
Put all zirconium vhosts behind misc varnish cluster
Closed, Resolved. Public

Description

zirconium.wikimedia.org has public IPv4 and IPv6 addresses and is used as a CNAME target for the contacts, etherpad, and *.planet virtual hosts. These CNAMEs should be changed to misc-web-lb.eqiad and the related Varnish and front-end SSL termination configuration added. This will allow removing the public IPs from zirconium, thus reducing the attack surface of the cluster.


Version: wmf-deployment
Severity: normal

references:

contacts: T84158
old-bugzilla: T85785
etherpad: T85788
planet: T85789

Details

Event Timeline

bzimport raised the priority of this task from to High. Nov 22 2014, 2:22 AM
bzimport added projects: HTTPS, acl*sre-team.
bzimport set Reference to bz58048.
bzimport added a subscriber: Unknown Object (MLST).

Change 181268 had a related patch set uploaded (by John F. Lewis):
etherpad: move behind misc-lb.eqiad

https://gerrit.wikimedia.org/r/181268

Patch-For-Review

After a few talks with people, an interesting idea for this.

Currently zirconium has bugs-attachment, planet and etherpad pointing directly to it. All of these could be moved behind misc, although planet needs a bit of work in that the planet SSL cert needs to be available.

If all of this is moved behind misc, zirconium could actually be made internal-only and the IPs can be spared, which is what I'll look at working towards.

bugs-attachment shouldn't be any different from old-bugzilla. They belong together.

Change 181268 abandoned by John F. Lewis:
etherpad: move behind misc-lb.eqiad

Reason:
Two separate patches submitted.

https://gerrit.wikimedia.org/r/181268

Change 181415 had a related patch set uploaded (by John F. Lewis):
cache: install the planet SSL cert on misc-web

https://gerrit.wikimedia.org/r/181415

Patch-For-Review

planet.wikimedia.org seems to be a redirect to a metawiki page handled by zirconium. Couldn't we change the DNS to text-lb (or the correct lb or DYNC DNS setting) and have the cluster apache deal with the redirect?

This would make the planet Varnish config simpler by a few bytes.

Change 181419 had a related patch set uploaded (by John F. Lewis):
planets: add Varnish statement

https://gerrit.wikimedia.org/r/181419

Patch-For-Review

A public vs. a private IP makes little difference in the "attack surface" (zirconium is currently firewalled).

Moving behind misc-web is usually done for other reasons (individual certificate cost, caching etc.). Planet needs its own certificate anyway (second-level wildcard), so there is not much incentive here. I'm not sure why we would do this.

Contacts is a discussion on its own; it's a Drupal instance that is unpuppetized and I don't think we want to maintain. It can be argued that it doesn't even belong in the production realm.

Etherpad... sure, we can move. I doubt we can cache it though.

Change 181419 abandoned by John F. Lewis:
planets: add Varnish statement

Reason:
Pending a discussion about whether this is really worth it.

https://gerrit.wikimedia.org/r/181419

I'm generally in favour of having things behind varnish unless we have a good reason not to; if anything, that lets us change/tweak/redirect things in varnish itself without changing anything external (simple example: swapping zirconium with another machine).

Change 181419 restored by John F. Lewis:
planets: add Varnish statement

https://gerrit.wikimedia.org/r/181419

Change 181984 had a related patch set uploaded (by John F. Lewis):
planets: remove SSL stanza

https://gerrit.wikimedia.org/r/181984

Patch-For-Review

Change 181985 had a related patch set uploaded (by John F. Lewis):
planet: change dns to misc-web

https://gerrit.wikimedia.org/r/181985

Patch-For-Review

Dzahn mentioned this in Unknown Object (Diffusion Commit). Jan 14 2015, 4:52 PM

All the blocking tasks have been resolved. No service names are pointing to zirconium anymore.

The reference to contacts included, that is also behind misc-web. The last thing to move was etherpad.
Also no SSL config in sites-enabled on zirconium anymore.

Resolving... we could now remove the public IP if we want to.
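The closing check in this task is "no service names are pointing to zirconium anymore", which has to hold before the public IPs can be dropped without breaking a vhost. The script below is an added example, not Wikimedia tooling and not part of the task; it follows CNAME chains in a constructed zone snapshot (the hostnames are taken from the task only as labels, the addresses are RFC 5737 test values) and reports every service name whose chain still terminates at the host being retired, as well as dangling chains and loops. Run against real zone data, the same logic gives the list of names that would go dark once the host loses its addresses.

```python
"""Find service names whose CNAME chain still ends at a host that is
about to lose its public IPs.

Added example; not Wikimedia's own tooling. The zone data below is
constructed for illustration only.
"""

from typing import Dict, List, Tuple

# Constructed zone snapshots: name -> (record type, target).
# ZONE_BEFORE mirrors the task description (everything CNAMEs to zirconium);
# ZONE_AFTER mirrors the final comment (everything CNAMEs to misc-web-lb).
ZONE_BEFORE: Dict[str, Tuple[str, str]] = {
    "zirconium.wikimedia.org": ("A", "198.51.100.10"),          # RFC 5737 test address
    "misc-web-lb.eqiad.wikimedia.org": ("A", "198.51.100.20"),  # RFC 5737 test address
    "contacts.wikimedia.org": ("CNAME", "zirconium.wikimedia.org"),
    "etherpad.wikimedia.org": ("CNAME", "zirconium.wikimedia.org"),
    "en.planet.wikimedia.org": ("CNAME", "zirconium.wikimedia.org"),
    "planet.wikimedia.org": ("CNAME", "en.planet.wikimedia.org"),  # two-hop chain
}

ZONE_AFTER: Dict[str, Tuple[str, str]] = dict(ZONE_BEFORE, **{
    "contacts.wikimedia.org": ("CNAME", "misc-web-lb.eqiad.wikimedia.org"),
    "etherpad.wikimedia.org": ("CNAME", "misc-web-lb.eqiad.wikimedia.org"),
    "en.planet.wikimedia.org": ("CNAME", "misc-web-lb.eqiad.wikimedia.org"),
})

MAX_HOPS = 8  # guard against CNAME loops and runaway chains


def resolve_chain(name: str, zone: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return the names visited while following CNAMEs from `name`.

    The last element is the name that carries the address record, or the
    first name with no record at all (a dangling CNAME). Raises ValueError
    on a CNAME loop or a chain longer than MAX_HOPS.
    """
    chain = [name]
    seen = {name}
    while True:
        rtype, target = zone.get(chain[-1], ("NONE", ""))
        if rtype != "CNAME":
            return chain
        if target in seen:
            raise ValueError(f"CNAME loop via {target}")
        if len(chain) >= MAX_HOPS:
            raise ValueError(f"CNAME chain from {name} exceeds {MAX_HOPS} hops")
        seen.add(target)
        chain.append(target)


def names_ending_at(zone: Dict[str, Tuple[str, str]], final_host: str) -> List[str]:
    """Service names (CNAME owners) whose chain terminates at `final_host`."""
    return sorted(
        n for n, (rtype, _) in zone.items()
        if rtype == "CNAME" and resolve_chain(n, zone)[-1] == final_host
    )


def dangling_names(zone: Dict[str, Tuple[str, str]]) -> List[str]:
    """CNAME owners whose chain ends at a name that has no record in the zone."""
    return sorted(
        n for n, (rtype, _) in zone.items()
        if rtype == "CNAME" and resolve_chain(n, zone)[-1] not in zone
    )


if __name__ == "__main__":
    retiring = "zirconium.wikimedia.org"
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        still = names_ending_at(zone, retiring)
        print(f"{label}: {len(still)} name(s) still reach {retiring}: {still}")
        print(f"{label}: dangling CNAMEs: {dangling_names(zone)}")
```

The chain walk matters more than it looks: `planet.wikimedia.org` never names zirconium directly, it reaches it through `en.planet.wikimedia.org`, so a grep for the hostname in the zone file would miss it while this check does not.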