
Force HTTPS use in PAWS
Closed, Resolved | Public

Description

Force redirection to https in PAWS.

Event Timeline

Mentioned in SAL (#wikimedia-cloud) [2018-06-16T19:27:02Z] <chicocvenancio> edited nginx-proxy-config configMap to add redirect to https based on x_forwarded_proto header T197248

Adding

location-snippet: |
  if ($http_x_forwarded_proto = "http") {
    return 301 https://paws-beta.wmflabs.org$request_uri;
  }

to the nginx-proxy-config is enough to achieve this in PAWS-beta. Opened an issue upstream to get this automated in the Helm chart.

In the PAWS outage that gave rise to T195217, I set the nodePort directly to the chp container, bypassing the nginx container for PAWS. To allow the above snippet to work in PAWS, I need to move the NodePort from the chp container to the nginx one; this may bring a brief downtime. To prevent paging several Cloud-Services team members, I'll wait until someone schedules downtime for PAWS in Icinga.

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:00:39Z] <chicocvenancio> changing proxy-http service back to ClusterIP T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:03:39Z] <chicocvenancio> moved proxy-public service to port 32611 T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:06:58Z] <chicocvenancio> adding location-snippet to nginx-proxy-config configmap to force https T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:18:03Z] <chicocvenancio> removed location-snippet from nginx-proxy-config configmap T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:39:01Z] <chicocvenancio> edited paws-proxy-01 to pass http_x_forwarded_proto as it receives T197248

Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:39:17Z] <chicocvenancio> added location-snippet to nginx-proxy-config configmap T197248

PAWS is now HTTPS only. This was configured in a way compatible with the proposed changes in T195217.
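
Added example, not part of the task or of the PAWS configuration: a small Python model of the location-snippet rule above, showing why a proxy in front of nginx has to forward X-Forwarded-Proto unchanged for the redirect to behave. It assumes a TLS-terminating edge sets the header from the client scheme and that inner hops speak plain HTTP; the hop behaviours ("pass", "overwrite", "drop"), the function names and the sample path are hypothetical.

```python
"""Model of the location-snippet redirect behind a chain of proxies (illustrative)."""

REDIRECT_BASE = "https://paws-beta.wmflabs.org"  # host taken from the snippet on this page


def header_at_backend(client_scheme, hops):
    """Return the X-Forwarded-Proto value nginx sees after the given inner hops.

    Assumption: the edge terminates TLS and sets the header from the client
    scheme; every inner hop receives plain HTTP and either passes the header
    through, overwrites it with its own inbound scheme, or drops it.
    """
    value = client_scheme
    for behaviour in hops:
        if behaviour == "pass":
            continue
        if behaviour == "overwrite":
            value = "http"  # an inner hop only ever sees plain HTTP
        elif behaviour == "drop":
            value = None
        else:
            raise ValueError(f"unknown hop behaviour: {behaviour!r}")
    return value


def snippet_response(forwarded_proto, request_uri):
    """Mirror the snippet: 301 to HTTPS only when the header equals "http"."""
    if forwarded_proto == "http":
        return 301, REDIRECT_BASE + request_uri
    return 200, None


def classify(hops, request_uri="/example"):  # constructed sample path
    """Describe what clients experience for a given chain of inner hops."""
    http_status, _ = snippet_response(header_at_backend("http", hops), request_uri)
    https_status, _ = snippet_response(header_at_backend("https", hops), request_uri)
    if https_status == 301:
        return "redirect loop"  # HTTPS requests are redirected to themselves
    if http_status != 301:
        return "http not redirected"
    return "https enforced"


if __name__ == "__main__":
    for chain in (["pass"], ["overwrite"], ["drop"]):
        print(chain, "->", classify(chain))
```
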