Page MenuHomePhabricator
Create Task
Maniphest T253816

*.toolforge.org hostnames unexpectly treated as tools.wmflabs.org when the URL's path starts with a match to a grid engine webservice
Closed, ResolvedPublic
Actions

Description

Discovered by @MusikAnimal and reported on irc.

Examples:

'dspull' is not special; it was just the first tool I saw running on the job grid to test with. The behavior is the same for any webservice running on the job grid.

urlproxy.lua is allowing too many things to fall through to prefix based lookups. When the route_backend_and_exit_if_ok(subdomain, "/") case fails, the next check should be to see if ngx.var.http_host is exactly tools.wmflabs.org. If it is not, then an ngx.exit(ngx.OK) return should be done to pass handling on to the Kubernetes ingress layer.

Details

SubjectRepoBranchLines +/-
toolforge: urlproxy: refresh code commentsoperations/puppetproduction+10 -8
dynamicproxy: Short-circuit urlproxy lookups against canonical_domainoperations/puppetproduction+18 -7
Customize query in gerrit

Event Timeline

bd808 created this task.May 27 2020, 10:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 27 2020, 10:39 PM
bd808 triaged this task as High priority.May 27 2020, 10:39 PM
bd808 moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.
gerritbot added a comment.May 27 2020, 11:26 PM

Change 599139 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[operations/puppet@production] dynamicproxy: Short-circuit urlproxy lookups against canonical_domain

https://gerrit.wikimedia.org/r/599139

gerritbot added a project: Patch-For-Review.May 27 2020, 11:26 PM
Stashbot added a comment.May 28 2020, 10:31 AM

Mentioned in SAL (#wikimedia-cloud) [2020-05-28T10:31:00Z] <arturo> livehacking puppetmaster and toolsbeta-proxy-1 to test https://gerrit.wikimedia.org/r/c/operations/puppet/+/599139 (T253816)

gerritbot added a comment.May 28 2020, 11:27 AM

Change 599139 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] dynamicproxy: Short-circuit urlproxy lookups against canonical_domain

https://gerrit.wikimedia.org/r/599139

Stashbot added a comment.May 28 2020, 11:27 AM

Mentioned in SAL (#wikimedia-cloud) [2020-05-28T11:27:23Z] <arturo> merging change to front-proxy: https://gerrit.wikimedia.org/r/c/operations/puppet/+/599139 (T253816)

Maintenance_bot removed a project: Patch-For-Review.May 28 2020, 12:10 PM
gerritbot added a comment.May 28 2020, 12:22 PM

Change 599315 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] toolforge: urlproxy: refresh code comments

https://gerrit.wikimedia.org/r/599315

gerritbot added a project: Patch-For-Review.May 28 2020, 12:22 PM

Change 599315 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] toolforge: urlproxy: refresh code comments

https://gerrit.wikimedia.org/r/599315

aborrero closed this task as Resolved.May 28 2020, 12:32 PM
aborrero claimed this task.

Thanks @MusikAnimal and @bd808 for this!

I did some tests in both toolsbeta (before merging) and in tools (after merging) and everything seems fine now.
The two examples in the task description now lands where they are supposed to!

Maintenance_bot removed a project: Patch-For-Review.May 28 2020, 1:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL