Page MenuHomePhabricator
Create Task
Maniphest T251558

multilevel domains in the 'maps' project don't use tls
Closed, ResolvedPublic
Actions

Description

For a while now we've only supported three-element proxy names: <name>.wmflabs.org. Maps has several proxies from before that rule was put in place, as the wmcs-novastats-proxyleaks script indicates:

ignoring outlier a.tiles.wmflabs.org.
ignoring outlier b.tiles.wmflabs.org.
ignoring outlier c.tiles.wmflabs.org.
ignoring outlier 0.wma.wmflabs.org.
ignoring outlier 1.wma.wmflabs.org.
ignoring outlier 2.wma.wmflabs.org.
ignoring outlier 3.wma.wmflabs.org.
ignoring outlier 4.wma.wmflabs.org.
ignoring outlier 5.wma.wmflabs.org.
ignoring outlier 6.wma.wmflabs.org.
ignoring outlier 7.wma.wmflabs.org.
ignoring outlier label.wma.wmflabs.org.

I'd like those gone. Ideally we could just determine that no one is using them and delete them wholesale. Failing that, maybe they could become cnames pointing elsewhere?

Details

SubjectRepoBranchLines +/-
profile:wmcs:proxy:static: add acme-chief certs as specified by hieraoperations/puppetproduction+7 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Apr 30 2020, 6:56 PM
Andrew added a subtask: T233995: Setup a dedicated HTTPS terminating proxy for maps project.Apr 30 2020, 7:02 PM
Andrew added a subscriber: bd808.Apr 30 2020, 7:15 PM

These will be addressed with a local, specific-to-maps solution. Quoth @bd808:

yeah, the 4 level names used to all be floating ips. They are well known and uses.
the reason for them is working around the way that pre-HTTP/2 browsers throttled parallel connections per host name
so map clients would round-robin across 3 hostnames to get more parallel requests
Its the "standard" pattern for OSM tile servers

JHedden triaged this task as High priority.May 5 2020, 4:09 PM
JHedden raised the priority of this task from High to Needs Triage.
JHedden triaged this task as High priority.
JHedden moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.
Andrew added a comment.May 17 2020, 9:59 PM

All these proxies are now hosted on maps-proxy-01 in the project-proxy project, using the new profile::wmcs::proxy::static setup. Four-level domains are still a bit of a problem since we rely on the *.wmflabs.org wildcard, but once we have a reasonable let's encrypt setup we should be able to automate per-domain certs here.

Andrew renamed this task from multilevel domains in the 'maps' project to multilevel domains in the 'maps' project don't use tls.May 17 2020, 10:00 PM
Andrew removed a parent task: T131290: Abolish use of labs proxies in domains other than .wmflabs.org.
Andrew added a subtask: T252721: cloud-vps solution for Let's Encrypt.
Andrew closed subtask T233995: Setup a dedicated HTTPS terminating proxy for maps project as Resolved.
Andrew changed the status of subtask T252721: cloud-vps solution for Let's Encrypt from Open to Stalled.May 26 2020, 5:26 PM
gerritbot added a comment.Jun 3 2020, 9:59 PM

Change 602178 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] profile:wmcs:proxy:static: add acme-chief certs for each mapped domain

https://gerrit.wikimedia.org/r/602178

gerritbot added a project: Patch-For-Review.Jun 3 2020, 9:59 PM
gerritbot added a comment.Jun 3 2020, 10:38 PM

Change 602178 merged by Andrew Bogott:
[operations/puppet@production] profile:wmcs:proxy:static: add acme-chief certs as specified by hiera

https://gerrit.wikimedia.org/r/602178

Maintenance_bot removed a project: Patch-For-Review.Jun 3 2020, 11:10 PM
Andrew closed subtask T252721: cloud-vps solution for Let's Encrypt as Resolved.Jun 10 2020, 1:47 PM
Andrew closed this task as Resolved.Jun 10 2020, 2:32 PM

These domains are now handled by a maps-proxy-01 and maps-proxy-02, and they have proper LE certs via acme-chief.

bd808 awarded a token.Jun 10 2020, 4:36 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits