https://auth.wikimedia.beta.wmflabs.org/enwiki/wiki/Special:UserLogin and https://auth.wikimedia.beta.wmflabs.org/enwiki/w/index.php load fine.
When manually viewing the domain root:
https://auth.wikimedia.beta.wmflabs.org/ -> Invalid request URI (requestUri=/), can't determine language. - this is expected, we added this security check.
https://auth.wikimedia.beta.wmflabs.org/foo -> File not found. - this isn't. We should make sure there's no way to reach files.
https://auth.wikimedia.beta.wmflabs.org/enwiki/wiki/Special:UserLogin and https://auth.wikimedia.beta.wmflabs.org/enwiki/w/index.php load fine. I assume this is about when you manually view the domain root? (I've updated the task based on that assumption).
This error message comes from wmf-config, because it isn't a valid /:dbname/* url.
Unlike the other self::error() conditions, though, this one is trivially reachable and so may be deserving a custom response, or redirect, or separate docroot with a static index.html file.
The "File not found." is not coming from anywhere in operations/mediawiki-config though. And it doesn't look like an Apache error either, unless we have customized them really weirdly.
It is the same kind of "File not found." served at these URLs:
It comes from Apache (or php-fpm), for URLs that match a rewrite rule that PHP is meant to serve.
It does not happen for https://en.wikipedia.org/foo (without .php) in production, because that isn't directed to PHP.
I'm guessing that our auth-specific ^/([^/]*)/(.*)$ rewrite rule (Puppet source) might be matching this? It seems like it wouldn't because it contains two non-optional slashes. On the other hand, both of the match groups accept zero or more, so // and //foo would match which is unexpected. It might be that Apache is being "helpful" in tolerating additional slashes.
Alternatively, it might be that the vhost is lacking an include for the default config that declares ErrorDocument 404 /w/404.php. This semes unlikely, since afaik that is unconditionally included and not restricted by VirtualHost.
Ah, so that's a php-fpm error message. The problem and the suggestions here match what we're seeing: https://stackoverflow.com/a/72320136
I'll take a stab at this if you don't mind. I wanted to learn a bit more about Puppet and our Apache config,
I don't think the error message is a problem per se - we just need to understand exactly what's going on so we can be confident that there is no way to access files that shouldn't be accessed (e.g. PrivateSettings). That's very likely the case since those are protected by Apache permissions, and especially since as @Krinkle pointed out the presence of this error is not very different from normal wikis. But an accurate description of what's happening would be nice.
After reading the config files, old commits and Apache docs for most of today, I think I figured out why the weird "File not found." error happens:
I found this by blaming this unusual line referring to /w/404.php: https://gerrit.wikimedia.org/g/operations/puppet/+/29611a362ba427b1843b735eb6cf5aa373679c2f/modules/mediawiki/templates/apache/sites/wwwportals.conf.erb#67 through which I found T158782, which was in fact the same problem on the portals site. It's from 2017, I apparently filed that task myself, and Timo was involved in fixing it.
We should be able to fix this next week in a similar manner. I'd also like to avoid those ugly 404 errors for normal requests ending with .php, maybe we can do that too. And also add a nice landing page.
Change #1100530 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):
[operations/puppet@production] MediaWiki: Ensure nice 404 instead of php-fpm 404 on auth domain
Change #1100532 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):
[operations/puppet@production] MediaWiki: Redirect auth domain root to wikimedia.org portal
Change #1100534 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):
[operations/puppet@production] MediaWiki: Only proxy existing .php files, otherwise return nice 404
I've cherry-picked these patches to the beta cluster (following these instructions) and they all seem to work correctly. You can test right now.
I scheduled them for the Puppet request window tomorrow to be officially blessed: https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20241205T1700 (that seems like a lot of patches, so we might not complete them all).
The patches were not blessed today because the engineer handling the Puppet request window was not comfortable being the sole reviewer on them. Someone more familiar with the beta cluster has to review them. Not sure who that would be.
Change #1100530 merged by RLazarus:
[operations/puppet@production] MediaWiki: Ensure nice 404 instead of php-fpm 404 on auth domain
Change #1100532 merged by RLazarus:
[operations/puppet@production] MediaWiki: Redirect auth domain root to wikimedia.org portal
That should do it.
I filed T382357 about the ugly "File not found." message and moved the remaining patch there. Fixing that does not block SUL3.