Page MenuHomePhabricator
Create Task
Maniphest T132461

HTTPS redirects for graphite.wikimedia.org
Closed, ResolvedPublic
Actions

Description

Enabling this is trivial, the question is: is there any reason we *can't* enable this? Who's responsible for this service and might know of exceptions like mixed-content, or HTTPS-incapable tools which rely on it, etc? [note this a generic message being tacked into the description of several similar tickets]

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved emaT108827 Investigate TCP Fast Open for tlsproxy
 DeclinedNoneT107236 Switch port 80 to nginx on primary clusters
 ResolvedBBlackT104681 HTTPS Plans (tracking / high-level info)
 ResolvedBBlackT102824 Clean up DNS/redirects for TLS
 ResolvedArielGlennT107575 download.wiki[mp]edia.org are using an invalid certificate
 ResolvedChmarkineT110511 sitemap.wikimedia.org uses invalid SSL certificate
 ResolvedBBlackT104244 Preload HSTS
 ResolvedBBlackT102814 Decom old multiple-subdomain wikis in wikipedia.org
 ResolvedBBlackT104942 TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org
 ResolvedBBlackT102815 Decom www.$lang hostnames/redirects
 ResolvedBBlackT102826 Fix/decom multiple-subdomain wikis in wikimedia.org
 ResolvedBBlackT102827 Decide what to do with *.donate.wikimedia.org subdomain + TLS
 Resolved CCogdill_WMFT130414 delete links.email.donate.wikimedia.org (and all other email.donate.*?) from DNS
 DeclinedBBlackT111967 Preload HSTS for select hostnames within wikimedia.org
 DuplicateBBlackT111998 investigate/remove hostname login.m.wikimedia.org
 ResolvedBBlackT40516 Enable HSTS on Wikimedia sites
 ResolvedBBlackT103919 let all services on misc-web enforce http->https redirects
 ResolvedBBlackT132461 HTTPS redirects for graphite.wikimedia.org
 ResolvedBBlackT132452 HSTS preload for wmfusercontent.org
 ResolvedBBlackT132685 Preload STS for wikimedia.org
 ResolvedBBlackT34796 status.wikimedia.org has no (valid) HTTPS
 ResolvedBBlackT132450 enable https for (ubuntu|apt|mirrors).wikimedia.org
 ResolvedBBlackT132812 Sort out letsencrypt puppetization for simple public hosts

Event Timeline

BBlack created this task.Apr 12 2016, 3:43 PM
BBlack added a project: Grafana.Apr 12 2016, 9:55 PM
BBlack added a subscriber: fgiunchedi.
fgiunchedi added a comment.Apr 13 2016, 9:44 AM

the most critical I can think of is check_graphite which already supports https (not sure about following redirects)

$ /usr/lib/nagios/plugins/check_graphite -U https://graphite.wikimedia.org check_threshold servers.neon.cpu.total.idle -C 10 -W 10 --under
OK: Less than 1.00% under the threshold [10.0]
gerritbot subscribed.Apr 13 2016, 3:51 PM

Change 283210 had a related patch set uploaded (by BBlack):
HTTPS for graphite monitor URLs T132461

https://gerrit.wikimedia.org/r/283210

gerritbot added a project: Patch-For-Review.Apr 13 2016, 3:51 PM
gerritbot added a comment.Apr 13 2016, 3:58 PM

Change 283210 merged by BBlack:
HTTPS for graphite monitor URLs T132461

https://gerrit.wikimedia.org/r/283210

gerritbot added a comment.Apr 13 2016, 4:03 PM

Change 283214 had a related patch set uploaded (by BBlack):
graphite.wm.o HTTPS redirect T132461

https://gerrit.wikimedia.org/r/283214

BBlack added a comment.Apr 13 2016, 4:14 PM

With the check_graphite stuff switched to HTTPS, so far neon doesn't seem to be suffering from any significant increase in overall CPU utilization. I think we're ok here...

gerritbot added a comment.Apr 13 2016, 4:43 PM

Change 283214 merged by BBlack:
graphite.wm.o HTTPS redirect T132461

https://gerrit.wikimedia.org/r/283214

BBlack closed this task as Resolved.Apr 13 2016, 4:44 PM
BBlack claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits