Page MenuHomePhabricator
Create Task
Maniphest T97530

SCB services should not use a proxy for our domains
Closed, ResolvedPublic0 Estimated Story Points
Actions

Description

Services residing on the SCB cluster use url-downloader.wikimedia.org as a proxy. However, it should return a 403 code when a URL resolves to one of WMF's IPs. Hence, the services need not to use it when making requests to our domains. The current approach is to provide helper methods in service-template-node that will allow users to make normal requests for the MW and RESTBase APIs, which will be templated and their URIs replaced by the LVS addresses for these entities.

Details

SubjectRepoBranchLines +/-
service::node: Do not use the proxy by defaultoperations/puppetproduction+6 -4
Config: Do not use the proxy at allmediawiki/services/mobileapps/deploymaster+5 -5
Config: Add discovery.wmnet to no_proxy_listmediawiki/services/mobileapps/deploymaster+1 -0
Config: Add discovery.wmnet to no_proxy_listmediawiki/services/cxserver/deploymaster+1 -0
service::node: Add the list of domains for which not to use the proxyoperations/puppetproduction+174 -5
Revert "Allow the full configuration of domains which shouldn't be proxied"mediawiki/services/citoidmaster+7 -12
Allow the full configuration of domains which shouldn't be proxiedmediawiki/services/citoidmaster+12 -7
Customize query in gerrit

Related Objects

Event Timeline

mobrovac created this task.Apr 29 2015, 1:46 PM
mobrovac claimed this task.
mobrovac raised the priority of this task from to Unbreak Now!.
mobrovac updated the task description. (Show Details)
mobrovac added projects: Services, Citoid, Graphoid, Mobile-Apps, service-template-node, acl*sre-team.
mobrovac subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 29 2015, 1:46 PM
gerritbot subscribed.Apr 29 2015, 2:57 PM

Change 207454 had a related patch set uploaded (by Mobrovac):
service::node: Add the list of domains for which not to use the proxy

https://gerrit.wikimedia.org/r/207454

gerritbot added a project: Patch-For-Review.Apr 29 2015, 2:57 PM
gerritbot added a comment.Apr 29 2015, 3:54 PM

Change 207467 had a related patch set uploaded (by Mobrovac):
Allow the full configuration of domains which shouldn't be proxied

https://gerrit.wikimedia.org/r/207467

gerritbot added a comment.Apr 29 2015, 3:54 PM

Change 207467 merged by Mobrovac:
Allow the full configuration of domains which shouldn't be proxied

https://gerrit.wikimedia.org/r/207467

mobrovac mentioned this in rGCIT0d358ad79763: Allow the full configuration of domains which shouldn't be proxied.Apr 29 2015, 3:55 PM
mobrovac lowered the priority of this task from Unbreak Now! to Medium.Apr 29 2015, 6:24 PM
mobrovac added a subscriber: akosiaris.

@akosiaris reverted the LVS IP block in https://gerrit.wikimedia.org/r/#/c/207489 until we come up with a proper solution.

gerritbot added a comment.Apr 29 2015, 7:44 PM

Change 207538 had a related patch set uploaded (by Mobrovac):
Revert "Allow the full configuration of domains which shouldn't be proxied"

https://gerrit.wikimedia.org/r/207538

gerritbot added a comment.Apr 29 2015, 7:44 PM

Change 207538 merged by Mobrovac:
Revert "Allow the full configuration of domains which shouldn't be proxied"

https://gerrit.wikimedia.org/r/207538

mobrovac mentioned this in rGCITe8b1eb496615: Revert "Allow the full configuration of domains which shouldn't be proxied".Apr 29 2015, 7:45 PM
Mvolz moved this task from Backlog to Production on the Citoid board.May 4 2015, 7:45 PM
Mvolz removed a project: Patch-For-Review.
Mvolz set Security to None.
mobrovac moved this task from Backlog to Next on the Services board.Jun 2 2015, 12:29 PM
mobrovac raised the priority of this task from Medium to High.Aug 13 2015, 11:57 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptAug 13 2015, 11:57 PM
mobrovac added a project: Mobile-Content-Service.Aug 13 2015, 11:59 PM
mobrovac removed a subscriber: gerritbot.
bearND removed a project: Mobile-Content-Service.Aug 27 2015, 3:47 PM
mobrovac removed a project: Mobile-Apps.Aug 28 2015, 3:39 PM
gerritbot added a comment.Sep 23 2015, 10:11 PM

