
Set up git-driven static microsite for wikiworkshop.org
Open, Medium, Public

Description

After talking with @leila, I think we're just going to self-host the site infra inside the WMF as a standard git-driven microsite like https://bienvenida.wikimedia.org/ and others. Details about content uploading and future management to be sorted out.

  • Set up a git repo for wikiworkshop.org static content
  • Set up basic microsite puppetization to deploy in our infra
  • Configure SNI certificate for wikiworkshop.org on text cluster
  • Switch DNS to our own hosting after content is ready (we already have the DNS, but are pointing it at a third party currently)

Details

Related Gerrit Patches:
research/wikiworkshop (master): 2020 update
research/wikiworkshop (master): HTTPS links partial cleanup
operations/puppet (production): ATS: Deploy wikiworkshop TLS certificate
operations/puppet (production): wikiworkshop: fixup for www redirect
operations/puppet (production): wikiworkshop: add to varnish allowed hosts as well
operations/puppet (production): wikiworkshop: set up cache routing
operations/puppet (production): acmechief: define public wikiworkshop.org cert
operations/puppet (production): wikiworkshop: define internal microsite setup
operations/dns (master): wikiworkshop.org: Add CAA for LE certs
operations/puppet (production): webserver-misc-static cert: add wikiworkshop.org

Event Timeline

BBlack triaged this task as Medium priority. Jan 9 2020, 9:31 PM
BBlack created this task.
Restricted Application added a project: Operations. Jan 9 2020, 9:31 PM
Restricted Application added a subscriber: Aklapper.

@bmansurov you can use this task for tracking and implementing the change for bringing the hosting of wikiworkshop.org to github.

(For context: I had a chat with BBlack about https://phabricator.wikimedia.org/T240303#5738381 today and he pointed out that SRE can host it and assure its technical compliance (re encryption, later changes in technology stack, ...) as long as we set up a git/github repo for it. Hence this task.)

Reedy added a subscriber: Reedy. Jan 9 2020, 10:44 PM

> @bmansurov you can use this task for tracking and implementing the change for bringing the hosting of wikiworkshop.org to github.
>
> (For context: I had a chat with BBlack about https://phabricator.wikimedia.org/T240303#5738381 today and he pointed out that SRE can host it and assure its technical compliance (re encryption, later changes in technology stack, ...) as long as we set up a git/github repo for it. Hence this task.)

Just as an FYI, the code will need to be in gerrit, not github for deployment

Change 565078 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] webserver-misc-static cert: add wikiworkshop.org

https://gerrit.wikimedia.org/r/565078

Change 565080 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/dns@master] wikiworkshop.org: Add CAA for LE certs

https://gerrit.wikimedia.org/r/565080

Change 565078 merged by BBlack:
[operations/puppet@production] webserver-misc-static cert: add wikiworkshop.org

https://gerrit.wikimedia.org/r/565078

Change 565080 merged by BBlack:
[operations/dns@master] wikiworkshop.org: Add CAA for LE certs

https://gerrit.wikimedia.org/r/565080

Change 565081 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] wikiworkshop: define internal microsite setup

https://gerrit.wikimedia.org/r/565081

Change 565081 merged by BBlack:
[operations/puppet@production] wikiworkshop: define internal microsite setup

https://gerrit.wikimedia.org/r/565081

Change 565083 had a related patch set uploaded (by BBlack; owner: BBlack):
[research/wikiworkshop@master] HTTPS links partial cleanup

https://gerrit.wikimedia.org/r/565083

Change 565084 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] acmechief: define public wikiworkshop.org cert

https://gerrit.wikimedia.org/r/565084

Change 565085 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] wikiworkshop: set up cache routing

https://gerrit.wikimedia.org/r/565085

Change 565084 merged by BBlack:
[operations/puppet@production] acmechief: define public wikiworkshop.org cert

https://gerrit.wikimedia.org/r/565084

Change 565085 merged by BBlack:
[operations/puppet@production] wikiworkshop: set up cache routing

https://gerrit.wikimedia.org/r/565085

Change 565086 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] wikiworkshop: add to varnish allowed hosts as well

https://gerrit.wikimedia.org/r/565086

Change 565086 merged by BBlack:
[operations/puppet@production] wikiworkshop: add to varnish allowed hosts as well

https://gerrit.wikimedia.org/r/565086

Change 565090 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] wikiworkshop: fixup for www redirect

https://gerrit.wikimedia.org/r/565090

Change 565090 merged by BBlack:
[operations/puppet@production] wikiworkshop: fixup for www redirect

https://gerrit.wikimedia.org/r/565090

BBlack updated the task description. Jan 17 2020, 3:07 PM

Most of this has been configured now, the remaining slightly difficult bit is configuring an alternate SNI cert for the domain on our new ats-tls termination.

Change 565625 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Deploy wikiworkshop TLS certificate

https://gerrit.wikimedia.org/r/565625

Mentioned in SAL (#wikimedia-operations) [2020-01-20T11:14:05Z] <vgutierrez> deploying wikiworkshop TLS certificate on the text cluster - T242374

Change 565625 merged by Vgutierrez:
[operations/puppet@production] ATS: Deploy wikiworkshop TLS certificate

https://gerrit.wikimedia.org/r/565625

Vgutierrez added a subscriber: Vgutierrez. Edited Jan 20 2020, 12:33 PM

> Most of this has been configured now, the remaining slightly difficult bit is configuring an alternate SNI cert for the domain on our new ats-tls termination.

The certificate has been successfully deployed on the text cluster; a quick test using curl looks good:

willikins:~ vgutierrez$ curl -v --resolve wikiworkshop.org:443:$(dig +short text-lb.esams.wikimedia.org) https://wikiworkshop.org/2020/ -o /dev/null --cert-status -s
* Added wikiworkshop.org:443:91.198.174.192 to DNS cache
* Hostname wikiworkshop.org was found in DNS cache
*   Trying 91.198.174.192...
* TCP_NODELAY set
* Connected to wikiworkshop.org (91.198.174.192) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [239 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2377 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate Status (22):
{ [535 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [115 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=wikiworkshop.org
*  start date: Jan 15 17:26:53 2020 GMT
*  expire date: Apr 14 17:26:53 2020 GMT
*  subjectAltName: host "wikiworkshop.org" matched cert's "wikiworkshop.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* SSL certificate status: good (0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fc941007400)
> GET /2020/ HTTP/2
> Host: wikiworkshop.org
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< date: Mon, 20 Jan 2020 12:30:53 GMT
< server: Apache
< last-modified: Wed, 15 Jan 2020 18:35:53 GMT
< vary: Accept-Encoding
< backend-timing: D=970 t=1579523453501921
< cache-control: max-age=3600, must-revalidate
< content-type: text/html
< x-envoy-upstream-service-time: 1
< x-ats-timestamp: 1579523453
< x-varnish: 224613574 240455833
< age: 58
< etag: W/"6538-59c31fa77e716-gzip"
< x-cache: cp3062 miss, cp3056 hit/3
< x-cache-status: hit-front
< server-timing: cache;desc="hit-front"
< set-cookie: WMF-Last-Access=20-Jan-2020;Path=/;HttpOnly;secure;Expires=Fri, 21 Feb 2020 12:00:00 GMT
< set-cookie: WMF-Last-Access-Global=20-Jan-2020;Path=/;Domain=.wikiworkshop.org;HttpOnly;secure;Expires=Fri, 21 Feb 2020 12:00:00 GMT
< x-client-ip: 188.83.27.206
< set-cookie: GeoIP=PT:13:Porto:41.15:-8.61:v4; Path=/; secure; Domain=.wikiworkshop.org
< accept-ranges: bytes
< content-length: 25912
<
{ [7247 bytes data]
* Connection #0 to host wikiworkshop.org left intact
* Closing connection 0
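
The curl test above, turned into a repeatable pre-cutover gate (an added example, not part of the original task or of WMF tooling). `check_transcript`, `live_check` and the sample transcripts are hypothetical names and constructed input; the matched strings assume curl's OpenSSL-style verbose wording as seen in the output above.

```shell
#!/usr/bin/env bash
# Added example (not from the task). Assumes the OpenSSL-style wording that
# `curl -v --cert-status` prints in the comment above; other TLS backends differ.

# check_transcript HOST FILE: print each failed check; return 0 only if all pass.
check_transcript() {
    ct_host=$1 ct_file=$2 ct_failed=0
    need() {  # need LABEL FIXED-STRING
        if ! grep -qF -- "$2" "$ct_file"; then
            echo "FAIL: $1"
            ct_failed=1
        fi
    }
    need "SAN matches $ct_host" "subjectAltName: host \"$ct_host\" matched cert's"
    need "chain verifies"       "SSL certificate verify ok."
    need "OCSP staple is good"  "SSL certificate status: good"
    need "HTTP/2 200 from edge" "< HTTP/2 200"
    return "$ct_failed"
}

# live_check HOST LB_IP URL_PATH: fetch through the load balancer while public
# DNS still points elsewhere, then apply the same checks to the transcript.
live_check() {
    lc_tmp=$(mktemp) || return 2
    curl -sv --cert-status --resolve "$1:443:$2" "https://$1$3" \
        -o /dev/null 2>"$lc_tmp" || :   # a failed handshake still leaves a transcript
    check_transcript "$1" "$lc_tmp" && lc_rc=0 || lc_rc=$?
    rm -f "$lc_tmp"
    return "$lc_rc"
}

# Constructed transcripts (trimmed): SNI cert deployed vs. not yet deployed.
sample_ready() {
    cat <<'EOF'
*  subjectAltName: host "example.org" matched cert's "example.org"
*  SSL certificate verify ok.
* SSL certificate status: good (0)
< HTTP/2 200
EOF
}
sample_not_ready() {
    cat <<'EOF'
* Server certificate:
*  subject: CN=other.example
* SSL: no alternative certificate subject name matches target host name 'example.org'
EOF
}
```

Running `live_check` against each load balancer address before the DNS switch catches an edge that still serves the default certificate for the new name.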

Change 565083 merged by Bmansurov:
[research/wikiworkshop@master] HTTPS links partial cleanup

https://gerrit.wikimedia.org/r/565083

@Vgutierrez, thanks for working on this task. Please let me know if I can help move the task forward.

I think all that's left on our side is a DNS switch, which is pretty trivial and quick.

The content isn't in an identical state (e.g. in http://wikiworkshop.org/2020/ , the top of the invited speakers section has an entry for "Misha Teplitskiy", but our copy lacks it?). If you're ok with the content though, we can flip the switch anytime (DNS will take about an hour to propagate fully afterwards).

BBlack updated the task description. Tue, Feb 11, 2:01 PM

@leila what do you think about T242374#5872212? Can we get the latest code changes?

@bmansurov please reach out to Bob West and get the latest code changes from him. Once the code is updated on our end, we should do the DNS switch as soon as BBlack and colleagues can.

OK.

@BBlack I'll let you know when we get the latest code into Gerrit.

Change 571707 had a related patch set uploaded (by Bmansurov; owner: Bmansurov):
[research/wikiworkshop@master] 2020 update

https://gerrit.wikimedia.org/r/571707

Change 571707 merged by Bmansurov:
[research/wikiworkshop@master] 2020 update

https://gerrit.wikimedia.org/r/571707

@BBlack the site has been updated. Please turn on the DNS.