Force redirection to https in PAWS.
Description
Related Objects
- Mentioned In
- T195217: Simplify ingress methods for PAWS
- Mentioned Here
- T195217: Simplify ingress methods for PAWS
Event Timeline
Mentioned in SAL (#wikimedia-cloud) [2018-06-16T19:27:02Z] <chicocvenancio> edited nginx-proxy-config configMap to add redirect to https based on x_forwarded_proto header T197248
Adding
location-snippet: | if ($http_x_forwarded_proto = "http") { return 301 https://paws-beta.wmflabs.org$request_uri; }
to the nginx-proxy-config is enough to achieve this in PAWS-beta. Opened an issue upstream to get this automated in the Helm chart.
In the PAWS outage that gave rise to T195217, I set the nodePort directly to the chp container, bypassing the nginx container for PAWS. To allow the above snippet to work in PAWS I need to move the NodePort from the chp container to the nginx one, this may bring a brief downtime. To prevent paging to several Cloud-Services team members I'll wait until someone schedules downtime for PAWS in Icinga.
Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:00:39Z] <chicocvenancio> changing proxy-http service back to ClusterIP T197248
Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:03:39Z] <chicocvenancio> moved proxy-public service to port 32611 T197248
Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:06:58Z] <chicocvenancio> adding location-snippet to nginx-proxy-config configmap to force https T197248
Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:18:03Z] <chicocvenancio> removed location-snippet from nginx-proxy-config configmap T197248
Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:39:01Z] <chicocvenancio> edited paws-proxy-01 to pass http_x_forwarded_proto as it receives T197248
Mentioned in SAL (#wikimedia-cloud) [2018-06-20T17:39:17Z] <chicocvenancio> added location-snippet to nginx-proxy-config configmap T197248
PAWS now is https only. This was configured in way compatible with the proposed changes in T195217