
contint.wikimedia.org: add TLS termination
Open, Medium, Public

Description

contint is one of the very few remaining origin servers available only via plain HTTP; see T108580#6488253. We should make it available via HTTPS instead to ensure that traffic between ATS and contint is encrypted.

Event Timeline

ema created this task. Sep 25 2020, 8:12 AM
Restricted Application added a project: Operations. Sep 25 2020, 8:12 AM
Restricted Application added a subscriber: Aklapper.
Dzahn added a subscriber: Dzahn. Sep 25 2020, 6:43 PM

This was basically all done:

https://gerrit.wikimedia.org/r/c/operations/puppet/+/591000 - tlsproxy::envoy: allow limiting firewall srange
https://gerrit.wikimedia.org/r/c/operations/puppet/+/588973 - ATS: use contint service alias as backend for integration.wm.org
https://gerrit.wikimedia.org/r/c/labs/private/+/589544 - add fake contint.wikimedia.org key
https://gerrit.wikimedia.org/r/c/operations/puppet/+/588980 - ci::master: add envoy for TLS termination for integration
https://gerrit.wikimedia.org/r/c/operations/puppet/+/589556 - add certificate for contint/integration.wikimedia.org
https://gerrit.wikimedia.org/r/c/operations/dns/+/589285 - add contint.wikimedia.org service alias for contint machines
https://gerrit.wikimedia.org/r/c/operations/puppet/+/589565 - ATS: switch contint backend to use TLS

except at the end I had to revert

https://gerrit.wikimedia.org/r/c/operations/puppet/+/591325 - Revert "ATS: switch contint backend to use TLS"

All that is needed is that last fix.

ArielGlenn triaged this task as Medium priority. Sep 28 2020, 9:35 AM
ema moved this task from Triage to Feature Requests on the Traffic board. Tue, Nov 24, 3:19 PM