Page MenuHomePhabricator

Serve SSL/HTTPS sites out of same domain names as HTTP access: https://en.wikipedia.org/
Closed, ResolvedPublic

Description

Longtime annoyance, really needs to be taken care of soon. :)

We'll need:

  • HTTPS proxies on the same IPs as the various front-end HTTP proxies
  • Some reasonably sanely priced wildcard SSL certs

Note bug 16822 covers this (or a simpler setup) just for upload.wikimedia.org, so we can "practice" there before fiddling with the main web servers.


Version: unspecified
Severity: normal
URL: https://en.wikipedia.org/

Details

Reference
bz20643

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 21 2014, 10:50 PM
bzimport added projects: HTTPS, acl*sre-team.
bzimport set Reference to bz20643.
bzimport added a subscriber: Unknown Object (MLST).
brion created this task.Sep 14 2009, 4:30 PM

brian wrote:

I’m not sure if it’s worth filing an additional bug for this: once we do this, we can enable STS [0]. We should also get the HTTPS Everywhere [1] ruleset for Wikimedia sites and any similar data updated.

[0] https://secure.wikimedia.org/wikipedia/en/wiki/Strict_Transport_Security
[1] https://www.eff.org/https-everywhere

Giving half of Fred's old bugs to Jeluf since I trust him to handle them or give them away if he can't.

jeluf wrote:

Is it possible to have multiple domains within a wildcard cert? wikipedia.org, wikimedia.org, wiktionary.org etc pp are all served from the same IP, so that we'd need a single cert for *.wikipedia.org and *.wikimedia.org and *.wiktionary.org etc.

(In reply to comment #3)

Is it possible to have multiple domains within a wildcard cert?

SubjectAltName will do the job. But not all clients support it (AFAIS wget is one of them).

Reedy added a comment.Jul 6 2011, 8:10 PM

Removing "shell" keyword for things that aren't directly doable by shell users etc

brion added a comment.Jul 6 2011, 8:13 PM

Restoring "shell" keyword for things that only a subset of shell users can possibly do.

Reedy added a comment.Jul 6 2011, 8:31 PM

Adding ops keyword

Reedy added a comment.Jul 6 2011, 8:31 PM

Removing shell keyword if exists

brion added a comment.Oct 3 2011, 8:41 PM

This is now mostly live, but some sites don't work due to additional subdomains (bug 31335) and the mobile sites don't offer HTTPS at all on their front-end proxy (bug 31333).

This was fixed, and secure.wikimedia.org was made to redirect, the old scripts removed. So bug 31335 is more of an ongoing annoyance than a blocker.

What exactly is blocking marking this ticket fixed?
I don't see any dependency bugs left.

This is fixed. Thanks to everyone in the Wikimedia operations team for working to make this happen. :-)

Restricted Application added a project: Traffic. · View Herald TranscriptAug 5 2016, 11:41 AM