Last modified: 2013-05-21 08:31:51 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator; bug reports are now handled in Wikimedia Phabricator.
This static website is a read-only historical archive: logging in is not possible and, apart from displaying bug reports and their history, links may be broken. See T38648, the corresponding Phabricator task, for complete and up-to-date information on this bug report.
Bug 36648 - replicate HTTPS architecture
Status: RESOLVED FIXED
Product: Wikimedia Labs
Classification: Unclassified
Component: deployment-prep (beta)
Version: unspecified
Hardware/OS: All / All
Importance: Normal enhancement
Target Milestone: ---
Assigned To: Antoine "hashar" Musso (WMF)
Duplicates: 34367
Depends on: 48501 48210
Blocks: 37079
Reported: 2012-05-08 16:54 UTC by Antoine "hashar" Musso (WMF)
Modified: 2013-05-21 08:31 UTC (History)
CC: 8 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---



Description Antoine "hashar" Musso (WMF) 2012-05-08 16:54:14 UTC
It would be great to have access to the labs using HTTPS. Some tests might require us to have access to a wiki using both HTTP and HTTPS, login tests come to mind.

Following a discussion with ops, it would be possible to use an NGINX proxy as a frontend to split HTTP and HTTPS requests. HTTPS would be terminated on a second NGINX proxy, just like in production.
Comment 1 Antoine "hashar" Musso (WMF) 2012-05-08 16:54:37 UTC
Moving to very low priority, we do not need HTTPS right now.
Comment 2 Antoine "hashar" Musso (WMF) 2012-05-15 18:20:51 UTC
*** Bug 34367 has been marked as a duplicate of this bug. ***
Comment 3 Antoine "hashar" Musso (WMF) 2013-03-18 21:58:56 UTC
Chris Steipp could use HTTPS for several features that are pending on the production cluster.

We need to sort out the protoproxy puppet class to make it fit the beta environment.
Comment 4 Antoine "hashar" Musso (WMF) 2013-03-18 22:02:47 UTC
Puppet:
Most settings are in manifests/protoproxy.pp
Nginx configuration is at templates/nginx/sites/proxy.erb
Comment 5 spage 2013-04-12 01:08:26 UTC
Enabling this would also help to test changes to login and create account forms, which display links to secure login and are affected by $wgSecureLoginDefaultHTTPS.
Comment 6 Rob Lanphier 2013-04-29 20:34:12 UTC
This is needed pretty badly for the work we're doing on auth systems. Setting to high priority.
Comment 7 Antoine "hashar" Musso (WMF) 2013-05-06 19:09:07 UTC
[ccing Ariel]

Ariel and I did a brainstorming session this afternoon. We now have an overall idea of the HTTPS infrastructure, and Ariel of the beta setup.

Beta does not have any support for LVS right now, so we cannot replicate production exactly. For example, the connections are sent directly to the caches instead of through a frontend LVS server, which means we cannot catch all the HTTPS connections and direct them at a pool of nginx proxies.

Instead, the rough plan is to have an nginx proxy on each of the beta caches. It will listen on port 443, terminate the SSL connection and use the localhost cache as an upstream peer.

The SSL certificates will be problematic since we have a lot of subdomains; as a first step we will use self-signed certificates.
Comment 8 Antoine "hashar" Musso (WMF) 2013-05-07 15:31:35 UTC
The deployment-nginx-test instance has Gerrit change #62582 (patchset 8) applied. I have manually tweaked the configuration in the following way:

/etc/hosts maps bits.beta.wmflabs.org to 127.0.0.1

Upstream cache is set to the bits cache since my instance does not run a bits cache locally. Hence the conf shows up as:

 upstream bits {
   server 10.4.0.51:80;
   server 10.4.0.51:80;
 }


Doing a local curl such as: curl https://bits.beta.wmflabs.org/ does give me some valid content. So I guess we have a first pass working.
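The per-cache terminator sketched in comments 7 and 8, written out as an added example; this is not the content of Gerrit change #62582 or of the protoproxy puppet template, and the certificate paths, the 127.0.0.1:80 upstream and the X-Forwarded-Proto header are assumptions, not settings taken from this bug:

```nginx
# Added example: one nginx HTTPS terminator sitting on a beta cache host.
# Assumed: the local cache listens on 127.0.0.1:80, the certificate and key
# paths are placeholders, and bits.beta.wmflabs.org is the served hostname.

upstream bits {
    # The cache on this same host. Comment 8 pointed this at the bits cache
    # (10.4.0.51) instead because that test instance ran no cache locally.
    server 127.0.0.1:80;
}

server {
    listen 443 ssl;
    server_name bits.beta.wmflabs.org;

    # Self-signed placeholder until real certificates exist (bug 48501).
    # Until then every client sees a name/issuer mismatch, exactly what
    # comment 9 reports, so test clients must be told to skip verification.
    ssl_certificate     /etc/ssl/certs/beta-selfsigned.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/beta-selfsigned.key; # placeholder path

    location / {
        proxy_pass http://bits;

        # Keep the original Host header so the cache selects the right backend.
        proxy_set_header Host $host;

        # The cache and MediaWiki only ever see plain HTTP from this proxy.
        # Marking the request as having arrived over HTTPS is what lets the
        # backend tell the two apart (the HTTP/HTTPS "split" from the
        # description and the secure-login tests from comment 5).
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With the /etc/hosts entry from comment 8 in place (or curl's `--resolve bits.beta.wmflabs.org:443:127.0.0.1`, which avoids editing /etc/hosts), `curl -k https://bits.beta.wmflabs.org/` exercises the terminator; `-k` disables certificate verification and is only acceptable while the self-signed placeholder is in use. Once bug 48501 delivers proper certificates, the same request without `-k` is the check that the chain and the name match.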
Comment 9 Antoine "hashar" Musso (WMF) 2013-05-14 11:46:38 UTC
With the help of Ariel, we got HTTPS on beta now! https://en.wikipedia.beta.wmflabs.org/wiki/Main_Page and for bits as well. The certificate names are not matching though.
Comment 10 Antoine "hashar" Musso (WMF) 2013-05-21 08:31:51 UTC
This is overall fixed; we still have to generate the SSL certificates, which is bug 48501. To reduce a bit the number of bugs, I hereby declare we have HTTPS architecture on beta.
