Page MenuHomePhabricator

Setup internal wikis as https only
Closed, ResolvedPublic


From wikitech-l thread:

Private wikis should require HTTPS by default.

Roughly this would need;

  • Setup a server for this role and give it an external ip.
  • Configure to answer https: with the star certificate and then perform the normal wiki routing.
  • Redirect http to https.
  • Change usage of bits load.php to the local one (avoid mixed content warnings and protect against active attackers).
  • Change the dns records to the new ip.
  • Profit!

No need for caching layer in front of it, as anonymous users can't read it. If there were, $wgCookieSecure may need to be manually set.

Version: unspecified
Severity: enhancement



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:28 PM
bzimport added projects: HTTPS, acl*sre-team.
bzimport set Reference to bz27622.
bzimport added a subscriber: Unknown Object (MLST).

We're now testing in http/https dual mode on the regular domain (per bug 20643); forcing it to SSL-only at this point should be pretty easy.

At this point rather than setting up a second HTTPS-only server to handle a couple domains, I'd recommend just continuing to build out that infrastructure for the other private/internal wikis and then flipping them to require SSL for logins; adding as a dependency. is now HTTPS only with a redirect.

I guess we can establish a list and start migrating all the other private wikis.

You mean a list like private.dblist?

Ticket 2565 has been closed on March 19th. The private wikis have been to relocate to HTTPS.