
Let ats-tls handle port 80
Closed, Invalid (Public)

Description

Port 80 traffic is still being handled by varnish-frontend. We must move this to ats-tls if we intend to use atskafka to provide data to the analytics cluster.

varnish currently returns a "301 TLS Redirect" for GET/HEAD requests and a "403 Insecure Request Forbidden" for any other HTTP method:

willikins:puppet vgutierrez$ curl http://en.wikipedia.org/wiki/Main_Page -v
*   Trying 91.198.174.192...
* TCP_NODELAY set
* Connected to en.wikipedia.org (91.198.174.192) port 80 (#0)
> GET /wiki/Main_Page HTTP/1.1
> Host: en.wikipedia.org
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 301 TLS Redirect
< Date: Tue, 02 Jun 2020 12:41:48 GMT
< Server: Varnish
< X-Varnish: 10843471
< X-Cache: cp3058 int
< X-Cache-Status: int-front
< Server-Timing: cache;desc="int-front"
< Set-Cookie: WMF-Last-Access=02-Jun-2020;Path=/;HttpOnly;secure;Expires=Sat, 04 Jul 2020 12:00:00 GMT
< Set-Cookie: WMF-Last-Access-Global=02-Jun-2020;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Sat, 04 Jul 2020 12:00:00 GMT
< X-Client-IP: 46.222.230.216
< Location: https://en.wikipedia.org/wiki/Main_Page
< Content-Length: 0
< Connection: keep-alive
<
* Connection #0 to host en.wikipedia.org left intact
* Closing connection 0
willikins:puppet vgutierrez$ curl -X POST http://en.wikipedia.org/wiki/Main_Page -v
*   Trying 91.198.174.192...
* TCP_NODELAY set
* Connected to en.wikipedia.org (91.198.174.192) port 80 (#0)
> POST /wiki/Main_Page HTTP/1.1
> Host: en.wikipedia.org
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 403 Insecure Request Forbidden - use HTTPS - https://lists.wikimedia.org/pipermail/mediawiki-api-announce/2016-May/000110.html
< Date: Tue, 02 Jun 2020 12:41:53 GMT
< Server: Varnish
< X-Varnish: 78776135
< X-Cache: cp3058 int
< X-Cache-Status: int-front
< Server-Timing: cache;desc="int-front"
< Set-Cookie: WMF-Last-Access=02-Jun-2020;Path=/;HttpOnly;secure;Expires=Sat, 04 Jul 2020 12:00:00 GMT
< Set-Cookie: WMF-Last-Access-Global=02-Jun-2020;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Sat, 04 Jul 2020 12:00:00 GMT
< X-Client-IP: 46.222.230.216
< Content-Type: text/html; charset=utf-8
< Content-Length: 1928
< Connection: keep-alive

We will have to add some Lua code to handle pybal checks to tls.lua too, something along these lines:

-- Global read-request hook: answer pybal health checks directly from ATS
-- instead of forwarding them to the backend.
function do_global_read_request()
    if ts.client_request.header['Host'] == 'varnishcheck.wikimedia.org' and ts.client_request.get_uri() == '/from/pybal' then
        ts.http.intercept(function()
            -- An intercepted response is written raw, so the header block
            -- must be terminated by an empty line (the final "\r\n\r\n").
            ts.say('HTTP/1.0 200 OK\r\n' ..
                   'Content-Type: text/plain\r\n' ..
                   'Content-Length: 0\r\n' ..
                   'Cache-Control: no-cache\r\n\r\n')
        end)
    end
end

The Host header used by pybal should also be changed from varnishcheck.wikimedia.org to something else which isn't software-specific, like "healthchecks.wikimedia.org" or whatever.
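The following is an added example, not code from this task or from operations/puppet, of how tls.lua could reproduce the varnish-frontend behaviour shown above (301 TLS Redirect for GET/HEAD, 403 for any other method) while still answering the pybal check. It reuses the intercept pattern from the description and assumes the ts_lua calls ts.client_request.get_url_scheme(), get_method(), get_uri(), get_uri_args() and ts.client_request.header; the health-check hostname is a placeholder taken from the suggestion above.

```lua
-- Added example (not the task's or puppet's code). Assumed ts_lua API:
-- ts.client_request.get_url_scheme()/get_method()/get_uri()/get_uri_args(),
-- ts.client_request.header[], ts.http.intercept(), ts.say().
local HEALTHCHECK_HOST = 'healthchecks.wikimedia.org'  -- placeholder name
local HEALTHCHECK_URI  = '/from/pybal'
local FORBIDDEN_BODY   = 'Insecure Request Forbidden - use HTTPS\n'

-- Write a complete HTTP/1.0 response from inside an intercept. The header
-- block must end with an empty line or clients will see a malformed reply.
local function reply(status_line, extra_headers, body)
    body = body or ''
    ts.say(status_line .. '\r\n' ..
           extra_headers ..
           'Content-Length: ' .. #body .. '\r\n' ..
           'Cache-Control: no-cache\r\n\r\n' ..
           body)
end

local function healthcheck()
    reply('HTTP/1.0 200 OK', 'Content-Type: text/plain\r\n')
end

local function tls_redirect(location)
    reply('HTTP/1.0 301 TLS Redirect', 'Location: ' .. location .. '\r\n')
end

local function insecure_forbidden()
    reply('HTTP/1.0 403 Insecure Request Forbidden - use HTTPS',
          'Content-Type: text/plain; charset=utf-8\r\n', FORBIDDEN_BODY)
end

local function bad_request()
    reply('HTTP/1.0 400 Bad Request', 'Content-Type: text/plain\r\n')
end

function do_global_read_request()
    local host = ts.client_request.header['Host']
    local uri  = ts.client_request.get_uri()

    -- pybal health check is answered on any port, without hitting a backend.
    if host == HEALTHCHECK_HOST and uri == HEALTHCHECK_URI then
        ts.http.intercept(healthcheck)
        return 0
    end

    -- Requests that arrived over TLS continue through the normal pipeline.
    if ts.client_request.get_url_scheme() ~= 'http' then
        return 0
    end

    -- A redirect target cannot be built without a Host header.
    if host == nil or host == '' then
        ts.http.intercept(bad_request)
        return 0
    end

    local method = ts.client_request.get_method()
    if method == 'GET' or method == 'HEAD' then
        -- Preserve path and query string so the client lands on the same resource.
        local args = ts.client_request.get_uri_args()
        local location = 'https://' .. host .. uri
        if args and args ~= '' then
            location = location .. '?' .. args
        end
        ts.http.intercept(function() tls_redirect(location) end)
    else
        -- Non-idempotent methods are refused rather than silently replayed over HTTPS.
        ts.http.intercept(insecure_forbidden)
    end
    return 0
end
```

Refusing POST and friends with a 403 instead of redirecting matches what varnish does today: a 301 on a POST would either drop the body or replay it over HTTPS depending on the client, which is exactly the ambiguity the 403 avoids.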


Event Timeline

Vgutierrez triaged this task as Medium priority. Jun 2 2020, 12:53 PM

Change 603447 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Add support on tls.lua for http requests

https://gerrit.wikimedia.org/r/603447

Change 610821 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Support listening on multiple ports

https://gerrit.wikimedia.org/r/610821

Change 610821 merged by Vgutierrez:
[operations/puppet@production] ATS: Support listening on multiple ports

https://gerrit.wikimedia.org/r/610821

BBlack subscribed.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox. Thank you!

Change 603447 abandoned by Vgutierrez:

[operations/puppet@production] ATS: Provide http to https redirection logic in lua

Reason:

ats-tls has been deprecated in favor of HAProxy

https://gerrit.wikimedia.org/r/603447