Enable HTTPS for Swift traffic
Closed, Resolved; Public

Description

We are about to enable writes from the active MediaWiki cluster to Swift clusters in both datacenters. Therefore, it would be ideal to TLS-encrypt this traffic, as sometimes sensitive information (such as access tokens and, relatively rarely, sensitive files) may be transmitted from/to Swift.

Details

Related Gerrit Patches:
operations/puppet : production : hieradata: enable https for swift eqiad
operations/puppet : production : hieradata: use 'localhost' vhost for icinga checks
operations/puppet : production : hieradata: use 'uri' for swift icinga configuration
operations/puppet : production : conftool-data: add nginx service to swift
operations/puppet : production : lvs: add swift https service
operations/puppet : production : hieradata: use_tls for swift proxy in codfw
operations/puppet : production : swift: terminate https with nginx

Event Timeline

faidon created this task. Feb 19 2016, 3:25 PM

Change 310549 had a related patch set uploaded (by Filippo Giunchedi):
[WIP] swift: terminate https with nginx

https://gerrit.wikimedia.org/r/310549

Gilles added a subscriber: Gilles. Oct 12 2016, 7:41 AM

Change 310549 merged by Filippo Giunchedi:
swift: terminate https with nginx

https://gerrit.wikimedia.org/r/310549

fgiunchedi renamed this task from "Look into enabling HTTPS for Swift traffic" to "Enable HTTPS for Swift traffic". Feb 22 2017, 3:16 PM

Change 339191 had a related patch set uploaded (by Filippo Giunchedi):
hieradata: use_tls for swift proxy in codfw

https://gerrit.wikimedia.org/r/339191

Change 339191 merged by Filippo Giunchedi:
hieradata: use_tls for swift proxy in codfw

https://gerrit.wikimedia.org/r/339191

Change 339197 had a related patch set uploaded (by Filippo Giunchedi):
lvs: add swift https service

https://gerrit.wikimedia.org/r/339197

Change 339197 merged by Filippo Giunchedi:
lvs: add swift https service

https://gerrit.wikimedia.org/r/339197

Change 339410 had a related patch set uploaded (by Filippo Giunchedi):
conftool-data: add nginx service to swift

https://gerrit.wikimedia.org/r/339410

Change 339413 had a related patch set uploaded (by Filippo Giunchedi):
hieradata: use 'uri' for swift icinga configuration

https://gerrit.wikimedia.org/r/339413

Change 339410 merged by Filippo Giunchedi:
conftool-data: add nginx service to swift

https://gerrit.wikimedia.org/r/339410

Change 339413 merged by Filippo Giunchedi:
hieradata: use 'uri' for swift icinga configuration

https://gerrit.wikimedia.org/r/339413

Change 339430 had a related patch set uploaded (by Filippo Giunchedi):
hieradata: use 'localhost' vhost for icinga checks

https://gerrit.wikimedia.org/r/339430

Change 339430 merged by Filippo Giunchedi:
hieradata: use 'localhost' vhost for icinga checks

https://gerrit.wikimedia.org/r/339430

Change 342438 had a related patch set uploaded (by Filippo Giunchedi):
[operations/puppet] hieradata: enable https for swift eqiad

https://gerrit.wikimedia.org/r/342438

Change 342438 merged by Filippo Giunchedi:
[operations/puppet] hieradata: enable https for swift eqiad

https://gerrit.wikimedia.org/r/342438

fgiunchedi closed this task as Resolved. Mar 13 2017, 1:33 PM

HTTPS for ms-fe.svc is now active in eqiad and codfw