Page MenuHomePhabricator

Serve SSL/HTTPS sites out of same domain names as HTTP access:
Closed, ResolvedPublic


Longtime annoyance, really needs to be taken care of soon. :)

We'll need:

  • HTTPS proxies on the same IPs as the various front-end HTTP proxies
  • Some reasonably sanely priced wildcard SSL certs

Note bug 16822 covers this (or a simpler setup) just for, so we can "practice" there before fiddling with the main web servers.

Version: unspecified
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:50 PM
bzimport added projects: HTTPS, acl*sre-team.
bzimport set Reference to bz20643.
bzimport added a subscriber: Unknown Object (MLST).

brian wrote:

I’m not sure if it’s worth filing an additional bug for this: once we do this, we can enable STS [0]. We should also get the HTTPS Everywhere [1] ruleset for Wikimedia sites and any similar data updated.


Giving half of Fred's old bugs to Jeluf since I trust him to handle them or give them away if he can't.

jeluf wrote:

Is it possible to have multiple domains within a wildcard cert?,, etc pp are all served from the same IP, so that we'd need a single cert for * and * and * etc.

(In reply to comment #3)

Is it possible to have multiple domains within a wildcard cert?

SubjectAltName will do the job. But not all clients support it (AFAIS wget is one of them).

Removing "shell" keyword for things that aren't directly doable by shell users etc

Restoring "shell" keyword for things that only a subset of shell users can possibly do.

Removing shell keyword if exists

This is now mostly live, but some sites don't work due to additional subdomains (bug 31335) and the mobile sites don't offer HTTPS at all on their front-end proxy (bug 31333).

This was fixed, and was made to redirect, the old scripts removed. So bug 31335 is more of an ongoing annoyance than a blocker.

What exactly is blocking marking this ticket fixed?
I don't see any dependency bugs left.

This is fixed. Thanks to everyone in the Wikimedia operations team for working to make this happen. :-)