Requests to MW 404 when on HTTPS
Closed, ResolvedPublic

Description

As part of the switch-over effort (cf. T199073: Perform a datacenter switchover (2018-19 Q1)), we are moving to encrypted connections to MediaWiki. Unfortunately, Proton's Chromium has a problem with our TLS CA, so it was instructed to ignore HTTPS protocol errors. Alas, this causes Chromium to receive 404s from MW:

_status: 404,
_url: 'https://api-rw.discovery.wmnet/w/index.php?title=Foo',
_fromDiskCache: false,
_fromServiceWorker: false,
_headers: 
 { status: '404',
   date: 'Tue, 28 Aug 2018 10:41:30 GMT',
   'content-type': 'text/html',
   'content-length': '930',
   server: 'mw1348.eqiad.wmnet',
   'last-modified': 'Tue, 17 Jul 2018 17:07:05 GMT',
   etag: '"3a2-57134f9c13cba"',
   'accept-ranges': 'bytes',
   'backend-timing': 'D=337 t=1535452890761446' },
_securityDetails: 
 SecurityDetails {
   _subjectName: 'api.svc.eqiad.wmnet',
   _issuer: 'Puppet CA: palladium.eqiad.wmnet',
   _validFrom: 1490711956,
   _validTo: 1648478356,
   _protocol: 'TLS 1.2' } }

I am not yet positive, but it seems that Chromium does not send the Host header, even though it's available in its request context:

Request {
  _requestId: '4A4EE83A1C289A5BAB65BDB7B81C2E13',
  _isNavigationRequest: true,
  _interceptionId: null,
  _allowInterception: false,
  _interceptionHandled: false,
  _response: [Circular],
  _failureText: null,
  _url: 'https://api-rw.discovery.wmnet/w/index.php?title=Foo',
  _resourceType: 'document',
  _method: 'GET',
  _postData: undefined,
  _headers: 
   { 'upgrade-insecure-requests': '1',
     'user-agent': 'Proton/WMF',
     'x-devtools-emulate-network-conditions-client-id': '3477EFE499310F132D0CFBE83115E8F3',
     host: 'en.wikipedia.org',
     'x-subdomain': '' } }

For the time being, we have Proton using the HTTP endpoint, but a solution needs to be found here.

Apart from finding a way to force Chromium to use our CA, two other possible solutions we might want to consider are:

  • Use MW in the local DC. Proton only ever asks for the HTML contents of a page, so it performs read-only requests. It is thus safe to use MW from the local DC, which would alleviate the need for using TLS.
  • Pass through nginx/Varnish when requesting the HTML. That is, instead of calling https://api-rw.discovery.wmnet, use https://{domain}/. This would ensure the proper certificates are downloaded, but causes indirections and makes the request chain more complex.
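An added example, not Proton's code and not attached to this task: a per-fetch audit that is the kind of compensating check one would run instead of blanket-ignoring HTTPS errors until Chromium trusts the internal CA. It works on plain objects shaped like the Request and Response dumps above (constructed sample data copied from those dumps; real Puppeteer exposes the same fields through `response.securityDetails()` and `request.headers()`, so a caller would adapt the accessors). It flags a certificate whose issuer is not the expected internal CA, an unexpected subject name, a certificate outside its validity window, an unacceptable protocol, and the symptom described in the task: a 404 on a request whose Host header was overridden to a different domain, which is consistent with the Host header not having reached the backend. The `auditFetch` and `auditSample` names, the `samplePolicy` contents and the `observedAt` parameter are assumptions made for the example.

```javascript
'use strict';

// Constructed sample data: object shapes mirror the Puppeteer Request and
// Response dumps in the task description (values copied from those dumps).
const sampleRequest = {
  url: 'https://api-rw.discovery.wmnet/w/index.php?title=Foo',
  method: 'GET',
  headers: {
    'upgrade-insecure-requests': '1',
    'user-agent': 'Proton/WMF',
    host: 'en.wikipedia.org',
    'x-subdomain': '',
  },
};

const sampleResponse = {
  status: 404,
  url: 'https://api-rw.discovery.wmnet/w/index.php?title=Foo',
  headers: { server: 'mw1348.eqiad.wmnet', 'content-type': 'text/html' },
  securityDetails: {
    subjectName: 'api.svc.eqiad.wmnet',
    issuer: 'Puppet CA: palladium.eqiad.wmnet',
    validFrom: 1490711956,
    validTo: 1648478356,
    protocol: 'TLS 1.2',
  },
};

// Assumed policy (not from the task): the internal CA the service must present,
// the subject names it is known to use, and the protocols considered acceptable.
const samplePolicy = {
  trustedIssuers: ['Puppet CA: palladium.eqiad.wmnet'],
  allowedSubjects: ['api.svc.eqiad.wmnet'],
  acceptedProtocols: ['TLS 1.2', 'TLS 1.3'],
};

// Audit one fetch and return a list of findings (empty when everything is fine).
// `observedAt` is a Unix timestamp in seconds, passed in so the check is
// deterministic; a real caller would pass Math.floor(Date.now() / 1000).
function auditFetch(request, response, policy, observedAt) {
  const findings = [];
  const url = new URL(request.url);
  const urlHost = url.hostname.toLowerCase();
  const hostHeader = (request.headers.host || '').toLowerCase();

  if (url.protocol === 'https:') {
    const det = response.securityDetails;
    if (!det) {
      findings.push('https response carries no TLS details');
    } else {
      if (!policy.trustedIssuers.includes(det.issuer)) {
        findings.push(`certificate issuer not trusted: "${det.issuer}"`);
      }
      if (!policy.allowedSubjects.includes(det.subjectName)) {
        findings.push(`unexpected certificate subject "${det.subjectName}" for ${urlHost}`);
      }
      if (observedAt < det.validFrom || observedAt > det.validTo) {
        findings.push('certificate outside its validity window');
      }
      if (!policy.acceptedProtocols.includes(det.protocol)) {
        findings.push(`unacceptable protocol: ${det.protocol}`);
      }
    }
  }

  // The symptom from the description: a Host override to another domain that is
  // answered with 404 is consistent with the Host header never reaching MW.
  if (hostHeader && hostHeader !== urlHost && response.status === 404) {
    findings.push(`404 on ${urlHost} with Host override "${hostHeader}": Host header may not have reached the backend`);
  }

  return findings;
}

// Runs the audit over the constructed sample at the time the dump was taken
// (1535452890 is the backend-timing t= value from the dump, in seconds).
function auditSample() {
  return auditFetch(sampleRequest, sampleResponse, samplePolicy, 1535452890);
}

console.log(auditSample());
```

Run with `node audit.js`; on the sample the certificate checks pass (trusted issuer, known subject, in validity, TLS 1.2) and the only finding is the 404-with-Host-override one. The check is a detector for the failure mode, not a fix: the fix is still to make Chromium trust the CA, or to use one of the two alternatives listed above.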

Event Timeline

mobrovac created this task.
Pchelolo subscribed.

Seems like it's been fixed, the only thing left to be done is to remove the hacky line from puppet.

https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/455565/ was that revert and has been merged back in 2018. So, should we resolve this?

mobrovac claimed this task.

Indeed all's good here.