
Redirect all space.wmflabs.org traffic to HTTPS
Closed, Resolved · Public

Description

We need to force redirect all http traffic to https on space.wmflabs.org. Currently all links and navigation point to HTTPS, but we'd like to have this forced so there are no accidents. :) I've tried doing this at the Apache level (via .htaccess rules).

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Don't allow indexing in directories
Options -Indexes

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I also have a rule in the WordPress config which is recommended as a best practice. This does not force HTTPS for subpages; space.wmflabs.org/something can still be accessed via HTTP.

/* SSL Settings */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
    $_SERVER['HTTPS'] = 'on';

define('FORCE_SSL_CONTENT', true);
define('FORCE_SSL_ADMIN', true);

define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] . '/');
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] . '/');

Event Timeline

Restricted Application added a subscriber: Aklapper. · Jul 1 2019, 6:32 PM
Tgr added a subscriber: Tgr. · Edited · Jul 1 2019, 7:09 PM

The HTTPS connection is terminated at the proxy server so the app server sees the traffic coming in on port 80. Presumably the proxy will set X-Forwarded-Proto so you can use something like RewriteCond %{HTTP:X-Forwarded-Proto} http instead.

Reedy updated the task description. · Jul 1 2019, 7:28 PM
Qgil assigned this task to CKoerner_WMF. · Jul 5 2019, 9:08 AM
Qgil triaged this task as High priority.
Qgil edited projects, added Space (Jul-Sep-2019); removed Space.
Qgil renamed this task from Redirect all Wikimedia Space traffic to HTTPS to Redirect all space.wmflabs.org traffic to HTTPS. · Jul 5 2019, 10:08 AM
Qgil added a subscriber: Qgil.

Can this be related to the fact that images imported from Discourse / discuss-space.wmflabs.org are broken when you are logged in to space.wmflabs.org? They work fine for anonymous users. See for instance at the bottom of https://space.wmflabs.org/2019/06/26/how-to-follow-the-blog/

Qgil added a comment. · Jul 9 2019, 8:09 AM

https://discuss-space.wmflabs.org/t/new-advanced-mobile-contribution-features-coming-to-mobile/437 (a blog post automatically replicated in Discourse) features the first image but the other two are broken. I have checked the blog post but couldn't see anything strange. I wonder whether this is another case of images not rendering, perhaps due to an HTTPS inconsistency side effect.

CKoerner_WMF added a comment. · Edited · Jul 9 2019, 2:52 PM

@Tgr, that tip has made some progress. I now have:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Now the main domain redirects to https. Huzzah! However, any other /something URL does not.

I think I'm missing something in the steps here. Turn Rewrite on, check if https, if not https, redirect to https. Or at least that's how I understand the rules, which is probably wrong. :)

Setting RewriteCond %{HTTP:X-Forwarded-Proto} http put me in a redirect loop.

@Qgil Can we file a separate task for the resource loading across domains issue? It might be related, but it also might be a configuration in the calls (WordPress is using a webhook from Discourse for example) between Discourse/WordPress.

CKoerner_WMF updated the task description. · Jul 17 2019, 5:49 PM
CKoerner_WMF updated the task description.
CKoerner_WMF updated the task description. · Jul 17 2019, 6:16 PM
bd808 added a subscriber: bd808. · Jul 17 2019, 7:18 PM

The non-HTTPS rewrite rules for most things in Puppet look something like:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect]
Header always merge Vary X-Forwarded-Proto env=ProtoRedirect

This looks a lot like the rules from T227019#5317434. The E=ProtoRedirect and Header always merge Vary X-Forwarded-Proto env=ProtoRedirect parts are hints for an upstream cache which should not matter in a Cloud VPS project.

Maybe it's time to do something like T102367: Migrate tools.wmflabs.org to https only (and set HSTS) for the Cloud VPS proxy?

Try reordering the rules with the HTTPS redirect rule on top. Something like:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>

I think what's happening is the index.php rule gets triggered and the flag [L] (last) is stopping it from processing any more rules.
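The effect of rule order described in this comment can be reproduced with a simplified Python model of per-directory mod_rewrite processing. This is an added example, not part of the thread and not Apache's own code; the file set, the function names and the assumption that the proxy sets X-Forwarded-Proto are constructed for illustration.

```python
import re

# Constructed stand-ins for what exists under the document root.
FILES = {"index.php"}
DIRS = {""}  # "" is the document root itself

def https_rule(path, proto):
    # RewriteCond %{HTTPS} off: always true here, because TLS ends at the proxy.
    # RewriteCond %{HTTP:X-Forwarded-Proto} !https
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    if proto != "https":
        return ("redirect", "https://space.wmflabs.org/" + path)
    return None

def wordpress_rules(path, proto):
    # RewriteRule ^index\.php$ - [L]
    if re.search(r"^index\.php$", path):
        return ("stop", path)
    # RewriteCond !-f, RewriteCond !-d, RewriteRule . /index.php [L]
    if path not in FILES and path not in DIRS and re.search(r".", path):
        return ("rewrite", "index.php")
    return None

BROKEN = [wordpress_rules, https_rule]  # order from the task description
FIXED = [https_rule, wordpress_rules]   # order suggested in the comment above

def handle(path, proto, ruleset):
    """Model one request. [L] ends the current pass; an internal rewrite
    then restarts the ruleset with the rewritten path."""
    path = path.lstrip("/")  # per-directory rules match without the leading slash
    for _ in range(10):      # guard against rewrite loops
        outcome = None
        for rule in ruleset:
            outcome = rule(path, proto)
            if outcome:
                break
        if outcome is None or outcome[0] == "stop":
            return "200 served /" + path
        if outcome[0] == "redirect":
            return "301 -> " + outcome[1]
        path = outcome[1]
    return "500 rewrite loop"

if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for url in ("/", "/something"):
            print(name, url, "=>", handle(url, "http", rules))
```

With the WordPress block first, `/` still redirects because the document root is a directory and the front-controller rule is skipped, while `/something` is rewritten to `index.php` and stopped by `[L]` before the HTTPS rule is ever evaluated.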

CKoerner_WMF closed this task as Resolved. · Jul 17 2019, 9:57 PM

@JHedden I owe you a lunch. That was it. 🙃

Qgil moved this task from Started to Evaluated on the Space (Jul-Sep-2019) board. · Tue, Sep 3, 8:13 AM