In debugging here I can never tell which one I hit (mwmaint100x / mwmaint200x).
The appserver module we use to replace Server: Apache with Server: mw#### seems to not be included/enabled here.
Change 606218 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] mediawiki::maintenance: add server-header config
First, confirmed the difference:
[mwdebug1001:~] $ curl -s --head localhost | grep Server:
Server: mwdebug1001.eqiad.wmnet
[mwmaint1002:~] $ curl -s --head localhost | grep Server
Server: Apache
Then.. the reason is:
There is a ::httpd::conf { 'server_header': snippet in puppet which does this:
```
# Make the Server response header equal to the host's FQDN.
<IfModule security2_module>
    ServerTokens Full
    SecServerSignature "<%= scope['::fqdn'] %>"
</IfModule>
```
This puppet code is used in profile::mediawiki::httpd which in turn is included in profile::mediawiki::webserver which is used in:
role::mediawiki::appserver
role::mediawiki::appserver::api
role::mediawiki::parsoid::testing
but NOT in role::mediawiki::maintenance, the role for mwmaint servers.
Since the full webserver is not needed there, the fix above is to just add the server_header snippet.
Change 606218 merged by Dzahn:
[operations/puppet@production] mediawiki::maintenance: add server-header config
Mentioned in SAL (#wikimedia-operations) [2020-06-25T17:37:43Z] <mutante> mwmaint1002 - restarted apache2 to add server_headers snippet for T255629 - but not working as expected yet
I merged the change, ran puppet and restarted apache2 on mwmaint1002 but it's not applied yet because the code has <IfModule security2_module> around it and that module is also not installed on mwmaint servers while it is installed on mw appservers.
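The failure mode described above, where directives inside `<IfModule security2_module>` are silently skipped when the module is not loaded, can be checked before a restart. The following is an added example, not part of the original thread or of operations/puppet; the function names and the sample `apachectl -M` output are constructed for illustration, and only module identifiers (not `mod_foo.c` file names) are handled.

```python
import re

# Constructed sample: the server_header snippet from the thread, as rendered on a host.
SNIPPET = """\
# Make the Server response header equal to the host's FQDN.
<IfModule security2_module>
    ServerTokens Full
    SecServerSignature "mwmaint1002.eqiad.wmnet"
</IfModule>
"""

# Constructed samples in the format printed by `apachectl -M`.
MODULES_WITHOUT = """\
Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 rewrite_module (shared)
"""
MODULES_WITH = MODULES_WITHOUT + " security2_module (shared)\n"


def loaded_modules(apachectl_m_output):
    """Return the set of module identifiers listed in `apachectl -M` output."""
    pattern = r"^[ \t]+(\w+_module)[ \t]+\((?:static|shared)\)"
    return set(re.findall(pattern, apachectl_m_output, re.M))


def inert_directives(config_text, modules):
    """List (module, directive) pairs Apache skips because an enclosing <IfModule> test fails."""
    skipped = []
    stack = []  # one (condition_holds, module_name) entry per open <IfModule>
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<IfModule\s+(!?)(\w+)\s*>$", line, re.I)
        if opening:
            negated, name = opening.group(1) == "!", opening.group(2)
            stack.append(((name in modules) != negated, name))
        elif re.match(r"</IfModule\s*>$", line, re.I):
            if stack:
                stack.pop()
        else:
            failed = [name for holds, name in stack if not holds]
            if failed:
                skipped.append((failed[0], line))
    return skipped
```

An empty result from `inert_directives` only means the guarded directives will be parsed; whether the header actually changes is still confirmed with the `curl -s --head` check used in the thread.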
Change 607848 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] mediawiki::maintenance: load mod_security2 also on mwmaint*, not just mw*
Change 607848 merged by Dzahn:
[operations/puppet@production] mediawiki::maintenance: load mod_security2 also on mwmaint*, not just mw*
Change 618161 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] mediawiki::maintenance: install modsecurity-crs
@Krinkle This works now:
[mwmaint1002:/] $ curl -s --head localhost | grep Server:
Server: mwmaint1002.eqiad.wmnet
But the ticket should not be closed yet. I need to follow-up and reported a bug to Debian about what I said in the latest commit message above.
Change 618161 merged by Dzahn:
[operations/puppet@production] mediawiki::maintenance: install modsecurity-crs