It would be great to have access to the labs using HTTPS. Some tests might require us to have access to a wiki using both HTTP and HTTPS, login tests come to mind.
Following a discussion with ops, it would be possible to use a NGINX proxy as a frontend to split HTTP and HTTPS requests. HTTPS would be terminated on a second NGINX proxy just like in production.
Version: unspecified
Severity: enhancement
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | None | T39079 deployment-prep root tracking bug (tracking) | |||
| Resolved | hashar | T38648 replicate HTTPS architecture | |||
| Resolved | None | T50210 [upstream] [worked around] nginx fails: could not build the types_hash | |||
| Resolved | Krenair | T50501 beta: Get SSL certificates for *.{projects}.beta.wmflabs.org | |||
| Restricted Task |
Chris Steipp could use HTTPS for several features that are pending on the production cluster.
We need to sort out the protoproxy puppet class to make it fit the beta environment.
Puppet:
Most settings are in manifests/protoproxy.pp
Nginx configuration is at templates/nginx/sites/proxy.erb
Enabling this would also help to test changes to login and create account forms, which display links to secure login and are affected by $wgSecureLoginDefaultHTTPS.
This is needed pretty badly for the work we're doing on auth systems. Setting to high priority.
[ccing Ariel]
Ariel and I did a brainstorming this afternoon. We now have an overall idea of the HTTPS infrastructure and Ariel about the beta setup.
Beta does not have any support for LVS right now so we can not replicate production exactly. For example, the connections are sent directly to the caches instead of through a frontend LVS server, that means we cannot catch all the HTTPS connections and direct them at a pool of nginx proxies.
Instead, the rough plan is to have a nginx proxy on each of the beta cache. It will listen on port 443, terminate the SSL connection and use the localhost cache as an upstream peer.
The SSL certificates will be problematic since we have a lot of subdomains, as a first step we will use self signed certificates.
The deployment-nginx-test instance has Gerrit change #62582 (patchset 8) applied. I have manually tweaked the configuration in the following way:
/etc/hosts makes bits.beta.wmflabs.org to 127.0.0.1
Upstream cache is set to the bits cache since my instance does not run a bits cache locally. Hence the conf shows up as:
upstream bits {
server 10.4.0.51:80; server 10.4.0.51:80;
}
Doing a local curl such as: curl https://bits.beta.wmflabs.org/ does give me some valid content. So I guess we have a first pass working.
With the help of Ariel, we got HTTPS on beta now! https://en.wikipedia.beta.wmflabs.org/wiki/Main_Page and for bits as well. The certificate names are not matching though.
This is overall fixed, we still have to generate the SSL certificates which is bug 48501. To reduce a bit the number of bugs, I hereby declare we have HTTPS architecture on beta.