As discussed in {T278495}, we should put lists.wikimedia.org's web interface behind LVS. Exim/mail is excluded since we might go a different route for that: T232343#7059925.
Currently, we get a TLS cert from acme-chief and Apache redirects nearly all HTTP traffic over to HTTPS, where we have a bunch of routing and redirects.
We probably want to end up with Apache just serving over HTTP, and Envoy doing HTTPS in between Apache<-->LVS/caches.
---
[x] Adapt Django configuration to accept traffic from Envoy https://gerrit.wikimedia.org/r/c/operations/puppet/+/1219770
[] Adapt the existing record to tie lists.wm.o to the hosting server https://gerrit.wikimedia.org/r/c/operations/dns/+/1219061
[] Create a new conftool entry https://gerrit.wikimedia.org/r/c/operations/puppet/+/1219151
[] Create a new service catalog entry using LVS class `low-traffic?` https://gerrit.wikimedia.org/r/c/operations/puppet/+/1219151
[] Add lists to ATS cache_text as a backend https://gerrit.wikimedia.org/r/c/operations/puppet/+/1219062
[] Ensure Varnish VCL includes lists.wm.o in any relevant instances of its many hostname regex patterns ...?
[] Ensure all headers (`X-Forwarded-Proto`, `X-Forwarded-For`, etc.) and logging are still up to production standards
[] // First, try in only one CDN site: magru or drmrs perhaps?//
[] Opt-in SRE & developer testing
[] //Write instructions and/or ship tunnelencabulator feature: modify /etc/hosts to point lists.wikimedia.org to the new, CDN-fronted public IP//
[] One full business day of testing with several volunteers?
---
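A sketch of the backend-side check behind the `X-Forwarded-Proto` / `X-Forwarded-For` item, for the point where Apache only sees plain HTTP from Envoy. This is an added example, not part of the task or the linked puppet changes; `resolve_request` and the proxy ranges are hypothetical placeholders.

```python
import ipaddress

# Constructed placeholder ranges standing in for the local TLS terminator
# and the CDN hops; these are assumptions, not real production values.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("127.0.0.0/8", "198.51.100.0/24")]


def _trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_request(peer_ip, headers):
    """Return (client_ip, scheme) the backend should log and act on.

    peer_ip is the TCP peer seen by the HTTP-only backend; headers is a
    dict keyed by lower-cased header name.
    """
    # A peer that is not one of our proxies gets none of its headers honoured.
    if not _trusted(peer_ip):
        return peer_ip, "http"

    # Walk X-Forwarded-For right to left: each trusted hop appended the
    # address it saw, so the first untrusted entry is the real client and
    # everything left of it is client-supplied and ignored.
    client = peer_ip
    raw = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that validated
        client = hop
        if not _trusted(hop):
            break

    # Only the two expected values are accepted; anything else means http.
    proto = headers.get("x-forwarded-proto", "").strip().lower()
    scheme = proto if proto in ("http", "https") else "http"
    return client, scheme
```

The same rule applies to access logs: the logged client address should be the one derived this way, not the leftmost `X-Forwarded-For` entry.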