Page MenuHomePhabricator
Create Task
Maniphest T153042

Enable TLS termination on the MediaWiki clusters
Closed, ResolvedPublic
Actions

Description

In order to do enable TLS termination on the appservers, we need to configure tlsproxy to work on the appservers. Since we don't want to expose our own public TLS certs on the appservers, we need to be able to sign a certificate similar to our unified one for each of the backend clusters, which should include the FQDN of the cluster (e.g. appservers.svc.eqiad.wmnet) as common name and all our domains and wildcards as SANs.

Details

SubjectRepoBranchLines +/-
mediawiki: add https endpoints for all web clusters in codfwoperations/puppetproduction+258 -154
role::mediawiki::webserver: add hack to allow installing nginxoperations/puppetproduction+15 -0
ssl: add public TLS certs for mw clustersoperations/puppetproduction+240 -0
puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacertoperations/puppetproduction+38 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Joe created this task.Dec 13 2016, 8:02 AM
Joe moved this task from Backlog to Doing on the User-Joe board.Dec 13 2016, 9:59 AM
gerritbot added a comment.Dec 13 2016, 10:00 AM

Change 326910 had a related patch set uploaded (by Giuseppe Lavagetto):
puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert

https://gerrit.wikimedia.org/r/326910

gerritbot added a project: Patch-For-Review.Dec 13 2016, 10:00 AM
gerritbot added a comment.Dec 13 2016, 10:40 AM

Change 326910 merged by Giuseppe Lavagetto:
puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert

https://gerrit.wikimedia.org/r/326910

gerritbot added a comment.Dec 13 2016, 3:02 PM

Change 326921 merged by Giuseppe Lavagetto:
ssl: add public TLS certs for mw clusters

https://gerrit.wikimedia.org/r/326921

fgiunchedi mentioned this in T150822: Internal PKI for secure communication - Barcelona Ops offsite 2016.Dec 13 2016, 6:29 PM
gerritbot added a comment.Dec 14 2016, 10:21 AM

Change 327164 had a related patch set uploaded (by Giuseppe Lavagetto):
role::mediawiki::webserver: add hack to allow installing nginx

https://gerrit.wikimedia.org/r/327164

gerritbot added a comment.Dec 14 2016, 10:43 AM

Change 327164 merged by Giuseppe Lavagetto:
role::mediawiki::webserver: add hack to allow installing nginx

https://gerrit.wikimedia.org/r/327164

ema moved this task from Backlog to TLS on the Traffic board.Dec 14 2016, 3:59 PM
gerritbot added a comment.Dec 15 2016, 1:15 PM

Change 327493 had a related patch set uploaded (by Giuseppe Lavagetto):
mediawiki: add https endpoints for all web clusters in codfw

https://gerrit.wikimedia.org/r/327493

gerritbot added a comment.Dec 15 2016, 3:25 PM

Change 327493 merged by Giuseppe Lavagetto:
mediawiki: add https endpoints for all web clusters in codfw

https://gerrit.wikimedia.org/r/327493

hashar unsubscribed.Dec 15 2016, 3:30 PM
Stashbot added a comment.Dec 15 2016, 8:13 PM

Mentioned in SAL (#wikimedia-operations) [2016-12-15T20:13:22Z] <_joe_> restarting pybal low-traffic in eqiad to pick up new TLS endpoints for appservers, T153042

Joe closed this task as Resolved.Dec 15 2016, 8:17 PM
BBlack merged a task: T109315: Enable HTTPS on internal MediaWiki appserver virtual service hostnames.Dec 16 2016, 4:57 AM
BBlack added subscribers: BBlack, Matanya, faidon.
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits