Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	BBlack
	Apr 12 2016, 10:21 PM

Description

Before we can enable HSTS includeSub/preload for wikimedia.org, we need to thoroughly audit all the services there. Those that are mapped to our standard cache termination clusters (text, upload, maps, misc) are dealt with separately in other tickets and are relatively-easy to quantify. This is about auditing all of the ones that aren't on standard termination: those that are one-off public-facing hosts with their own custom configuration for HTTP[S] service termination to the public.

I've begun an audit process that starts with the DNS zonefile for wikimedia.org and scans for all hostnames which serve HTTP or HTTPS at all, will post more updates here. Note also data from @Chmarkine's survey of services here: https://wikitech.wikimedia.org/wiki/HTTPS/domains (we can ignore those on the 4 standard clusters for this ticket's purposes).

Will update with audit data as I get it processed into shape....

Details

Subject	Repo	Branch	Lines +/-
stream.wm.o: rewrite / => /rcstream_status	operations/puppet	production	+3 -0
librenms: use chain cert correctly	operations/puppet	production	+1 -1
ganglia web: HTTP->HTTPS redir	operations/puppet	production	+2 -17
tendril: use 301 for https redir	operations/puppet	production	+1 -1
wikitech: use 301 for https redir	operations/puppet	production	+1 -1
icinga web: use 301 for https redir	operations/puppet	production	+1 -1
gerrit web: use 301 for https redir	operations/puppet	production	+1 -1
Add HSTS=1y to several one-off public services	operations/puppet	production	+6 -6

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	BBlack	T104681 HTTPS Plans (tracking / high-level info)
Resolved	BBlack	T102824 Clean up DNS/redirects for TLS
Resolved	ArielGlenn	T107575 download.wiki[mp]edia.org are using an invalid certificate
Resolved	Chmarkine	T110511 sitemap.wikimedia.org uses invalid SSL certificate
Resolved	BBlack	T104244 Preload HSTS
Resolved	BBlack	T102814 Decom old multiple-subdomain wikis in wikipedia.org
Resolved	BBlack	T104942 TLS and .wap/.mobile multi-level subdomains of wikipedia.org
Resolved	BBlack	T102815 Decom www.$lang hostnames/redirects
Resolved	BBlack	T102826 Fix/decom multiple-subdomain wikis in wikimedia.org
Resolved	BBlack	T102827 Decide what to do with *.donate.wikimedia.org subdomain + TLS
Resolved	• CCogdill_WMF	T130414 delete links.email.donate.wikimedia.org (and all other email.donate.*?) from DNS
Declined	BBlack	T111967 Preload HSTS for select hostnames within wikimedia.org
Duplicate	BBlack	T111998 investigate/remove hostname login.m.wikimedia.org
Resolved	BBlack	T40516 Enable HSTS on Wikimedia sites
Resolved	BBlack	T132521 Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination
Resolved	Krenair	T133360 Fix wikitech-static TLS config
Resolved	Jgreen	T137161 Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains
Resolved	RobH	T170140 revoke benefactorevents.wikimedia.org SSL certificate
Duplicate	None	T137915 stream.wikimedia.org doesn't redirect to HTTPS
Resolved	BBlack	T105905 Switch blog to HTTPS-only
Invalid	None	T64488 Wikimedia blog has unsecured elements on https
Resolved	BBlack	T132452 HSTS preload for wmfusercontent.org
Resolved	BBlack	T132685 Preload STS for wikimedia.org
Resolved	BBlack	T34796 status.wikimedia.org has no (valid) HTTPS
Resolved	BBlack	T132450 enable https for (ubuntu\|apt\|mirrors).wikimedia.org
Resolved	BBlack	T132812 Sort out letsencrypt puppetization for simple public hosts

Event Timeline

BBlack created this task.Apr 12 2016, 10:21 PM

Restricted Application added a project: SRE. · View Herald TranscriptApr 12 2016, 10:21 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

BBlack added a parent task: T40516: Enable HSTS on Wikimedia sites.Apr 12 2016, 10:21 PM

Dzahn mentioned this in T132543: enable HSTS on *.planet.wikimedia.org.Apr 13 2016, 5:09 AM