Change 207454 abandoned by Mobrovac:
service::node: Add the list of domains for which not to use the proxy

https://gerrit.wikimedia.org/r/207454

mobrovac added a parent task: T134241: graphoid should not use the http proxy to connect to the mediawiki api and other internal services.May 13 2016, 1:49 PM
mobrovac renamed this task from SCA services should not use a proxy for our domains to SCB services should not use a proxy for our domains.May 13 2016, 1:52 PM
mobrovac added a project: User-mobrovac.
mobrovac updated the task description. (Show Details)
Restricted Application added a project: VisualEditor. · View Herald TranscriptMay 13 2016, 1:52 PM
mobrovac mentioned this in T134241: graphoid should not use the http proxy to connect to the mediawiki api and other internal services.May 13 2016, 1:52 PM
Jdforrester-WMF moved this task from To Triage to TR0: Interrupt on the VisualEditor board.May 16 2016, 9:27 AM
mobrovac removed a parent task: T134241: graphoid should not use the http proxy to connect to the mediawiki api and other internal services.May 16 2016, 11:04 AM
Jdforrester-WMF set the point value for this task to 0.May 19 2016, 10:03 PM
GWicke subscribed.Jun 7 2016, 5:49 AM

@mobrovac, is there still anything left to be done here?

Jdforrester-WMF moved this task from TR0: Interrupt to External and Administrivia on the VisualEditor board.Aug 9 2016, 7:34 PM
GWicke edited projects, added Services (next); removed Services.Oct 12 2016, 3:31 PM
GWicke closed this task as Resolved.Oct 12 2016, 10:59 PM

Closing due to inactivity.

mobrovac reopened this task as Open.Oct 13 2016, 7:08 PM

Nope nope, we still need to do this one. Sorry for dropping the ball on this one!

Joe subscribed.Mar 27 2017, 12:58 PM

This is now a blocker (sort-of) for the current work on using DNS for discovery: in fact as soon as I switched the parameter for the restbase url to the discovery one (so restbase.svc.codfw.wmnet to restbase.discovery.wmnet, both resolving to the same IP) cxserver and mobileapps started complaining and investigation showed me the issue were the requests that were being directed to the proxy instead of being direct.

It is interesting to note that other apps behaved correctly instead.

gerritbot added a comment.Mar 27 2017, 3:29 PM

Change 344957 had a related patch set uploaded (by Mobrovac):
[mediawiki/services/cxserver/deploy@master] Config: Add discovery.wmnet to no_proxy_list

https://gerrit.wikimedia.org/r/344957

gerritbot added a project: Patch-For-Review.Mar 27 2017, 3:29 PM
gerritbot added a comment.Mar 27 2017, 3:33 PM

Change 344957 merged by Mobrovac:
[mediawiki/services/cxserver/deploy@master] Config: Add discovery.wmnet to no_proxy_list

https://gerrit.wikimedia.org/r/344957

gerritbot added a comment.Mar 27 2017, 3:34 PM

Change 344958 had a related patch set uploaded (by Mobrovac):
[mediawiki/services/mobileapps/deploy@master] Config: Add discovery.wmnet to no_proxy_list

https://gerrit.wikimedia.org/r/344958

gerritbot added a comment.Mar 27 2017, 3:41 PM

Change 344958 merged by Mobrovac:
[mediawiki/services/mobileapps/deploy@master] Config: Add discovery.wmnet to no_proxy_list

https://gerrit.wikimedia.org/r/344958

mobrovac added a comment.Mar 27 2017, 3:51 PM

After switching to Scap3 config deploys only the services that need the proxy to contact outside services use it. The exceptions are graphoid and mobileapps which still have the lists in their configs. I will verify whether they actually need them.

gerritbot added a comment.Mar 27 2017, 5:59 PM

Change 344975 had a related patch set uploaded (by Mobrovac):
[mediawiki/services/mobileapps/deploy@master] Config: Do not use the proxy at all

https://gerrit.wikimedia.org/r/344975

gerritbot added a comment.Mar 27 2017, 6:00 PM

Change 344975 merged by Mobrovac:
[mediawiki/services/mobileapps/deploy@master] Config: Do not use the proxy at all

https://gerrit.wikimedia.org/r/344975

gerritbot added a comment.Mar 27 2017, 7:43 PM

Change 344996 had a related patch set uploaded (by Mobrovac):
[operations/puppet@production] service::node: Do not use the proxy by default

https://gerrit.wikimedia.org/r/344996

gerritbot added a comment.Mar 28 2017, 3:25 PM

Change 344996 merged by Giuseppe Lavagetto:
[operations/puppet@production] service::node: Do not use the proxy by default

https://gerrit.wikimedia.org/r/344996

mobrovac closed this task as Resolved.Mar 28 2017, 4:46 PM
mobrovac edited projects, added Services (done); removed Patch-For-Review, Services (next).

All of the services that do not need the proxy, don't use it. Moreover, with the switch to Scap3 config deploys, each service controls if the proxy will be active or not, so I'm declaring this task done (finally).

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptMar 28 2017, 4:46 PM
Ryasmeen moved this task from To be Verified to Verified on the User-Ryasmeen board.Mar 28 2017, 11:55 PM
Ryasmeen moved this task from Verified to Non verifiable/Task on the User-Ryasmeen board.Apr 13 2017, 9:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL