Page MenuHomePhabricator

Serve SSL/HTTPS sites out of same domain names as HTTP access:
Closed, ResolvedPublic


Longtime annoyance, really needs to be taken care of soon. :)

We'll need:

  • HTTPS proxies on the same IPs as the various front-end HTTP proxies
  • Some reasonably sanely priced wildcard SSL certs

Note bug 16822 covers this (or a simpler setup) just for, so we can "practice" there before fiddling with the main web servers.

Version: unspecified
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:50 PM
bzimport added projects: HTTPS, acl*sre-team.
bzimport set Reference to bz20643.
bzimport added a subscriber: Unknown Object (MLST).
brion created this task.Sep 14 2009, 4:30 PM

brian wrote:

I’m not sure if it’s worth filing an additional bug for this: once we do this, we can enable STS [0]. We should also get the HTTPS Everywhere [1] ruleset for Wikimedia sites and any similar data updated.


Giving half of Fred's old bugs to Jeluf since I trust him to handle them or give them away if he can't.

jeluf wrote:

Is it possible to have multiple domains within a wildcard cert?,, etc pp are all served from the same IP, so that we'd need a single cert for * and * and * etc.

(In reply to comment #3)

Is it possible to have multiple domains within a wildcard cert?

SubjectAltName will do the job. But not all clients support it (AFAIS wget is one of them).

Reedy added a comment.Jul 6 2011, 8:10 PM

Removing "shell" keyword for things that aren't directly doable by shell users etc

brion added a comment.Jul 6 2011, 8:13 PM

Restoring "shell" keyword for things that only a subset of shell users can possibly do.

Reedy added a comment.Jul 6 2011, 8:31 PM

Adding ops keyword

Reedy added a comment.Jul 6 2011, 8:31 PM

Removing shell keyword if exists

brion added a comment.Oct 3 2011, 8:41 PM

This is now mostly live, but some sites don't work due to additional subdomains (bug 31335) and the mobile sites don't offer HTTPS at all on their front-end proxy (bug 31333).

This was fixed, and was made to redirect, the old scripts removed. So bug 31335 is more of an ongoing annoyance than a blocker.

What exactly is blocking marking this ticket fixed?
I don't see any dependency bugs left.

This is fixed. Thanks to everyone in the Wikimedia operations team for working to make this happen. :-)

Restricted Application added a project: Traffic. · View Herald TranscriptAug 5 2016, 11:41 AM