
Deprecate and disable port 80 for one-off sites under canonical domains
Open, Medium, Public

Description

Leveraging the fact that WMF canonical domains are on the HSTS preload list, we don't need to listen on port 80, as every request, even http:// ones, should reach the servers via https thanks to HSTS.

The first step will be to replace the current redirect from http to https with a simple 403; in a second stage we will disable port 80 completely.

Sites rejecting traffic on port 80 with a 403 response:

  • apt.wikimedia.org
  • archiva.wikimedia.org
  • icinga.wikimedia.org
  • dumps.wikimedia.org
  • gerrit.wikimedia.org
  • gitlab.wikimedia.org
  • librenms.wikimedia.org
  • lists.wikimedia.org
  • mirrors.wikimedia.org
  • orchestrator.wikimedia.org
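Two checks an operator would want before taking the second stage (dropping port 80) for one of these hosts: that the HTTPS response carries an HSTS header that actually meets the preload-list requirements, and that the port-80 listener now answers with a 403 rather than the old redirect. This is an added example, not the Puppet change from the Gerrit patches in this task; the header value and raw responses are constructed samples, not captured from any wikimedia.org host.

```python
"""Pre-flight checks before disabling port 80 on an HSTS-preloaded host."""
import re

# Preload-list requirements (hstspreload.org): max-age of at least one year,
# plus the includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_eligible(header: str) -> bool:
    """True if the header satisfies the preload-list submission rules."""
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", "-1"))
    except ValueError:
        return False
    return (max_age >= PRELOAD_MIN_MAX_AGE
            and "includesubdomains" in d
            and "preload" in d)


def status_code(raw: bytes) -> int:
    """Return the status code from a raw HTTP response, or 0 if unparsable."""
    first = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    m = re.match(r"HTTP/\d\.\d (\d{3})", first)
    return int(m.group(1)) if m else 0


def plaintext_policy(raw: bytes) -> str:
    """Classify a port-80 response: 'redirect' (old), 'reject' (new), 'other'."""
    code = status_code(raw)
    if code == 403:
        return "reject"
    if code in (301, 302, 307, 308):
        return "redirect"
    return "other"


# Constructed samples (not real responses from any listed host).
HTTPS_HSTS = "max-age=63072000; includeSubDomains; preload"
OLD_PORT80 = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://host.invalid/\r\n\r\n"
NEW_PORT80 = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nNo plain HTTP\n"
```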


Event Timeline

Restricted Application added a subscriber: Aklapper.

Change 551950 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] librenms: Reject plain text requests with a 403

https://gerrit.wikimedia.org/r/551950

Note that very old browsers may not support the HSTS preload list or even HSTS itself; probably we want to configure a specific 403 message (or still redirect them when the user agent is one of these browsers).

We are targeting the one-off sites here; some of them are already configured to support TLSv1.2 only, which is usually a stricter requirement for UAs than HSTS support itself.

Comparing https://caniuse.com/#feat=tls1-2 vs https://caniuse.com/#feat=stricttransportsecurity, it looks like all the UAs that support TLSv1.2 also support HSTS, with the exception of Opera Mini. I believe that's not a blocker for the one-off sites.

Just to be clear, wikipedia and the rest of the canonical sites are out of scope for this task :)

Vgutierrez triaged this task as Medium priority. Nov 20 2019, 5:22 AM
Vgutierrez moved this task from Triage to TLS on the Traffic board.

Change 551950 merged by Vgutierrez:
[operations/puppet@production] librenms: Reject plain text requests with a 403

https://gerrit.wikimedia.org/r/551950

For information, due to this bug in Firefox, when the user types the URL without the "https://" prefix, Firefox does not even try to connect to https when port 80 is closed. This means Firefox displays a timeout error; I just tried with Firefox Nightly. Hence some users could report "Wikipedia is unreachable".

Hmm with HSTS the browser shouldn't even try port 80.

Yes, indeed, I have to clarify that my test was with a non-HSTS site, and it seems there is no issue with HSTS-preloaded sites according to this comment. I tested connecting to Wikipedia as an HSTS-preloaded site while blocking outgoing port 80 locally with iptables, and there is no issue.

So this Firefox bug is not an issue here.

BBlack added a subscriber: BBlack.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox. Thank you!

Change 859449 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] orchestrator: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859449

Change 859449 merged by Vgutierrez:

[operations/puppet@production] orchestrator: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859449

Change 859457 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] icinga: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859457

Change 859467 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] dumps: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859467

Change 859467 merged by Vgutierrez:

[operations/puppet@production] dumps: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859467

Change 859498 had a related patch set uploaded (by David Caro; author: David Caro):

[operations/puppet@production] dumps: fix http alert to check the new status

https://gerrit.wikimedia.org/r/859498

Change 859498 merged by David Caro:

[operations/puppet@production] dumps: fix http alert to check the new status

https://gerrit.wikimedia.org/r/859498

Change 859457 merged by Vgutierrez:

[operations/puppet@production] icinga: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859457

Mentioned in SAL (#wikimedia-operations) [2022-11-22T13:57:46Z] <vgutierrez> block plain text requests on icinga.wm.o - T238720

Change 859983 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] archiva: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859983

Change 859986 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] gerrit: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859986

Change 859983 merged by Vgutierrez:

[operations/puppet@production] archiva: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859983

Change 859986 merged by Vgutierrez:

[operations/puppet@production] gerrit: Reject non-tls requests with a 403

https://gerrit.wikimedia.org/r/859986