Page MenuHomePhabricator
Create Task
Maniphest T132685

Preload STS for wikimedia.org
Closed, ResolvedPublic
Actions

Description

This is the last of our major domains (aside from trivial issues with wmfusercontent.org) not in the STS-preload list. There are a few blockers to resolve first, though!

Details

SubjectRepoBranchLines +/-
Set includeSub/preload for wikimedia.org in VCLoperations/puppetproduction+2 -7
ssl_ciphersuite: standardize STS preloadoperations/puppetproduction+35 -34
Remove TLS bits from internal sites behind cache_miscoperations/puppetproduction+10 -147
Customize query in gerrit

Related Objects
Search...

Event Timeline

BBlack created this task.Apr 14 2016, 1:44 PM
BBlack added subtasks: T34796: status.wikimedia.org has no (valid) HTTPS, T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org.
Poyekhali subscribed.Apr 15 2016, 2:29 AM
BBlack added a comment.Apr 15 2016, 7:04 PM

Note that T132450 is already resolved in practice. The ticket is just still open because we need to puppetize decent administration of the solution before the certs expire 90 days from now or the box's disks die, etc.

That leaves just the http://status.wikimedia.org/ issue in T34796 blocking wikimedia.org STS-preload AFAIK (everything else in wikimedia.org that matters at all should already at least have basic HTTPS working).

BBlack closed subtask T132450: enable https for (ubuntu|apt|mirrors).wikimedia.org as Resolved.Apr 26 2016, 4:04 PM
BBlack closed subtask T34796: status.wikimedia.org has no (valid) HTTPS as Resolved.Jun 2 2016, 10:48 PM
BBlack added a comment.Jun 2 2016, 10:58 PM

We're now basically in shape to do this. I'd like to wait a few days and see how https://status.wikimedia.org/ works out first. Then we can start running through and setting preload and includeSub on our HSTS headers (both for the standard clusters, and also whatever we can from the list in https://wikitech.wikimedia.org/wiki/HTTPS/domains ), and then submit for list inclusion.

gerritbot added a comment.Jun 6 2016, 2:20 PM

Change 292928 had a related patch set uploaded (by BBlack):
Remove TLS bits from internal sites behind cache_misc

https://gerrit.wikimedia.org/r/292928

gerritbot added a project: Patch-For-Review.Jun 6 2016, 2:20 PM

Change 292929 had a related patch set uploaded (by BBlack):
ssl_ciphersuite: standardize STS preload

https://gerrit.wikimedia.org/r/292929

gerritbot added a comment.Jun 6 2016, 2:20 PM

Change 292930 had a related patch set uploaded (by BBlack):
Set includeSub/preload for wikimedia.org in VCL

https://gerrit.wikimedia.org/r/292930

gerritbot added a comment.Jun 6 2016, 2:43 PM

Change 292928 merged by BBlack:
Remove TLS bits from internal sites behind cache_misc

https://gerrit.wikimedia.org/r/292928

BBlack mentioned this in rOPUPd43c205fd48c: Remove TLS bits from internal sites behind cache_misc.Jun 6 2016, 2:46 PM
gerritbot added a comment.Jun 6 2016, 6:44 PM

Change 292929 merged by BBlack:
ssl_ciphersuite: standardize STS preload

https://gerrit.wikimedia.org/r/292929

gerritbot added a comment.Jun 6 2016, 6:45 PM

Change 292930 merged by BBlack:
Set includeSub/preload for wikimedia.org in VCL

https://gerrit.wikimedia.org/r/292930

BBlack mentioned this in rOPUP004a63bc3bef: ssl_ciphersuite: standardize STS preload.Jun 6 2016, 6:46 PM
BBlack mentioned this in rOPUPd1df37ea7cb4: Set includeSub/preload for wikimedia.org in VCL.Jun 6 2016, 6:49 PM
BBlack closed this task as Resolved.Jun 6 2016, 10:55 PM

This is submitted for preload now (which takes an agonizingly long and unpredictable time to reach the chrome list and then browsers...)

BBlack mentioned this in rOPUPf95d0b0d9eab: ssl_ciphersuite: standardize STS preload.Jun 17 2016, 6:06 PM
BBlack mentioned this in rOPUP6db4515273f0: Set includeSub/preload for wikimedia.org in VCL.
BBlack mentioned this in rOPUP9c7d001e9f79: ssl_ciphersuite: standardize STS preload.
BBlack mentioned this in rOPUPbd407d1b9282: Set includeSub/preload for wikimedia.org in VCL.
BBlack mentioned this in rOPUPe57c7f98af73: ssl_ciphersuite: standardize STS preload.
BBlack mentioned this in rOPUP7f0191a895a2: Set includeSub/preload for wikimedia.org in VCL.
BBlack mentioned this in rOPUPf01b4f69671d: ssl_ciphersuite: standardize STS preload.
BBlack mentioned this in rOPUP6b4ae02299fb: Set includeSub/preload for wikimedia.org in VCL.
BBlack mentioned this in rOPUP346a85269f29: Remove TLS bits from internal sites behind cache_misc.
BBlack mentioned this in rOPUP185bb1850ac3: Remove TLS bits from internal sites behind cache_misc.
BBlack mentioned this in rOPUP4b8000056601: ssl_ciphersuite: standardize STS preload.
BBlack mentioned this in rOPUP42cdc5a39bac: ssl_ciphersuite: standardize STS preload.
BBlack mentioned this in rOPUP2aa40b69efb9: Set includeSub/preload for wikimedia.org in VCL.
BBlack mentioned this in rOPUPed4017bdd0a4: Set includeSub/preload for wikimedia.org in VCL.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits