Applayer services without TLS
Open, Medium, Public

Description

The following application layer services have been defined in ATS as accessible only via plain HTTP. We should figure out whether they currently support TLS. If not, they should, to allow us to perform cross-DC HTTPS requests with ATS.

The list is in the format $origin_server - $websites and was generated with P7842.

Details

Related Gerrit Patches:
[operations/puppet@production] releases: close port 80 for caching servers.
[operations/puppet@production] ATS: switch doc.wikimedia.org to https to backend
[operations/puppet@production] doc: add envoy for TLS termination on doc1001
[operations/puppet@production] ssl: update cert for doc.discovery.wmnet to include doc.wikimedia.org
[operations/puppet@production] add certificate for envoy TLS termination on doc1001
[operations/puppet@production] ATS: switch backend URL to https for grafana-labs
[operations/puppet@production] ATS: switch backend URL to https/discovery for graphite-labs
[operations/puppet@production] ATS: switch grafana-labs backends from http to https
[operations/puppet@production] ssl: add certificate for grafana-labs.discovery.wmnet
[operations/puppet@production] wmcs::monitoring: add envoy for TLS termination for grafana-labs
[labs/private@master] add fake key for grafana-labs.discovery.wmnet cert
[operations/dns@master] add graphite-labs.discovery.wmnet
[operations/dns@master] add grafana-labs.discovery.wmnet
[operations/dns@master] add doc.discovery.wmnet for use in envoy config
[labs/private@master] add fake key for doc.discovery.wmnet
[operations/puppet@production] ATS: switch OTRS to use TLS and discovery record
[operations/puppet@production] ATS: use TLS to noc.wikimedia.org backend
[operations/puppet@production] ssl: add noc.wikimedia.org to mwmaint puppet TLS cert
[operations/dns@master] add ticket.discovery.wmnet, point to mendelevium
[operations/puppet@production] otrs: add envoy for TLS termination behind ATS
[operations/puppet@production] mediawiki::maintenance: add envoy for TLS termination for noc.wm.org
[operations/dns@master] rename maintenance.discovery to mwmaint.discovery
[operations/puppet@production] dbtree: add https VirtualHost
[operations/puppet@production] acme_chief: add dbtree.wm.org to tendril cert SAN
[operations/puppet@production] ATS: use port 7443 for debmonitor
[operations/puppet@production] debmonitor: expect 302 on successful TLS termination
[operations/puppet@production] debmonitor: terminate TLS on port 7443
[operations/puppet@production] debmonitor: update certificate
[operations/puppet@production] phabricator: do not rewrite /ws/
[operations/puppet@production] phabricator: allow websockets via tls terminator
[operations/puppet@production] ATS: fix typo in phabricator wss remap rule
[operations/puppet@production] phabricator: include uri path in ProxyPass directive
[operations/puppet@production] ATS: map phabricator ws to TLS encrypted wss
[operations/puppet@production] requesttracker: re-enable envoy if on buster
[operations/puppet@production] ATS: fix envoy backend port for RT to 443
[operations/puppet@production] ATS: use TLS to connect to labweb
[operations/puppet@production] Add labweb-ssl LVS service
[operations/deployment-charts@master] blubberoid: Add TLS termination
[operations/puppet@production] labweb: add TLS termination with envoy
[labs/private@master] secret: dummy key for labweb
[operations/puppet@production] labweb: add certificate
[operations/puppet@production] ATS: use TLS and DNS discovery to connect to puppetboard
[operations/puppet@production] puppetboard: add TLS termination with envoy
[operations/dns@master] Add puppetboard.discovery.wmnet pointing to puppetboard1001
[operations/puppet@production] puppetboard: add certificate
[labs/private@master] secret: dummy key for puppetboard
[operations/puppet@production] ATS: use TLS and DNS discovery to connect to graphite
[operations/dns@master] Add graphite.discovery.wmnet pointing to graphite1004
[operations/puppet@production] graphite: add TLS termination with envoy
[operations/puppet@production] graphite: add certificate
[operations/puppet@production] ATS: use TLS and DNS discovery to connect to kibana
[labs/private@master] secret: dummy key for graphite
[operations/puppet@production] Add kibana-ssl LVS service
[operations/puppet@production] kibana: add TLS termination with envoy
[operations/puppet@production] ssl: re-issue cert for performance.discovery.wmnet
[operations/puppet@production] ATS: use TLS to connect to WDQS
[operations/puppet@production] Add wdqs-ssl LVS service
[operations/puppet@production] wdqs: TLS termination with envoy
[operations/puppet@production] wdqs: envoy TLS termination for internal cluster
[operations/puppet@production] wdqs: add certificate
[labs/private@master] secret: dummy key for wdqs
[operations/dns@master] add maintenance.discovery.wmnet and point to mwmaint1002
[operations/puppet@production] ATS: switch webperf backends to TLS and discovery name
[operations/puppet@production] ATS: switch releases-jenkins to TLS
[operations/puppet@production] add certificate for mwmaint servers
[operations/puppet@production] peopleweb: add people.wikimedia.org to SubjAltName
[operations/puppet@production] planet: add *.planet.wikimedia.org to SubjAltName
[operations/puppet@production] ATS: use TLS to connect to etherpad
[operations/puppet@production] etherpad: set TLS port to 7443
[operations/puppet@production] etherpad: TLS termination with envoy
[operations/puppet@production] etherpad: add certificate
[labs/private@master] secret: dummy key for etherpad
[operations/puppet@production] ATS: use TLS with RESTbase
[operations/puppet@production] envoyproxy: accept HTTP/1.0
[operations/puppet@production] lvs: add restbase-ssl
[operations/puppet@production] webperf: add envoy for TLS termination
[operations/puppet@production] ATS/varnish: switch backend for releases.wm.org to use TLS
[operations/puppet@production] releases: add envoy for TLS termination
[operations/puppet@production] restbase: TLS termination with envoy on port 7443
[operations/puppet@production] ATS: switch people.wikimedia.org to https backend
[operations/puppet@production] peopleweb: add TLS termination with envoy
[operations/dns@master] add peopleweb.discovery.wmnet
[operations/puppet@production] ATS/varnish: switch planet to discovery name, disable codfw backend
[operations/puppet@production] planet: add Hiera keys and include class vor envoy
[operations/puppet@production] ssl: add certificate for planet
[operations/puppet@production] planet: include envoy for TLS termination
[operations/puppet@production] ATS/varnish: switch wikimania scholarships to miscweb, use TLS
[operations/puppet@production] webserver_misc_apps: only include envoy if on stretch
[operations/puppet@production] ATS/varnish: switch iegreview to miscweb backend and use TLS
[operations/puppet@production] Add discovery hostname to docker-registry certificate
[operations/dns@master] Add discovery CNAME webserver-misc-apps -> miscweb1001
[operations/puppet@production] misc_apps::httpd: do not load SSL httpd module
[operations/puppet@production] Revert "webserver_misc_apps: do not install envoy"
[operations/puppet@production] webserver_misc_apps: do not install envoy
[operations/puppet@production] ATS: use TLS for grafana1001
[operations/puppet@production] Add TLS termination for grafana
[operations/puppet@production] grafana: add certificate
[labs/private@master] secret: dummy key for grafana
[operations/puppet@production] logstash: add TLS support via profile::tlsproxy::service
[operations/puppet@production] Add TLS termination for webserver_misc_apps
[labs/private@master] secret: dummy key for webserver-misc-apps
[operations/puppet@production] webserver-misc-apps: add certificate
[operations/puppet@production] ATS: use TLS and discovery hostname for phabricator
[operations/puppet@production] restbase: add TLS support via profile::tlsproxy::service
[operations/puppet@production] Add TLS termination for phabricator.discovery.wmnet
[operations/dns@master] Add discovery CNAME phabricator -> phab1003
[operations/puppet@production] planet: re-add support for https for traffic server
[operations/puppet@production] phabricator.discovery.wmnet: add certificate
[labs/private@master] secret: dummy key for phabricator
[operations/puppet@production] ATS: use TLS and discovery hostname for bromine
[operations/puppet@production] role::webserver_misc_static: add TLS termination with envoy
[operations/puppet@production] profile::tlsproxy::envoy: new TLS terminator for services
[operations/dns@master] Add discovery CNAME webserver-misc-static -> bromine
[labs/private@master] secret: dummy key for webserver-misc-static
[operations/puppet@production] webserver-misc-static: add certificate
[operations/puppet@production] ATS: use TLS for thorium, dbmonitor, netmon
[operations/puppet@production] ATS: use TLS to connect to matomo
[operations/puppet@production] ATS: use TLS to connect to analytics hosts
[operations/puppet@production] profile::druid::turnilo::proxy: add Location to httpd Vhost
[operations/puppet@production] kibana: add certificate
[labs/private@master] secret: dummy key for kibana
[operations/puppet@production] restbase: add certificate for restbase.discovery.wmnet
[operations/puppet@production] Add profile::tlsproxy::service
[labs/private@master] secret: dummy key for restbase

Event Timeline

ema updated the task description. Oct 25 2019, 8:44 AM

Change 546280 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] requesttracker: re-enable envoy if on buster

https://gerrit.wikimedia.org/r/546280

Change 546280 merged by Dzahn:
[operations/puppet@production] requesttracker: re-enable envoy if on buster

https://gerrit.wikimedia.org/r/546280

Change 546308 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: fix envoy backend port for RT to 443

https://gerrit.wikimedia.org/r/546308

Change 546308 merged by Dzahn:
[operations/puppet@production] ATS: fix envoy backend port for RT to 443

https://gerrit.wikimedia.org/r/546308

Dzahn updated the task description. Oct 25 2019, 10:42 PM
Dzahn updated the task description. Oct 30 2019, 6:37 PM

RT (requesttracker) moved from jessie and public IP (ununpentium) to buster and private IP (moscovium) and https to backend via https://rt.discovery.wmnet

Change 549816 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: map phabricator ws to TLS encrypted wss

https://gerrit.wikimedia.org/r/549816

Change 549817 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] phabricator: include uri path in ProxyPass directive

https://gerrit.wikimedia.org/r/549817

Change 549816 merged by Ema:
[operations/puppet@production] ATS: map phabricator ws to TLS encrypted wss

https://gerrit.wikimedia.org/r/549816

Change 549817 merged by Ema:
[operations/puppet@production] phabricator: include uri path in ProxyPass directive

https://gerrit.wikimedia.org/r/549817

Change 549818 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: fix typo in phabricator wss remap rule

https://gerrit.wikimedia.org/r/549818

Change 549818 merged by Ema:
[operations/puppet@production] ATS: fix typo in phabricator wss remap rule

https://gerrit.wikimedia.org/r/549818

Change 549821 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] phabricator: allow websockets via tls terminator

https://gerrit.wikimedia.org/r/549821

Change 549821 merged by Ema:
[operations/puppet@production] phabricator: allow websockets via tls terminator

https://gerrit.wikimedia.org/r/549821

Change 549832 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] phabricator: do not rewrite /ws/

https://gerrit.wikimedia.org/r/549832

Change 549832 merged by Ema:
[operations/puppet@production] phabricator: do not rewrite /ws/

https://gerrit.wikimedia.org/r/549832

Change 550649 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] debmonitor: update certificate

https://gerrit.wikimedia.org/r/550649

Change 550649 merged by Ema:
[operations/puppet@production] debmonitor: update certificate

https://gerrit.wikimedia.org/r/550649

Change 550670 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] debmonitor: terminate TLS on port 7443

https://gerrit.wikimedia.org/r/550670

Change 550670 merged by Ema:
[operations/puppet@production] debmonitor: terminate TLS on port 7443

https://gerrit.wikimedia.org/r/550670

Change 550696 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] debmonitor: expect 302 on successful TLS termination

https://gerrit.wikimedia.org/r/550696

Change 550696 merged by Ema:
[operations/puppet@production] debmonitor: expect 302 on successful TLS termination

https://gerrit.wikimedia.org/r/550696

Change 550697 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: use port 7443 for debmonitor

https://gerrit.wikimedia.org/r/550697

Change 550697 merged by Ema:
[operations/puppet@production] ATS: use port 7443 for debmonitor

https://gerrit.wikimedia.org/r/550697

Change 551184 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] acme_chief: add dbtree.wm.org to tendril cert SAN

https://gerrit.wikimedia.org/r/551184

Change 551184 merged by Ema:
[operations/puppet@production] acme_chief: add dbtree.wm.org to tendril cert SAN

https://gerrit.wikimedia.org/r/551184

Change 551496 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] dbtree: add https VirtualHost

https://gerrit.wikimedia.org/r/551496

Change 551496 merged by Ema:
[operations/puppet@production] dbtree: add https VirtualHost

https://gerrit.wikimedia.org/r/551496

Change 552944 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] rename maintenance.discovery to mwmaint.discovery

https://gerrit.wikimedia.org/r/552944

Change 552944 merged by Dzahn:
[operations/dns@master] rename maintenance.discovery to mwmaint.discovery

https://gerrit.wikimedia.org/r/552944

Change 539633 merged by Dzahn:
[operations/puppet@production] mediawiki::maintenance: add envoy for TLS termination for noc.wm.org

https://gerrit.wikimedia.org/r/539633

Change 553199 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: use TLS to noc.wikimedia.org backend

https://gerrit.wikimedia.org/r/553199

Change 552947 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] otrs: add envoy for TLS termination behind ATS

https://gerrit.wikimedia.org/r/552947

Change 553424 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch OTRS to use TLS and discovery record

https://gerrit.wikimedia.org/r/553424

Change 552947 merged by Alexandros Kosiaris:
[operations/puppet@production] otrs: add envoy for TLS termination behind ATS

https://gerrit.wikimedia.org/r/552947

Change 554125 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add ticket.discovery.wmnet, point to mendelevium

https://gerrit.wikimedia.org/r/554125

Change 554125 merged by Dzahn:
[operations/dns@master] add ticket.discovery.wmnet, point to mendelevium

https://gerrit.wikimedia.org/r/554125

Change 554177 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl: add noc.wikimedia.org to mwmaint puppet TLS cert

https://gerrit.wikimedia.org/r/554177

Change 554177 merged by Dzahn:
[operations/puppet@production] ssl: add noc.wikimedia.org to mwmaint puppet TLS cert

https://gerrit.wikimedia.org/r/554177

Change 553199 merged by Dzahn:
[operations/puppet@production] ATS: use TLS to noc.wikimedia.org backend

https://gerrit.wikimedia.org/r/553199

Dzahn updated the task description. Dec 2 2019, 10:57 PM

https://noc.wikimedia.org has been switched to use https://mwmaint.discovery.wmnet (envoy on mwmaint1002).

Change 553424 merged by Alexandros Kosiaris:
[operations/puppet@production] ATS: switch OTRS to use TLS and discovery record

https://gerrit.wikimedia.org/r/553424

Dzahn updated the task description. Dec 4 2019, 5:15 AM

https://ticket.wikimedia.org (OTRS) has been switched to use https://ticket.discovery.wmnet (envoy on mendelevium).

PSA!

I've noticed that usages of envoyproxy for service TLS termination use unencrypted private key files, but the cergen certificate manifests for these are configured with a password, meaning the key files cergen outputs will be encrypted.

If you need distributable unencrypted private key files, you can just omit specifying a key password in the certificate manifest.  E.g.

eventgate-analytics.discovery.wmnet:
  authority: puppet_ca
  expiry: null
  alt_names: ['eventgate-analytics.discovery.wmnet', 'eventgate-analytics.svc.codfw.wmnet', 'eventgate-analytics.svc.eqiad.wmnet']
  key:
    algorithm: ec

Notice there is no key.password.  Cergen will output the <name>.key.private.pem file unencrypted.

This should eliminate the extra step of manually generating an unencrypted file using openssl CLI.

Also, I see that the unencrypted key file is stored in the private repo at secrets/ssl/<name>.key, which is then distributed by the sslcert::certificate define.  I suggest we symlink this file to the cergen managed one to reduce duplication and manual steps if we need to change the key.

I'm going to do this for schema.discovery.wmnet now.

Ah hm, I also just realized the public cert is manually committed to public puppet in files/ssl.

Should we maybe just change sslcert::certificate to be smart(er) about where it gets its stuff? Sure the certificate can be public, but it is already in puppet private, so maybe we should just grab it from there instead of duplicating it?
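The comments above turn on whether a distributed key file is encrypted or not. The following is an added example, not part of the original thread and not code from cergen or the puppet repository: it classifies PEM private key files by their headers so a key directory can be audited before a TLS terminator is pointed at it. It assumes the key files are PEM (as the `.pem` suffix suggests); the file names and key bodies in `SAMPLES` are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def classify_pem_key(text):
    """Classify PEM text as 'encrypted', 'unencrypted' or 'not-a-key'."""
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        match = PEM_BEGIN.fullmatch(line)
        if not match:
            continue
        label = match.group(1)
        if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, password protected
            return "encrypted"
        if label.endswith("PRIVATE KEY"):
            # Traditional RSA/EC PEM marks encryption in RFC 1421 headers
            # placed between the BEGIN line and the base64 body.
            for header in lines[i + 1:]:
                if ":" not in header:
                    break
                if header.replace(" ", "").upper().startswith("PROC-TYPE:4,ENCRYPTED"):
                    return "encrypted"
            return "unencrypted"
        # Other blocks (EC PARAMETERS, CERTIFICATE, ...): keep scanning.
    return "not-a-key"


def audit_key_dir(directory, patterns=("*.key.private.pem", "*.key")):
    """Map each matching file name under `directory` to its classification."""
    results = {}
    for pattern in patterns:
        for path in sorted(Path(directory).glob(pattern)):
            results[path.name] = classify_pem_key(path.read_text(errors="replace"))
    return results


def unusable_without_password(results):
    """File names a service reading the key directly could not load."""
    return sorted(n for n, status in results.items() if status != "unencrypted")


# Constructed sample input: placeholder body, not real key material.
BODY = "Q09OU1RSVUNURUQ="


def _pem(label, headers=""):
    return f"-----BEGIN {label}-----\n{headers}{BODY}\n-----END {label}-----\n"


SAMPLES = {
    "svc-a.key.private.pem": _pem("ENCRYPTED PRIVATE KEY"),
    "svc-b.key.private.pem": _pem("EC PARAMETERS") + _pem("EC PRIVATE KEY"),
    "svc-c.key": _pem("EC PRIVATE KEY",
                      "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"),
    "svc-d.key": _pem("CERTIFICATE"),  # wrong file committed under a .key name
}


def run_demo():
    """Write the constructed samples to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLES.items():
            Path(tmp, name).write_text(text)
        return audit_key_dir(tmp)


if __name__ == "__main__":
    report = run_demo()
    for name, status in sorted(report.items()):
        print(f"{status:12} {name}")
    print("needs attention:", unusable_without_password(report))
```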

Change 572378 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] doc: add envoy for TLS termination on doc1001

https://gerrit.wikimedia.org/r/572378

Change 572380 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add doc.discovery.wmnet for use in envoy config

https://gerrit.wikimedia.org/r/572380

Change 572381 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] wmcs::monitoring: add envoy for TLS termination for grafana-labs

https://gerrit.wikimedia.org/r/572381

Change 572382 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch backend URL to https for grafana-labs

https://gerrit.wikimedia.org/r/572382

Change 572385 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add grafana-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/572385

Change 572387 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] add graphite-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/572387

Change 572391 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch backend URL to https/discovery for graphite-labs

https://gerrit.wikimedia.org/r/572391

Dzahn updated the task description. Feb 15 2020, 3:25 AM

Meanwhile there is another one in ATS backend.yaml.

added [ ] cloudweb2001-dev.wikimedia.org - http://labtesthorizon.wikimedia.org , http://labtestwikitech.wikimedia.org

Change 572937 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[labs/private@master] add fake key for doc.discovery.wmnet

https://gerrit.wikimedia.org/r/572937

Change 572937 merged by Dzahn:
[labs/private@master] add fake key for doc.discovery.wmnet

https://gerrit.wikimedia.org/r/572937

Change 572380 merged by Dzahn:
[operations/dns@master] add doc.discovery.wmnet for use in envoy config

https://gerrit.wikimedia.org/r/572380

Change 572353 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] releases: remove port 80 firewall hole

https://gerrit.wikimedia.org/r/572353

Dzahn added a comment. Feb 19 2020, 6:47 PM

In this topic branch I am also switching monitoring of these services from HTTP to HTTPS:

https://gerrit.wikimedia.org/r/q/topic:%22icinga-http-https%22+(status:open%20OR%20status:merged)

Change 572385 merged by Dzahn:
[operations/dns@master] add grafana-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/572385

Change 572387 merged by Dzahn:
[operations/dns@master] add graphite-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/572387

Dzahn updated the task description. Tue, Mar 3, 6:33 PM

grafana-labs-admin.wikimedia.org has been removed from DNS in https://gerrit.wikimedia.org/r/c/operations/dns/+/576408 therefore also removed here

Dzahn updated the task description. Tue, Mar 3, 6:37 PM

labmon1001 has been replaced by cloudmetrics1002 and is still hosting grafana-labs and graphite-labs.

Change 576417 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[labs/private@master] add fake key for grafana-labs.discovery.wmnet cert

https://gerrit.wikimedia.org/r/576417

Change 576417 merged by Dzahn:
[labs/private@master] add fake key for grafana-labs.discovery.wmnet cert

https://gerrit.wikimedia.org/r/576417

Change 572381 merged by Dzahn:
[operations/puppet@production] wmcs::monitoring: add envoy for TLS termination for grafana-labs

https://gerrit.wikimedia.org/r/572381

Change 576428 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl: add certificate for grafana-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/576428

Change 576428 merged by Dzahn:
[operations/puppet@production] ssl: add certificate for grafana-labs.discovery.wmnet

https://gerrit.wikimedia.org/r/576428

Change 576434 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch grafana-labs backends from http to https

https://gerrit.wikimedia.org/r/576434

Change 576434 merged by Dzahn:
[operations/puppet@production] ATS: switch grafana-labs backends from http to https

https://gerrit.wikimedia.org/r/576434

Dzahn updated the task description. Tue, Mar 3, 8:56 PM

grafana-labs and graphite-labs have switched to TLS now.

Change 572391 abandoned by Dzahn:
ATS: switch backend URL to https/discovery for graphite-labs

Reason:
duplicate of https://gerrit.wikimedia.org/r/c/operations/puppet/+/576434

https://gerrit.wikimedia.org/r/572391

Change 572382 abandoned by Dzahn:
ATS: switch backend URL to https for grafana-labs

Reason:
grafana-labs-admin does not exist anymore. done in https://gerrit.wikimedia.org/r/c/operations/puppet/+/576434

https://gerrit.wikimedia.org/r/572382

Change 572378 merged by Dzahn:
[operations/puppet@production] doc: add envoy for TLS termination on doc1001

https://gerrit.wikimedia.org/r/572378

Change 579360 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] add certificate for envoy TLS termination on doc1001

https://gerrit.wikimedia.org/r/579360

Change 579360 merged by Dzahn:
[operations/puppet@production] add certificate for envoy TLS termination on doc1001

https://gerrit.wikimedia.org/r/579360

Dzahn updated the task description. Thu, Mar 12, 6:51 PM
Dzahn updated the task description.

Change 579390 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl: update cert for doc.discovery.wmnet to include doc.wikimedia.org

https://gerrit.wikimedia.org/r/579390

Change 579390 merged by Dzahn:
[operations/puppet@production] ssl: update cert for doc.discovery.wmnet to include doc.wikimedia.org

https://gerrit.wikimedia.org/r/579390

Change 579407 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ATS: switch doc.wikimedia.org to https to backend

https://gerrit.wikimedia.org/r/579407

Mentioned in SAL (#wikimedia-operations) [2020-03-12T21:47:28Z] <mutante> doc1001 - had to manually run "/usr/local/sbin/build-envoy-config -c /etc/envoy/" to get envoy tls_terminator_443 listener into the config or envoy would not listen on 443 (T210411)

Change 579407 merged by Dzahn:
[operations/puppet@production] ATS: switch doc.wikimedia.org to https to backend

https://gerrit.wikimedia.org/r/579407

Dzahn updated the task description. Thu, Mar 12, 10:04 PM

Change 572353 merged by Dzahn:
[operations/puppet@production] releases: close port 80 for caching servers.

https://gerrit.wikimedia.org/r/572353

Mentioned in SAL (#wikimedia-operations) [2020-03-25T14:46:06Z] <mutante> closed port 80 for caching servers on misc backends https://gerrit.wikimedia.org/r/q/topic:%22applayer-tls%22+(status:open%20OR%20status:merged) as final step per service on T210411