
Enable TLS termination on the MediaWiki clusters
Closed, Resolved, Public

Description

In order to enable TLS termination on the appservers, we need to configure tlsproxy to work on the appservers. Since we don't want to expose our own public TLS certs on the appservers, we need to be able to sign a certificate similar to our unified one for each of the backend clusters, which should include the FQDN of the cluster (e.g. appservers.svc.eqiad.wmnet) as the common name and all our domains and wildcards as SANs.
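
The certificate shape described above (cluster FQDN as common name, the served domains and wildcards as SANs) can be built as a CSR and checked before signing with plain `openssl`. This is an added example, not the task's code or Wikimedia's puppet-wildcardsign; the function names and the `example.org`/`example.net` names are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not Wikimedia's puppet-wildcardsign. Domain names are constructed.
set -eu; umask 077   # umask keeps key.pem readable by the owner only

# make_cluster_csr <cluster-fqdn> <outdir> <san>...
# Writes key.pem and req.csr to <outdir>: CN is the cluster FQDN, every
# remaining argument becomes a DNS subjectAltName.
make_cluster_csr() {
    cn="$1"; dir="$2"; shift 2
    sans=""
    for name in "$@"; do sans="${sans:+${sans},}DNS:${name}"; done
    cat > "${dir}/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = ${cn}
[ext]
subjectAltName = ${sans}
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "${dir}/key.pem"
    openssl req -new -key "${dir}/key.pem" -config "${dir}/req.cnf" \
        -out "${dir}/req.csr"
}

# Print the CSR's common name (accepts "CN=x" and "CN = x" output styles).
csr_cn() { openssl req -in "$1" -noout -subject | sed -E 's/.*CN ?= ?//'; }

# Print the CSR's DNS SANs, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# missing_sans <csr> <required-name>...: print required names the CSR lacks.
missing_sans() {
    csr="$1"; shift
    have="$(csr_sans "$csr")"
    for name in "$@"; do
        printf '%s\n' "$have" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Demo: the SAN list stands in for the real set of domains and wildcards.
demo_dir="$(mktemp -d)"
make_cluster_csr appservers.svc.eqiad.wmnet "$demo_dir" '*.example.org' example.org
echo "CN:   $(csr_cn "$demo_dir/req.csr")"
echo "SANs: $(csr_sans "$demo_dir/req.csr" | tr '\n' ' ')"
echo "Missing: $(missing_sans "$demo_dir/req.csr" example.org '*.example.net')"
```

Running `missing_sans` against the list of names the public unified certificate covers shows, before signing, any domain the backend certificate would fail to serve.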

Event Timeline

Joe created this task. Dec 13 2016, 8:02 AM
Joe moved this task from Backlog to Doing on the User-Joe board. Dec 13 2016, 9:59 AM

Change 326910 had a related patch set uploaded (by Giuseppe Lavagetto):
puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert

https://gerrit.wikimedia.org/r/326910

Change 326910 merged by Giuseppe Lavagetto:
puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert

https://gerrit.wikimedia.org/r/326910

Change 326921 merged by Giuseppe Lavagetto:
ssl: add public TLS certs for mw clusters

https://gerrit.wikimedia.org/r/326921

Change 327164 had a related patch set uploaded (by Giuseppe Lavagetto):
role::mediawiki::webserver: add hack to allow installing nginx

https://gerrit.wikimedia.org/r/327164

Change 327164 merged by Giuseppe Lavagetto:
role::mediawiki::webserver: add hack to allow installing nginx

https://gerrit.wikimedia.org/r/327164

ema moved this task from Triage to TLS on the Traffic board. Dec 14 2016, 3:59 PM

Change 327493 had a related patch set uploaded (by Giuseppe Lavagetto):
mediawiki: add https endpoints for all web clusters in codfw

https://gerrit.wikimedia.org/r/327493

Change 327493 merged by Giuseppe Lavagetto:
mediawiki: add https endpoints for all web clusters in codfw

https://gerrit.wikimedia.org/r/327493

hashar removed a subscriber: hashar. Dec 15 2016, 3:30 PM

Mentioned in SAL (#wikimedia-operations) [2016-12-15T20:13:22Z] <_joe_> restarting pybal low-traffic in eqiad to pick up new TLS endpoints for appservers, T153042

Joe closed this task as Resolved. Dec 15 2016, 8:17 PM