Poyekhali triaged this task as Medium priority.Apr 13 2016, 5:12 AM

Audit Data

Methodology:

The starting point is our raw DNS zone data for wikimedia.org on our authdns servers. I filtered down from the raw data for:

only hostnames which have A or CNAME records (and specifically not geoip!foo, which is for our cache clusters which are covered in other tickets)
removed obvious LVS servers
removed obvious network gear (e.g. cr1-*, etc)
removed all entries in subdomains eqiad, codfw, esams, ulsfo, and frdev (clearly not public service hostnames and/or can be worked around)
the remaining hostnames were filtered for those that actually respond to public traffic on ports 80 and/or 443

Then the data is split into two sets for clarity. The first group I'm calling "servers" - they're public hostnames which respond on port 80, but the HTTP[S] domainnames they serve are not their own hostnames - they're just the hosts on which other service hostnames reside. The second group is actual service hostnames which are accessible over HTTP[S] legitimately.

Servers:

Not important to audit directly (in hostname terms), they're only really listed for reference as we audit the actual service hostnames below.

Of particular note are the following issues/oddities not directly blocking this ticket:

gallium and californium seem to only be webservers for services behind cache_misc, and thus could probably be moved to our internal networks if they don't need direct outside access for some other reason.
ms1001 seems to duplicate dataset1001 functionality, but dataset1001 is the one actually in use?
fundraising-eqiad seems to alias barium, and may just be a virtual name for the same
the labtestweb2001 and labtestcontrol2001 hosts serve some broken-ish things, but probably don't matter at this time

hostname	Notes
barium	server for civicrm? (fundraising!)
californium	server for horizon (cache_misc)
carbon	server for mirrors, apt, and ubuntu
dataset1001	server for download (cache_text), dumps (direct)
fermium	server for lists
frdata-eqiad	server for frdata
fundraising-eqiad	server for civicrm? (fundraising!)
gallium	server for doc (cache_misc), integration (cache_misc)
labtestweb2001	server for labtesthorizon (nxdomain) and labtestwikitech
labtestcontrol2001	server for puppetmaster.wikimedia.org (nxdomain)?
magnesium	server for rt
ms1001	claims server for dumps/download like dataset1001?
neon	server for icinga and tendril
netmon1001	server for librenms, servermon, smokeping, and torrus
radium	server for tor-eqiad-1
silver	server for wikitech
titanium	server for archiva
uranium	server for ganglia
ytterbium	server for gerrit

Services:

hostname	HTTPS	HTTP-redirected	HSTS	Notes / Minor Issues
ripe-atlas-eqiad	Yes	No	No	HTTPS cert is for XXX.anchors.atlas.ripe.net
ripe-atlas-codfw	Yes	No	No	HTTPS cert is for XXX.anchors.atlas.ripe.net
ripe-atlas-ulsfo	Yes	No	No	HTTPS cert is for XXX.anchors.atlas.ripe.net
dumps	Yes	Yes	None
lists	Yes	Yes	1y
apt	No	No	None	server:carbon
archiva	Yes	Yes	None
pinkunicorn	Yes	Yes	1y
eventdonations	Yes	Yes	None	3rd party, redir=302
benefactorevents	Yes	Yes	None	3rd party, redir=302, and http redir is to https on another domain...
frdata	Yes	No	None
labtest-puppetmaster-codfw	No	No	No	Port 443 listens, but "Unknown SSL protocol error..."
gerrit	Yes	Yes	1y	redir=302
icinga	Yes	Yes	1y	redir=302
librenms	Yes	Yes	None
payments	Yes	Yes*	180d	No HTTP port 80 at all
payments-listener	Yes	Yes*	180d	No HTTP port 80 at all
policy	Yes	Yes	1y/sub/preload	HSTS jumps the gun here (do not submit), 3rd party
rt	Yes	Yes	1y
civicrm	Yes	Yes	None
stream	Yes	No	None
blog	Yes	No	None	3rd party
fundraising	Yes	No	None	both protos do proto-rel redirects to //wikimediafoundation.org/wiki/Donate
ganglia	Yes	No	None
tendril	Yes	Yes	None	redir=302
store	Yes	No	None	3rd party
status	No	No	None	3rd party
tor-eqiad-1	Yes	No*	None	uses some tor-specific stuff for cert, no real chain to root, doesn't match hostname, etc
ubuntu	No	No	None	server:carbon
mirrors	No	No	None	server:carbon
wikitech	Yes	Yes	1y	redir=302
wikitech-static	Yes	Yes	1y	redir=302
labtestwikitech	Yes	Yes	1y	invalid self-signed cert for CN="Andrew Bogott"

