Page MenuHomePhabricator
Create Task
Maniphest T120486

Set "https_upgrade" configuration flag for domainproxy to enforce HTTPS upgrade for GET|HEAD requests
Closed, ResolvedPublic
Actions

Description

Follow the implementation of T102367: Migrate tools.wmflabs.org to https only (and set HSTS) for domainproxy (*.wmflabs.org shared proxy)

  • 2020-08-18:
  • 2021-02-02:
    • Close the POST loophole, set the HSTS header to 366 days
    • Announce the change to cloud-announce@

Original task description:
"add a https-only option to dynamicproxy"

dynamicproxy (what labs projects in wmflabs.org use to have https) (module dynamicproxy in puppet),

does https and http but does not have an option yet to enforce https and proto redirect http->https

we want that for T107627 and in general for all tools using this.

also see T102367

Details

Due Date
Feb 1 2021, 11:00 PM
SubjectRepoBranchLines +/-
domainproxy: Perform HTTPS redirects unconditionallyoperations/puppetproduction+19 -14
domainproxy: enforce TLS by defaultoperations/puppetproduction+2 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dzahn created this task.Dec 5 2015, 12:36 AM
Dzahn raised the priority of this task from to Needs Triage.
Dzahn updated the task description. (Show Details)
Dzahn added projects: SRE, Cloud-VPS.
Dzahn subscribed.
Restricted Application added a project: Cloud-Services. · View Herald TranscriptDec 5 2015, 12:36 AM
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald Transcript
Dzahn added a project: HTTPS.Dec 5 2015, 12:36 AM
Dzahn set Security to None.
Dzahn added a parent task: T107627: Quarry should be HTTPS-only.
chasemp triaged this task as Medium priority.Dec 7 2015, 8:33 PM
Dzahn moved this task from Backlog to Services to fix on the HTTPS board.Dec 8 2015, 12:30 AM
Aklapper added a project: Traffic.Feb 23 2016, 6:12 PM
AlexMonk-WMF mentioned this in T131288: Make Cloud Services shared HTTP proxies enforce TLS.Sep 8 2016, 10:22 PM
BBlack moved this task from Backlog to Radar/Not for service by Traffic on the Traffic board.Oct 4 2016, 1:24 PM
BBlack moved this task from Radar/Not for service by Traffic to BadHerald on the Traffic board.Oct 4 2016, 1:27 PM
bd808 added a parent task: T131288: Make Cloud Services shared HTTP proxies enforce TLS.Oct 15 2017, 8:04 PM
bd808 mentioned this in T163019: Allow tool's maintainers to force HTTPS for their tool.Oct 15 2017, 8:55 PM
Legoktm mentioned this in T183755: Redirect http to https on new codesearch.wmflabs.org.Dec 29 2017, 7:26 AM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:27 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed Cloud-Services.Mar 24 2019, 10:29 AM
Framawiki subscribed.Mar 24 2019, 3:50 PM
bd808 moved this task from Backlog to Dynamicproxy on the Cloud-VPS board.Nov 10 2019, 11:54 PM
Krenair subscribed.Nov 20 2019, 10:29 PM

done in https://gerrit.wikimedia.org/r/c/operations/puppet/+/482142 ?

bd808 subscribed.Nov 22 2019, 7:40 PM
In T120486#5680210, @Krenair wrote:

done in https://gerrit.wikimedia.org/r/c/operations/puppet/+/482142 ?

My guess is that @Dzahn was asking for a per-proxy feature flag when he originally wrote this task. I think a better solution today actually would be to enable the same kind of http->https redirects for GET & HEAD requests that we did for Toolforge in the patch @Krenair linked. This leaves the "POST loophole" open, but that is a problem that we can address later (possibly as a part of the loosely planned wmflabs.org -> wmcloud.org domain conversion).

Dzahn added a comment.Nov 22 2019, 7:44 PM

Yea, that's true. It's been a long time since i wrote that and i had a per-proxy feature in mind. I am ok with closing this ticket if there is a better global solution nowadays.

bd808 renamed this task from add a https-only option to dynamicproxy to Set "https_upgrade" configuration flag for domainproxy to enforce HTTPS upgrade for GET|HEAD requests.Apr 16 2020, 11:20 PM
bd808 updated the task description. (Show Details)
bd808 removed projects: Traffic, SRE.
gerritbot added a comment.Aug 13 2020, 9:31 PM

Change 620122 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[operations/puppet@production] domainproxy: enforce TLS by default

https://gerrit.wikimedia.org/r/620122

gerritbot added a project: Patch-For-Review.Aug 13 2020, 9:31 PM
bd808 added a comment.Aug 13 2020, 9:37 PM
In https://gerrit.wikimedia.org/r/620122, @bd808 wrote:

We really never saw any problems of note when we enabled this same functionality for tools.wmflabs.org. It feels safe to me to merge and deploy this and follow up with an email to cloud-announce@ letting folks know that it was done. We should do one things differently this time however. We should also set a date at which we will close the POST loophole from the start. Maybe something like 6 months later?

bd808 added a comment.Aug 13 2020, 9:45 PM

Here's my strawman timeline and communications plan:

  • week of 2020-08-17:
  • 2021-02-01:
    • Close the POST loophole, set the HSTS header to 366 days
    • Announce the change to cloud-announce@
Nintendofan885 subscribed.Aug 17 2020, 9:58 PM
gerritbot added a comment.Aug 18 2020, 2:32 PM

Change 620122 merged by Andrew Bogott:
[operations/puppet@production] domainproxy: enforce TLS by default

https://gerrit.wikimedia.org/r/620122

bd808 added a comment.Aug 18 2020, 3:06 PM

Change and timeline announced to community: https://lists.wikimedia.org/pipermail/cloud-announce/2020-August/000306.html

bd808 updated the task description. (Show Details)Aug 18 2020, 3:08 PM
bd808 set Due Date to Feb 1 2021, 11:00 PM.
bd808 removed a project: Patch-For-Review.
bd808 moved this task from Inbox to Watching on the cloud-services-team (Kanban) board.
bd808 claimed this task.Feb 2 2021, 4:14 PM
bd808 moved this task from Watching to Doing on the cloud-services-team (Kanban) board.
Restricted Application added a project: User-bd808. · View Herald TranscriptFeb 2 2021, 4:14 PM
gerritbot added a comment.Feb 2 2021, 4:25 PM

Change 661140 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[operations/puppet@production] domainproxy: Perform HTTPS redirects unconditionally

https://gerrit.wikimedia.org/r/661140

gerritbot added a project: Patch-For-Review.Feb 2 2021, 4:25 PM
bd808 mentioned this in T273648: Force HTTPS and set HSTS header to 366 days for profile::wmcs::proxy::static proxies.Feb 2 2021, 5:04 PM
bd808 mentioned this in T273651: Force HTTPS and set HSTS header to 366 days for profile::toolforge::static proxies.Feb 2 2021, 5:19 PM
gerritbot added a comment.Feb 2 2021, 5:25 PM

Change 661140 merged by Andrew Bogott:
[operations/puppet@production] domainproxy: Perform HTTPS redirects unconditionally

https://gerrit.wikimedia.org/r/661140

bd808 added a comment.Feb 2 2021, 5:54 PM

Closure of POST loophole announced: https://lists.wikimedia.org/pipermail/cloud-announce/2021-February/000364.html

bd808 updated the task description. (Show Details)Feb 2 2021, 5:55 PM
bd808 closed this task as Resolved.Feb 2 2021, 6:02 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 2 2021, 6:11 PM
Bugreporter mentioned this in T260701: Make Wikispore HTTPS-only.Jun 5 2022, 8:27 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL