Maniphest T197248

Force HTTPS use in PAWS
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Chicocvenancio
	Jun 14 2018, 4:45 PM

Description

Force redirection to https in PAWS.

Related Objects

Mentioned In: T195217: Simplify ingress methods for PAWS
Mentioned Here: T195217: Simplify ingress methods for PAWS

Event Timeline

Chicocvenancio created this task.Jun 14 2018, 4:45 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 14 2018, 4:45 PM

Chicocvenancio triaged this task as High priority.Jun 14 2018, 4:46 PM

Chicocvenancio moved this task from Backlog to MVP (Most Valuable PAWS) on the PAWS (JupyterHub 0.9) board.Jun 16 2018, 12:58 PM

Mentioned in SAL (#wikimedia-cloud) [2018-06-16T19:27:02Z] <chicocvenancio> edited nginx-proxy-config configMap to add redirect to https based on x_forwarded_proto header T197248

Adding

location-snippet: |
  if ($http_x_forwarded_proto = "http") {
        return 301 https://paws-beta.wmflabs.org$request_uri;
    }

to the nginx-proxy-config is enough to achieve this in PAWS-beta. Opened an issue upstream to get this automated in the Helm chart.

Chicocvenancio mentioned this in T195217: Simplify ingress methods for PAWS.Jun 16 2018, 7:47 PM

In the PAWS outage that gave rise to T195217, I set the nodePort directly to the chp container, bypassing the nginx container for PAWS. To allow the above snippet to work in PAWS I need to move the NodePort from the chp container to the nginx one, this may bring a brief downtime. To prevent paging to several Cloud-Services team members I'll wait until someone schedules downtime for PAWS in Icinga.

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:00:39Z] <chicocvenancio> changing proxy-http service back to ClusterIP T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:03:39Z] <chicocvenancio> moved proxy-public service to port 32611 T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:06:58Z] <chicocvenancio> adding location-snippet to nginx-proxy-config configmap to force https T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:18:03Z] <chicocvenancio> removed location-snippet from nginx-proxy-config configmap T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:39:01Z] <chicocvenancio> edited paws-proxy-01 to pass http_x_forwarded_proto as it receives T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:39:17Z] <chicocvenancio> added location-snippet to nginx-proxy-config configmap T197248

PAWS now is https only. This was configured in way compatible with the proposed changes in T195217

• Vvjjkkii renamed this task from Force HTTPS use in PAWS to 7zaaaaaaaa.Jul 1 2018, 1:03 AM

• Vvjjkkii reopened this task as Open.

• Vvjjkkii removed Chicocvenancio as the assignee of this task.

• Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).

• Vvjjkkii updated the task description. (Show Details)

• Vvjjkkii removed a subscriber: Aklapper.

CommunityTechBot renamed this task from 7zaaaaaaaa to Force HTTPS use in PAWS.Jul 2 2018, 7:30 AM

CommunityTechBot closed this task as Resolved.

CommunityTechBot assigned this task to Chicocvenancio.

CommunityTechBot updated the task description. (Show Details)

CommunityTechBot removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.

CommunityTechBot added a subscriber: Aklapper.

Force HTTPS use in PAWSClosed, ResolvedPublicActions

Description

Related Objects

Event Timeline

Force HTTPS use in PAWS
Closed, ResolvedPublic
Actions