While we should fix all of these issues in the long term (they should all be 301->https on the same domain, should all emit HSTS, etc), we should focus on the most-basic issue first: So long as there are entries on this list which do not support a working HTTPS listener at all, and which users might visit with HSTS-enabled browsers and care about, we can't turn on HSTS-preload for all of wikimedia.org, as it would black out those sites.

From the above, these are the sites with basic HTTPS issues:

hostname	notes
ripe-atlas-eqiad	bad cert, probably ignorable
ripe-atlas-codfw	bad cert, probably ignorable
ripe-atlas-ulsfo	bad cert, probably ignorable
tor-eqiad-1	bad cert, probably ignorable
labtestwikitech	bad cert, probably not important
labtest-puppetmaster-codfw	SSL listener broken, probably not important
apt	host is carbon, no HTTPS at all
ubuntu	host is carbon, no HTTPS at all
mirrors	host is carbon, no HTTPS at all
status	3rd-party (watchmouse), no HTTPS at all

As for the rest of the work, IMHO we should re-purpose the wiki tracking page at https://wikitech.wikimedia.org/wiki/HTTPS/domains to cover longer-term progress on the rest of these issues and leave this ticket open until we get them all resolved. We can remove the ones with standard cache termination (text, upload, misc, maps) because they're easily enumerated and dealt with elsewhere and will be enforced consistently by the code for the cache clusters, and expand that table with the new entries from the audit above, etc.

In the long run we're going to have to do better about documenting every new HTTP[s] service hostname that's running independently of the cache clusters (and its justification for doing so...) so we can maintain monitoring/auditing of them all going forward. I worry about new services with bad configs slipping through the cracks before we even finish cleaning up the existing ones at this rate.

In T132521#2202254, @BBlack wrote:

As for the rest of the work, IMHO we should re-purpose the wiki tracking page at https://wikitech.wikimedia.org/wiki/HTTPS/domains to cover longer-term progress on the rest of these issues and leave this ticket open until we get them all resolved. We can remove the ones with standard cache termination (text, upload, misc, maps) because they're easily enumerated and dealt with elsewhere and will be enforced consistently by the code for the cache clusters, and expand that table with the new entries from the audit above, etc.

Agreed! Please feel free to edit that table.

BBlack mentioned this in T104681: HTTPS Plans (tracking / high-level info).Apr 13 2016, 6:21 PM

BBlack added a parent task: T104681: HTTPS Plans (tracking / high-level info).Apr 14 2016, 1:25 PM

BBlack added a subtask: T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org.Apr 14 2016, 1:27 PM

BBlack mentioned this in T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org.

BBlack added a subtask: T34796: status.wikimedia.org has no (valid) HTTPS.Apr 14 2016, 1:30 PM

BBlack mentioned this in T133149: Move californium to an internal host?.Apr 20 2016, 1:59 PM

BBlack mentioned this in T133150: Move gallium to an internal host?.

I've started refactoring https://wikitech.wikimedia.org/wiki/HTTPS/domains - it now has the merged data from the above, columns changed, etc. I'm not done with auditing (much less fixing) everything. In the long run, we probably want to move away from having to re-audit these all the time, and instead build a process around approving new HTTP[S] services in production domains before they get added to DNS.

Change 284502 had a related patch set uploaded (by BBlack):
Add HSTS=1y to several one-off public services

https://gerrit.wikimedia.org/r/284502

gerritbot added a project: Patch-For-Review.Apr 20 2016, 6:24 PM

Change 284502 merged by BBlack:
Add HSTS=1y to several one-off public services

https://gerrit.wikimedia.org/r/284502

I've missed some meta-tracking (putting bug refs on patches, etc), but status update:

I've fixed all the trivial low-hanging fruit, adding HSTS to several sites, fixing a few minor config/cert issues along the way, etc, and completed a basic audit of them all with the data in https://wikitech.wikimedia.org/wiki/HTTPS/domains

Lots of minor issues remain, but the next easy-ish priorities are:

ganglia.wm.o doesn't redirect
wikitech-static doesn't include a necessary chain cert
several sites redirect with 302 instead of 301
several sites lack "robust" forward secrecy (the ones marked FS:WMB) - for many of them that are on our servers and hosted with apache, T133217 will probably lead to fixing them all en-masse.

And then of course there's status.wikimedia.org, which is the lone real deal-breaker left for STS-preload of wikimedia.org :(

One more thing I didn't note above:

stream.wm.o lacks HSTS on fetch of /, because that's a 404 and nginx doesn't apply add_header to [45]xx...

Change 284760 had a related patch set uploaded (by BBlack):
stream.wm.o: rewrite / => /rcstream_status

https://gerrit.wikimedia.org/r/284760

Change 284803 had a related patch set uploaded (by BBlack):
ganglia web: HTTP->HTTPS redir

https://gerrit.wikimedia.org/r/284803

Change 284811 had a related patch set uploaded (by BBlack):
gerrit web: use 301 for https redir

https://gerrit.wikimedia.org/r/284811

Change 284812 had a related patch set uploaded (by BBlack):
icinga web: use 301 for https redir

https://gerrit.wikimedia.org/r/284812

Change 284813 had a related patch set uploaded (by BBlack):
wikitech: use 301 for https redir

https://gerrit.wikimedia.org/r/284813

Change 284814 had a related patch set uploaded (by BBlack):
tendril: use 301 for https redir

https://gerrit.wikimedia.org/r/284814

Change 284811 merged by BBlack:
gerrit web: use 301 for https redir

https://gerrit.wikimedia.org/r/284811

Change 284812 merged by BBlack:
icinga web: use 301 for https redir

https://gerrit.wikimedia.org/r/284812

Change 284813 merged by BBlack:
wikitech: use 301 for https redir

https://gerrit.wikimedia.org/r/284813

Change 284814 merged by BBlack:
tendril: use 301 for https redir

https://gerrit.wikimedia.org/r/284814

Change 284817 had a related patch set uploaded (by BBlack):
librenms: use chain cert correctly

https://gerrit.wikimedia.org/r/284817

BBlack created subtask T133360: Fix wikitech-static TLS config.Apr 21 2016, 10:13 PM

Krenair closed subtask T133360: Fix wikitech-static TLS config as Resolved.Apr 21 2016, 11:43 PM

Change 284803 merged by BBlack:
ganglia web: HTTP->HTTPS redir

https://gerrit.wikimedia.org/r/284803

Change 284817 merged by BBlack:
librenms: use chain cert correctly

https://gerrit.wikimedia.org/r/284817

BBlack mentioned this in T70528: stream.wikimedia.org - redirect http(s) to docs.Apr 24 2016, 4:18 PM

BBlack closed subtask T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org as Resolved.Apr 26 2016, 4:04 PM

In T132521#2202415, @Chmarkine wrote:

In T132521#2202254, @BBlack wrote:

As for the rest of the work, IMHO we should re-purpose the wiki tracking page at https://wikitech.wikimedia.org/wiki/HTTPS/domains to

Agreed! Please feel free to edit that table.

There is also https://wikitech.wikimedia.org/wiki/Httpsless_domains let's somehow merge that?

Change 284760 merged by Ori.livneh:
stream.wm.o: rewrite / => /rcstream_status

https://gerrit.wikimedia.org/r/284760

In T132521#2241038, @Dzahn wrote:

In T132521#2202415, @Chmarkine wrote:

In T132521#2202254, @BBlack wrote:

As for the rest of the work, IMHO we should re-purpose the wiki tracking page at https://wikitech.wikimedia.org/wiki/HTTPS/domains to

Agreed! Please feel free to edit that table.

There is also https://wikitech.wikimedia.org/wiki/Httpsless_domains let's somehow merge that?

Yeah, I'd like to expand HTTPS/domains further and add back the data we've had in the past (including past versions of itself), but in separate tables since they're distinct problems to solve (e.g. wmflabs.org issues and such. maybe the server-only-hostname issues too).

BBlack added a subtask: T128559: Enable HSTS on store.wikimedia.org for HTTPS.Apr 27 2016, 1:22 PM

BBlack closed subtask T34796: status.wikimedia.org has no (valid) HTTPS as Resolved.Jun 2 2016, 10:48 PM

BBlack added a subtask: T137161: Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains.Jun 6 2016, 10:54 PM

BBlack mentioned this in T40516: Enable HSTS on Wikimedia sites.Jun 14 2016, 10:04 PM

BBlack created subtask T137915: stream.wikimedia.org doesn't redirect to HTTPS.Jun 15 2016, 6:43 PM

BBlack added a subtask: T140128: HTTPS-only for stream.wikimedia.org.Jul 12 2016, 4:50 PM

When this work is done, protocol-relative URLs should be declared as deprecated for wikitext.
As of today there are no advantages for this syntax in wikitext, but it makes a lot of workflows, scripts and tools more complicated than necessary.

It will take years, untill all "//bla.foo" Links get fixed, so it should be declared as soon as possible.

In T132521#2454408, @Boshomi wrote:

When this work is done, protocol-relative URLs should be declared as deprecated for wikitext.
As of today there are no advantages for this syntax in wikitext, but it makes a lot of workflows, scripts and tools more complicated than necessary.

It will take years, untill all "//bla.foo" Links get fixed, so it should be declared as soon as possible.

Did we ever make that an official recommendation anywhere?

Short of breaking some of the httpsless domains (linked above on wikitech), there's no reason one should still be using them. Notably, linking to the wikis definitely doesn't need to and has been useless since we went https-only awhile ago.

Where would such an deprecation be announced? I would think it's more of a matter of updating style guides on the issue, if they exist.

In T132521#2454541, @demon wrote:

Where would such an deprecation be announced? I would think it's more of a matter of updating style guides on the issue, if they exist.

you can to this in https://meta.wikimedia.org/wiki/Tech/News together with one of the commits of this task.

if the protocol relative links are declared as deprecated, it would help editors to remove it.

In T132521#2454541, @demon wrote:

Did we ever make that an official recommendation anywhere?

I think we pushed the interface messages in that direction, when the HTTP vs Secure experiences were widely separate, after we started pushing people to HTTPS it wasn't as widely needed.

We probably have to be a little bit careful about broad "https all the things everywhere" sorts of efforts at this point in time. The bulk of our internal, private service endpoints are still HTTP-only. Internal, inter-service traffic may follow links as well, and may be broken if they're all explicitly https when the actual internal connection they're using is not https-capable. There are tasks around implementing HTTPS for all internal service traffic as well, but we haven't even finished tackling the basics on these, such as setting up processes around internal certificates signed by our internal CA, etc.

Peachey88 unsubscribed.Jul 14 2016, 10:08 PM

BBlack removed a subtask: T140128: HTTPS-only for stream.wikimedia.org.Jul 20 2016, 12:28 AM

Sub-tasks updated to be in sync with latest audit data. Primary issues here are the open tasks for store, blog, and the FR hosts.

BBlack moved this task from Backlog to TLS on the Traffic board.Sep 30 2016, 1:48 PM

BBlack closed subtask T105905: Switch blog to HTTPS-only as Resolved.Jan 26 2017, 3:03 PM

Jgreen closed subtask T137161: Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains as Resolved.Jun 28 2017, 12:27 PM

Jgreen reopened subtask T137161: Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains as Open.Jun 28 2017, 12:29 PM

Jgreen added a parent task: Restricted Task.Jul 10 2017, 1:15 PM

Jgreen removed a parent task: Restricted Task.

Jgreen added a subtask: Restricted Task.

Jgreen closed subtask T137161: Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains as Resolved.Jul 10 2017, 1:21 PM

BBlack reopened subtask T137161: Fix nits in HTTPS/HSTS configs in externally-hosted fundraising domains as Open.Jul 10 2017, 3:57 PM

BBlack removed a subtask: Restricted Task.Jul 11 2017, 4:26 PM

Resolving this and moving the last remaining ticket up the tree as a direct child of the tracker. There's no point having a sub-category for one thing.

Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster terminationClosed, ResolvedPublicActions