Page MenuHomePhabricator

The "Server: mw•" response header is missing on mwmaint/noc.wm.o
Open, MediumPublic

Description

In debugging here I can never tell which one I hit (mwmaint100x / mwmaint200x).

The appserver module we use to replace Server: Apache with Server: mw#### seems to not be included/enabled here.

Event Timeline

Krinkle created this task.Tue, Jun 16, 10:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptTue, Jun 16, 10:29 PM
Krinkle updated the task description. (Show Details)Tue, Jun 16, 10:31 PM

Change 606218 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] mediawiki::maintenance: add server-header config

https://gerrit.wikimedia.org/r/606218

Krinkle triaged this task as Medium priority.Tue, Jun 23, 6:21 PM
Krinkle moved this task from Limbo to Watching on the Performance-Team (Radar) board.
Dzahn claimed this task.Thu, Jun 25, 4:36 PM
Dzahn added a comment.Thu, Jun 25, 4:43 PM

First, confirmed the difference:

[mwdebug1001:~] $  curl -s --head localhost | grep Server:
Server: mwdebug1001.eqiad.wmnet

[mwmaint1002:~] $ curl -s --head localhost | grep Server
Server: Apache

Then.. the reason is:

There is a ::httpd::conf { 'server_header': snippet in puppet which does this:

` 1 # Make the Server response header equal to the host's FQDN.

2 <IfModule security2_module>
3     ServerTokens Full
4     SecServerSignature "<%= scope['::fqdn'] %>"
5 </IfModule>`

This puppet code is used in profile::mediawiki::httpd which in turn is included in profile::mediawiki::webserver which is used in:

role::mediawiki::appserver
role::mediawiki::appserver::api
role::mediawiki:;parsoid::testing

but NOT in role::mediawiki::maintenance, the role for mwmaint servers.

Since the full webserver is not needed there, the fix above is to just add the server_header snippet.

Change 606218 merged by Dzahn:
[operations/puppet@production] mediawiki::maintenance: add server-header config

https://gerrit.wikimedia.org/r/606218

Mentioned in SAL (#wikimedia-operations) [2020-06-25T17:37:43Z] <mutante> mwmaint1002 - restarted apache2 to add server_headers snippet for T255629 - but not working as expected yet

Dzahn added a comment.Thu, Jun 25, 5:42 PM

I merged the change, ran puppet and restarted apache2 on mwmaint1002 but it's not applied yet because the code has <IfModule security2_module>
around it and that module is also not installed on mwmaint servers while it is installed on mw appservers.

Change 607848 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] mediawiki::maintenance: load mod_security2 also on mwmaint*, not just mw*

https://gerrit.wikimedia.org/r/607848