Page MenuHomePhabricator
Create Task
Maniphest T255629

The "Server: mw•" response header is missing on mwmaint/noc.wm.o
Closed, ResolvedPublic
Actions

Description

In debugging here I can never tell which one I hit (mwmaint100x / mwmaint200x).

The appserver module we use to replace Server: Apache with Server: mw#### seems to not be included/enabled here.

Details

SubjectRepoBranchLines +/-
mediawiki::maintenance: install modsecurity-crsoperations/puppetproduction+4 -1
mediawiki::maintenance: load mod_security2 also on mwmaint*, not just mw*operations/puppetproduction+6 -0
mediawiki::maintenance: add server-header configoperations/puppetproduction+4 -0
Customize query in gerrit

Event Timeline

Krinkle created this task.Jun 16 2020, 10:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 16 2020, 10:29 PM
Krinkle updated the task description. (Show Details)Jun 16 2020, 10:31 PM
gerritbot added a comment.Jun 17 2020, 4:30 PM

Change 606218 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] mediawiki::maintenance: add server-header config

https://gerrit.wikimedia.org/r/606218

gerritbot added a project: Patch-For-Review.Jun 17 2020, 4:30 PM
Krinkle triaged this task as Medium priority.Jun 23 2020, 6:21 PM
Krinkle moved this task from Limbo to Watching on the Performance-Team (Radar) board.
Dzahn claimed this task.Jun 25 2020, 4:36 PM
Dzahn added a comment.Jun 25 2020, 4:43 PM

First, confirmed the difference:

[mwdebug1001:~] $  curl -s --head localhost | grep Server:
Server: mwdebug1001.eqiad.wmnet

[mwmaint1002:~] $ curl -s --head localhost | grep Server
Server: Apache

Then.. the reason is:

There is a ::httpd::conf { 'server_header': snippet in puppet which does this:

` 1 # Make the Server response header equal to the host's FQDN.

2 <IfModule security2_module>
3     ServerTokens Full
4     SecServerSignature "<%= scope['::fqdn'] %>"
5 </IfModule>`

This puppet code is used in profile::mediawiki::httpd which in turn is included in profile::mediawiki::webserver which is used in:

role::mediawiki::appserver
role::mediawiki::appserver::api
role::mediawiki:;parsoid::testing

but NOT in role::mediawiki::maintenance, the role for mwmaint servers.

Since the full webserver is not needed there, the fix above is to just add the server_header snippet.

gerritbot added a comment.Jun 25 2020, 5:31 PM

Change 606218 merged by Dzahn:
[operations/puppet@production] mediawiki::maintenance: add server-header config

https://gerrit.wikimedia.org/r/606218

Stashbot added a comment.Jun 25 2020, 5:37 PM

Mentioned in SAL (#wikimedia-operations) [2020-06-25T17:37:43Z] <mutante> mwmaint1002 - restarted apache2 to add server_headers snippet for T255629 - but not working as expected yet

Dzahn added a comment.Jun 25 2020, 5:42 PM

I merged the change, ran puppet and restarted apache2 on mwmaint1002 but it's not applied yet because the code has <IfModule security2_module>
around it and that module is also not installed on mwmaint servers while it is installed on mw appservers.

gerritbot added a comment.Jun 25 2020, 5:53 PM

Change 607848 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] mediawiki::maintenance: load mod_security2 also on mwmaint*, not just mw*

https://gerrit.wikimedia.org/r/607848

fgiunchedi moved this task from Inbox to Radar on the observability board.Jul 20 2020, 12:57 PM
gerritbot added a comment.Aug 3 2020, 10:40 PM

Change 607848 merged by Dzahn:
[operations/puppet@production] mediawiki::maintenance: load mod_security2 also on mwmaint*, not just mw*

https://gerrit.wikimedia.org/r/607848

gerritbot added a comment.Aug 4 2020, 12:34 AM

Change 618161 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] mediawiki::maintenance: install modsecurity-crs

https://gerrit.wikimedia.org/r/618161

Dzahn added a comment.Aug 4 2020, 1:39 AM

@Krinkle This works now:

[mwmaint1002:/] $  curl -s --head localhost | grep Server:
Server: mwmaint1002.eqiad.wmnet

But the ticket should not be closed yet. I need to follow-up and reported a bug to Debian about what I said in the latest commit message above.

gerritbot added a comment.Aug 4 2020, 5:08 PM

Change 618161 merged by Dzahn:
[operations/puppet@production] mediawiki::maintenance: install modsecurity-crs

https://gerrit.wikimedia.org/r/618161

Dzahn closed this task as Resolved.Aug 10 2020, 3:19 PM

Done

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL