
Deprecate and disable port 80 for one-off sites under canonical domains
Open, MediumPublic

Description

Leveraging the fact that WMF canonical domains are on the HSTS preload list, we don't need to listen on port 80: every request, even http:// ones, should reach the servers via https thanks to HSTS.

The first step will be to replace the current redirect from http to https with a simple 403; in a second stage we will disable port 80 completely.
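Before relying on preloading to drop plaintext, it is worth checking that the Strict-Transport-Security header a site sends actually meets the preload criteria. The checker below is an added example, not WMF or Puppet code; it parses the header per RFC 6797 and applies the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload) as an assumed threshold.

```python
"""Check whether an HSTS header is strong enough to justify turning off
plaintext HTTP.  Added example, not WMF code; the preload thresholds
(one-year max-age, includeSubDomains, preload) are assumed from the
hstspreload.org submission requirements."""

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds (assumed preload minimum)


def parse_hsts(header):
    """Parse an HSTS header value (RFC 6797 section 6.1) into a dict.

    Directive names are case-insensitive; only max-age carries a value.
    Returns None when the header is missing, repeats a directive, or has
    no well-formed max-age, because a conforming client ignores it then.
    """
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            return None  # duplicate directive invalidates the whole header
        directives[name] = value
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def preload_gaps(header):
    """Return the reasons the header would not qualify for preloading.

    An empty list means every requirement is met, i.e. browsers that ship
    the preload list will upgrade http:// URLs before touching port 80.
    """
    d = parse_hsts(header)
    if d is None:
        return ["no valid HSTS header (missing or malformed max-age)"]
    gaps = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        gaps.append("max-age %d is below one year (%d)" % (d["max-age"], PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        gaps.append("includeSubDomains missing")
    if "preload" not in d:
        gaps.append("preload token missing")
    return gaps


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real host.
    for h in ["max-age=31536000; includeSubDomains; preload", "max-age=300", None]:
        print(repr(h), "->", preload_gaps(h) or "ok")
```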

Event Timeline

Restricted Application added a project: Operations. Nov 20 2019, 4:57 AM
Restricted Application added a subscriber: Aklapper.

Change 551950 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] librenms: Reject plain text requests with a 403

https://gerrit.wikimedia.org/r/551950

Note that very old browsers may not support the HSTS preload list or even HSTS itself; probably we want to configure a specific 403 message (or still redirect them when the user agent is one of these browsers).

We are targeting the one-off sites here; some of them are already configured to support TLSv1.2 only, which is usually a stricter requirement for UAs than HSTS support itself.

Comparing https://caniuse.com/#feat=tls1-2 vs https://caniuse.com/#feat=stricttransportsecurity, it looks like all the UAs that support TLSv1.2 also support HSTS, with the exception of Opera Mini. I believe that's not a blocker for the one-off sites.

Just to be clear, wikipedia and the rest of the canonical sites are out of scope for this task :)

Vgutierrez triaged this task as Medium priority.Nov 20 2019, 5:22 AM
Vgutierrez moved this task from Triage to TLS on the Traffic board.

Change 551950 merged by Vgutierrez:
[operations/puppet@production] librenms: Reject plain text requests with a 403

https://gerrit.wikimedia.org/r/551950

Seb35 added a subscriber: Seb35.Nov 28 2019, 11:25 AM

For information, due to this bug in Firefox, when the user types the URL without the "https://" prefix, Firefox does not even try to connect to https when port 80 is closed. This means Firefox displays a timeout error - I just tried with Firefox Nightly. Hence some users could report "Wikipedia is unreachable".

Hmm with HSTS the browser shouldn't even try port 80.

Seb35 added a comment.Nov 28 2019, 2:54 PM

Yes, indeed, I have to be precise: my test was with a non-HSTS site, and it seems there is no issue with HSTS-preloaded sites according to this comment. I tested connecting to Wikipedia as an HSTS-preloaded site while blocking outgoing port 80 locally with iptables, and there is no issue.

So this Firefox bug is not an issue here.