 15 2016, 7:20 PM

Change 294537 merged by BBlack:
varnish: systemd unit varnish4.1 compat for "-a"

https://gerrit.wikimedia.org/r/294537

BBlack mentioned this in rOPUP6efc6ca44a2b: varnish: systemd unit varnish4.1 compat for "-a".Jun 15 2016, 7:22 PM
Stashbot added a comment.Jun 15 2016, 7:25 PM

Mentioned in SAL [2016-06-15T19:25:13Z] <bblack> rolling restart of global varnish frontends (salt -b 1: depool -> sleep 15 -> restart -> repool) - estimated ~35 mins to completion - T107236 (...._

gerritbot added a comment.Jun 16 2016, 12:48 PM

Change 294703 had a related patch set uploaded (by BBlack):
r::c::ssl::unified: set explicit server name www.wikimedia.org

https://gerrit.wikimedia.org/r/294703

gerritbot added a comment.Jun 16 2016, 12:48 PM

Change 294704 had a related patch set uploaded (by BBlack):
r::c::ssl: use 3127 for upstream_port

https://gerrit.wikimedia.org/r/294704

gerritbot added a comment.Jun 16 2016, 12:48 PM

Change 294705 had a related patch set uploaded (by BBlack):
vhtcpd: use port 3127 for fe

https://gerrit.wikimedia.org/r/294705

gerritbot added a comment.Jun 16 2016, 12:48 PM

Change 294706 had a related patch set uploaded (by BBlack):
tlsproxy: redirect-only service on 8080

https://gerrit.wikimedia.org/r/294706

gerritbot added a comment.Jun 16 2016, 1:51 PM

Change 294703 merged by BBlack:
r::c::ssl::unified: set explicit server name www.wikimedia.org

https://gerrit.wikimedia.org/r/294703

BBlack mentioned this in rOPUP7788a253889b: r::c::ssl::unified: set explicit server name www.wikimedia.org.Jun 16 2016, 1:52 PM
gerritbot added a comment.Jun 16 2016, 2:26 PM

Change 294704 merged by BBlack:
r::c::ssl: use 3127 for upstream_port

https://gerrit.wikimedia.org/r/294704

gerritbot added a comment.Jun 16 2016, 2:26 PM

Change 294705 merged by BBlack:
vhtcpd: use port 3127 for fe

https://gerrit.wikimedia.org/r/294705

BBlack mentioned this in rOPUP42651850ed62: r::c::ssl: use 3127 for upstream_port.Jun 16 2016, 2:28 PM
BBlack mentioned this in rOPUP9b0d70c8cd46: vhtcpd: use port 3127 for fe.
BBlack updated the task description. (Show Details)Jun 16 2016, 2:29 PM
BBlack mentioned this in rOPUPa902bba10ba6: tlsproxy: redirect-only service on 8080.Jun 17 2016, 6:05 PM
BBlack mentioned this in rOPUPcac87a987598: r::c::ssl::unified: set explicit server name www.wikimedia.org.
BBlack mentioned this in rOPUP4eaf96d13069: r::c::ssl: use 3127 for upstream_port.
BBlack mentioned this in rOPUP0a14bf641def: vhtcpd: use port 3127 for fe.
BBlack mentioned this in rOPUP3309353678eb: tlsproxy: redirect-only service on 8080.
gerritbot added a comment.Jun 20 2016, 5:08 PM

Change 294706 merged by BBlack:
tlsproxy: redirect-only service on 8080

https://gerrit.wikimedia.org/r/294706

BBlack updated the task description. (Show Details)Jun 20 2016, 5:09 PM
BBlack mentioned this in rOPUPb06dc6967d9a: tlsproxy: redirect-only service on 8080.Jun 20 2016, 5:13 PM
BBlack added a parent task: T108827: Investigate TCP Fast Open for tlsproxy.Jul 11 2016, 4:20 PM
faidon added a comment.Jul 12 2016, 12:50 PM

Perhaps we should wait until Varnish 5.0, supposedly out in a couple of months and with HTTP/2.0 support, before we proceed with this change?

BBlack added a comment.Jul 12 2016, 1:07 PM

It will be another 6 months before we're even settled into a full Varnish 4 world. We have several major followup projects pending on that (e.g. xkey, and finally sorting out TTL/grace issues well, etc) as well as other unrelated projects ongoing. Even if all of that were out of the way, we can't be confident of the V5 release timeline yet, and I'm not sure how difficult a transition Varnish 5 will be or how long it will take us once we start on it.

Even once we're past pre-requisite timeline issues, V5 probably still won't support inbound TLS (at least, not well enough!) to not put a TLS proxy in front of it, so the bulk of the traffic will still be TCP-terminating separately in nginx or similar.

By the time we get around to seriously considering V5, we can also re-evaluate whether we want to pursue ATS or not as well.

So basically, in the net I see V5 as too far off to plan anything around in the short to medium term, and unrelated to this anyways since it still won't be able to terminate TCP TLS connections on its own for us.

The upside of switching port 80 to nginx is it removes complexity and confusion around a security-critical issue. Currently there are two paths for traffic into Varnish: through the TLS terminator, or directly into Varnish's port 80. The VCL that does initial frontend processing of things like HTTPS-enforcement, X-Client-IP, X-Forwarded-For, etc has to deal with two very distinct cases, and carefully redirect rather than proxy for traffic that didn't legitimately pass through TLS termination. With port 80 moved to nginx, and that nginx virtual server configured to only return 301/403 and never proxy, VCL can assume all traffic is properly TLS-terminated from the get-go, and we can know more-concretely that there's no logical hole allowing insecure traffic into the the caches and beyond.

BBlack added a subtask: T140128: HTTPS-only for stream.wikimedia.org.Jul 12 2016, 4:49 PM
BBlack closed subtask T105794: Insecure POST traffic as Resolved.Jul 19 2016, 10:26 PM
BBlack moved this task from Backlog to TLS on the Traffic board.Sep 30 2016, 1:43 PM
BBlack closed subtask T140128: HTTPS-only for stream.wikimedia.org as Declined.Dec 19 2016, 4:18 PM
elukey subscribed.Aug 31 2018, 8:49 AM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:13 PM
Aklapper removed a project: Patch-For-Review.Mar 1 2020, 6:11 AM

@BBlack: Hi! This task has been assigned to you a while ago. Do you still plan to work on this task?
If this task has been resolved in the meantime: Please update the task status (via Add Action...Change Status in the dropdown menu).
If this task is not resolved and only if you do not plan to work on this task anymore: Please consider removing yourself as assignee (via Add Action...Assign / Claim in the dropdown menu): That would allow others to work on this (in theory), as others won't think that someone is already working on this. Thanks! :)

BBlack closed this task as Declined.Mar 18 2020, 6:44 PM

We're not using nginx software for this functionality anymore, and everything else related to these parts of the software stack have changed and are still evolving, so this task doesn't make a ton of sense anymore as it stands.

BBlack removed BBlack as the assignee of this task.Mar 18 2020, 6:47 PM
Aklapper closed subtask T133548: Create a secure redirect service for large count of non-canonical / junk domains as Resolved.Jun 17 2021, 9:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL