Page MenuHomePhabricator
Create Task
Maniphest T122403

tool labs: provide custom domain proxy?
Closed, DeclinedPublic
Actions

Description

My idea is as follows:

  • Several tools would like to be hosted under a seperate domain name. For example https://lizenzhinweisgenerator.de (T120946) and wikispy (T97846)
  • The current solution is providing a seperate IP to these tools, and have them set up their own webserver.
    • The current solution also requires volunteers to fiddle with SSL/letsencrypt.
  • We already have infrastructure to route requests (either by domain for the labsproxy, or by path for the tools proxy), but it currently does not support arbitrary domains

What I would like:

  • a puppet class which instantiates an nginx virtualhost for a domain, and which automatically organizes a letsencrypt ssl certificate for that domain.

What I've tested:

What I still needs to figure out:

  • Letsencrypt + letsencrypt automation
  • Certificate management. How do we make sure both proxies have access to the certificates? Do we need to (maybe we can run letsencrypt on both hosts)?
  • Revocation of certificates?
  • How to link the new virtualhost into the existing proxy machinery. A simple rewrite statement is probably enough.

Related Objects

Event Timeline

valhallasw created this task.Dec 24 2015, 2:42 PM
valhallasw raised the priority of this task from to Needs Triage.
valhallasw updated the task description. (Show Details)
valhallasw added a project: Toolforge.
valhallasw subscribed.
Restricted Application added a project: Cloud-Services. · View Herald TranscriptDec 24 2015, 2:42 PM
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald Transcript
valhallasw added a comment.Dec 24 2015, 10:40 PM
  • Certificate management. How do we make sure both proxies have access to the certificates? Do we need to (maybe we can run letsencrypt on both hosts)?

According to my reading of letsencrypt/ACME design , it should be possible to only share the agent certificate, as 'confirm I am the owner of this domain' and 'please sign this certificate' are distinct steps.

The current letsencrypt code does not allow this, but the required changes seem to be minor. A simple hack, replacing

https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/client.py#L224

by

authzr = [messages.AuthorizationResource(uri="", new_cert_uri="https://acme-staging.api.letsencrypt.org/acme/new-cert", body=None)]

works. I'm not entirely sure how to fit this in the letsencrypt plugin framework, though...

scfc subscribed.Dec 24 2015, 11:42 PM

In general, I'd prefer if we discourage using such custom domains – IMHO they open a can of worms (trademarks, DNS management, certificate mangement, TOS, etc.) that is not worth … well, what do they bring exactly? If there is a use case for a separate domain, then it is probably also worth to buy a "proper" certificate and change it every year.

I haven't looked into Let's Encrypt, but AFAIUI it sets up a challenge-responser at the webserver at a (customizable?) URL. So the SSL connections could be terminated at the proxy and simple http requests passed on, like in the current setup for Tools. Only the proxy would need to create/sign/update certificates. There is no need to maintain the certificate at the "application" web server as well, nor would it work, as (any) proxy would break the encrypted end-to-end connection.

If the connection from the proxy to the application web server would need to be encrypted or the application web server would need to imagine that is serving https for redirects & Co. to work, we could use separate, self-signed certificates for those, i. e. Internet <- Let's Encrypt certificate -> proxy <- self-signed certificate -> application web server.

But, again :-), I'd prefer if we only use custom domains for cases where there is something to gain from them.

valhallasw added a comment.Dec 25 2015, 12:06 PM

Yes, I agree. Nonetheless, the current situation is that we already have custom domains, but implemented in an ad-hoc manner. Having a central end-point with a puppetized configuration makes it much easier to keep track of these domains.

In general, the SSL certificates would live on the proxy, and the backend services wouldn't need to change their configuration as compared to the current proxy setup. Whether those certificates are letsencrypt certs or manually-handled certs doesn't matter too much; the virtualhosts/proxying configuration would be the same.

valhallasw mentioned this in T125589: Allow each tool to have its own subdomain for browser sandbox/cookie isolation.Feb 2 2016, 10:30 PM
valhallasw mentioned this in T132812: Sort out letsencrypt puppetization for simple public hosts.Apr 15 2016, 6:16 PM
valhallasw triaged this task as Lowest priority.May 27 2016, 1:09 PM
valhallasw moved this task from Backlog to Ready to be worked on on the Toolforge board.
Nemo_bis mentioned this in T131290: Abolish use of labs proxies in domains other than .wmflabs.org.Apr 29 2018, 7:43 AM
Krenair subscribed.Sep 25 2019, 11:11 PM

I also don't think we should permit use of custom domains.

bd808 edited projects, added Cloud-VPS; removed Cloud-Services.Jan 4 2020, 8:35 PM
bd808 closed this task as Declined.Apr 2 2020, 9:41 PM
bd808 subscribed.

We can revisit this decision at some point in the future, but for now vanity domains is not a feature of the Cloud VPS hosting platform.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits