Page MenuHomePhabricator

get certificate for phab.wmfusercontent.org
Closed, ResolvedPublic

Description

https://rt.wikimedia.org/Ticket/Display.html?id=8212

Long story short, need a cert for the file serving domain. Without this and according to the legal requirements, users cannot upload files.

Details

Reference
fl560

Event Timeline

flimport raised the priority of this task from to High.Sep 12 2014, 1:46 AM
flimport set Reference to fl560.

dzahn wrote on 2014-08-28 01:27:43 (UTC)

you should ping RobH about this

dzahn wrote on 2014-08-28 01:29:18 (UTC)

and i would request *.wmfusercontent.org right away, i _think_ we want a unified one in this case, not a separate one for each service to come. that being said, if we actually kill BZ, what else IS going to use it? technically, lists.wm allows users to upload stuff

So I propose to uninstall Files and open LDAP. The only reason to keep LDAP closed is that we don't want people to upoload files, right?

Qgil assigned this task to chasemp.Sep 18 2014, 10:13 AM
Qgil moved this task from Backlog to Doing on the Phabricator-Production-Instance board.
In T373#5, @Qgil wrote:

So I propose to uninstall Files

We cannot --- "This application is required for Phabricator to operate, so all users must have access to it."

Qgil updated the task description. (Show Details)Sep 19 2014, 12:17 PM
Qgil set Security to None.

Drifting from "certificate"-only topic into general "separate server for attachments and setting that up" land.
Status summary, as far as I understand it:

I've asked Mark on IRC today: He wrote that "the nginx stuff is all done, sni/nginx that is. i finished that on thursday last week. but there's no backend setup for it yet that I'm aware of".

Backend setup "means, a web server vhost on the phabricator needs to be setup for it that varnish will talk to
and phabricator needs to be configured for it
and it all depends on how phabricator handles that
so yeah, we could do that, but i have no idea if that'd be consistent with the plans for it, and given that there are security implications of it all
i'd rather not guess and wait a few days until Chase can work it out"

Qgil raised the priority of this task from High to Unbreak Now!.Sep 25 2014, 8:21 AM

Using the "Unbreak Now!" priority for the first time, to signal that from all the High priorities this is the highest, because it is blocking open registration, the current milestone that we must complete before moving onto RT/Bugzilla migration -- see T463#30

jeremyb added a comment.EditedSep 28 2014, 6:00 AM

I don't understand the last few comments here.

The cert is installed and working. check yourself whether you get any SSL/TLS related errors in your browser at https://phab.wmfusercontent.org/

The server sends an error message (after client successfully authenticates the server unless client has some non-standard root CA store):
[Core Exception/Exception] Specified domain phab.wmfusercontent.org is not configured for Phabricator requests. Please use https://phabricator.wikimedia.org to visit this instance.

That indicates to me that all further work to get that domain working for uploads is on iridium (and manifests thereof), not varnish/nginx/etc. (and I *think* I saw the same error message before T373#17 so this was already fixed by then)

I don't see any upload tickets related to this one. So morph into fixing the iridium conf or make a new one?

jeremyb removed a subscriber: jeremyb.Sep 28 2014, 6:01 AM
Qgil added a subscriber: jeremyb.Sep 28 2014, 5:49 PM
In T373#22, @jeremyb wrote:

I don't understand the last few comments here.

(snip)

I don't see any upload tickets related to this one. So morph into fixing the iridium conf or make a new one?

I don't know enough about the problem to create a new task, and I'm fine reusing this one after the actual problem is solved: users being able to upload files securely in phabricator.wikimedia.org.

to clarify and ensure we're all on the same page:

the security blocker for T463: Enable registration for everybody at phabricator.wikimedia.org is not securing the process of uploading, (which is what I think when I read "users being able to upload files securely"). the issue is that after upload is done, uploaded content that's available for download must be prevented from escalating uploader's access to a different user's phab session. this is done by making those downloads come from a different origin (in this case even a different effective second-level domain).

chasemp closed this task as Resolved.Sep 29 2014, 7:41 PM
chasemp removed chasemp as the assignee of this task.Oct 2 2014, 3:57 PM
chasemp removed chasemp as the assignee of this task.Oct 2 2014, 4:13 PM
Dzahn removed a subscriber: Dzahn.Oct 3 2014, 12:46 AM
Restricted Application added subscribers: Jay8g, TerraCodes. · View Herald TranscriptJun 20 2017, 6:18 AM