Page MenuHomePhabricator

replicate HTTPS architecture
Closed, ResolvedPublic

Description

It would be great to have access to the labs using HTTPS. Some tests might require us to have access to a wiki using both HTTP and HTTPS, login tests come to mind.

Following a discussion with ops, it would be possible to use a NGINX proxy as a frontend to split HTTP and HTTPS requests. HTTPS would be terminated on a second NGINX proxy just like in production.


Version: unspecified
Severity: enhancement

Details

Reference
bz36648

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:21 AM
bzimport set Reference to bz36648.
hashar created this task.May 8 2012, 4:54 PM
hashar added a comment.May 8 2012, 4:54 PM

Moving to very low priority, we do not need HTTPS right now.

  • Bug 34367 has been marked as a duplicate of this bug. ***

Chris Steipp could use HTTPS for several features that are pending on the production cluster.

We need to sort out the protoproxy puppet class to make it fit the beta environment.

Puppet:
Most settings are in manifests/protoproxy.pp
Nginx configuration is at templates/nginx/sites/proxy.erb

Enabling this would also help to test changes to login and create account forms, which display links to secure login and are affected by $wgSecureLoginDefaultHTTPS.

This is needed pretty badly for the work we're doing on auth systems. Setting to high priority.

hashar added a comment.May 6 2013, 7:09 PM

[ccing Ariel]

Ariel and I did a brainstorming this afternoon. We now have an overall idea of the HTTPS infrastructure and Ariel about the beta setup.

Beta does not have any support for LVS right now so we can not replicate production exactly. For example, the connections are sent directly to the caches instead of through a frontend LVS server, that means we cannot catch all the HTTPS connections and direct them at a pool of nginx proxies.

Instead, the rough plan is to have a nginx proxy on each of the beta cache. It will listen on port 443, terminate the SSL connection and use the localhost cache as an upstream peer.

The SSL certificates will be problematic since we have a lot of subdomains, as a first step we will use self signed certificates.

hashar added a comment.May 7 2013, 3:31 PM

The deployment-nginx-test instance has Gerrit change #62582 (patchset 8) applied. I have manually tweaked the configuration in the following way:

/etc/hosts makes bits.beta.wmflabs.org to 127.0.0.1

Upstream cache is set to the bits cache since my instance does not run a bits cache locally. Hence the conf shows up as:

upstream bits {

server 10.4.0.51:80;
server 10.4.0.51:80;

}

Doing a local curl such as: curl https://bits.beta.wmflabs.org/ does give me some valid content. So I guess we have a first pass working.

With the help of Ariel, we got HTTPS on beta now! https://en.wikipedia.beta.wmflabs.org/wiki/Main_Page and for bits as well. The certificate names are not matching though.

This is overall fixed, we still have to generate the SSL certificates which is bug 48501. To reduce a bit the number of bugs, I hereby declare we have HTTPS architecture on beta.