
Is it allowed to expose HTTPS services targeting machines without web proxies?
Closed, Invalid (Public)

Description

WMGMC Tech Group wants to merge two etcd clusters, of which one is currently on Cloud VPS and the other is on our own server. However, etcd supports only TLS-based authentication for cluster traffic. Thus we want to expose the etcd endpoint directly.

Per Help:Exposing_IPv6_services#Important_note this is not allowed, so I am creating this task to discuss this.

The primary reason for the rule is privacy. However, services like etcd server-to-server endpoints target other machines (more specifically, only our own machines) and not humans, and a human is never allowed to use the endpoint. Thus I think there shouldn't be significant privacy concerns?

Another reason (I guess) is for anti-spam. Web proxies may block some crawlers while exposing services directly doesn't.

In our case, an alternative solution is to set up a VPN between the two servers.

Event Timeline

taavi subscribed.

Sorry for the delay here. As https://wikitech.wikimedia.org/wiki/Help:Cloud_Services_communication states, we use Phabricator for tracking actual changes, and any support requests should generally be raised on the mailing list or IRC channel, so occasionally new tasks get lost. (And I'm marking this as Invalid as there's no change to the Cloud VPS infrastructure to be done here.)

Either way, exposing a port directly sounds reasonable for your use case. The note you link to applies to end user traffic where you should be using the web proxy, but for infrastructure like this the privacy reasoning does not apply. IIRC etcd already uses a distinct port for clustering (2380/tcp), so this doesn't even have to use 443/tcp, which user traffic would use.
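As an added illustration of what "TLS-based authentication for cluster traffic" means in etcd's own configuration terms (this is example configuration written for this note, not taken from the task or from any Wikimedia or WMGMC host): a node that listens for peers on 2380/tcp and accepts a peer only if it presents a certificate signed by the operator's own CA. The node name, addresses, file paths and cluster token are placeholders.

```yaml
# Added example of an etcd node configuration in etcd's YAML config-file
# format; not from the task or from any real host. All names, addresses
# and paths are placeholders.
name: node-a
data-dir: /var/lib/etcd

# The client API is kept on the private address only.
listen-client-urls: https://10.0.0.10:2379
advertise-client-urls: https://10.0.0.10:2379

# Peer (cluster) traffic is what gets exposed publicly, on etcd's own
# peer port rather than on 443.
listen-peer-urls: https://[2001:db8::a]:2380
initial-advertise-peer-urls: https://[2001:db8::a]:2380
initial-cluster: node-a=https://[2001:db8::a]:2380,node-b=https://[2001:db8::b]:2380
initial-cluster-state: existing   # this node is joining the existing cluster
initial-cluster-token: cluster-merge-placeholder

peer-transport-security:
  cert-file: /etc/etcd/pki/node-a.crt
  key-file: /etc/etcd/pki/node-a.key
  # Require every connecting peer to present a certificate signed by our CA.
  # Without this, a TLS listener on the public address would accept any
  # client that can complete a handshake, so "only our own machines" would
  # be a convention rather than something the server enforces.
  client-cert-auth: true
  trusted-ca-file: /etc/etcd/pki/ca.crt
  # Do not fall back to auto-generated certificates that nobody can verify.
  auto-tls: false

client-transport-security:
  cert-file: /etc/etcd/pki/node-a.crt
  key-file: /etc/etcd/pki/node-a.key
  client-cert-auth: true
  trusted-ca-file: /etc/etcd/pki/ca.crt
```

With `client-cert-auth: true` on the peer listener, a connection to 2380/tcp from a host that has no certificate issued by `ca.crt` fails during the TLS handshake, before any etcd protocol is spoken; a quick check after exposing the port is to connect with `openssl s_client -connect <host>:2380` without a client certificate and confirm the handshake is rejected. The cert files used here must be issued by a CA that only the two operators control, since anyone holding a certificate from that CA can join the cluster.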