Alexandros Kosiaris has submitted this change and it was merged.
Change subject: Add HTTPS support to parsoid varnishes
......................................................................
Add HTTPS support to parsoid varnishes
Parsoid varnishes never supported HTTPS. This was intentional but right
now parsoid services also host cxserver and very soon citoid (see
T76949). Those are public services that are fetched via XHR and browsers
at this point throw warnings about fetching resources insecurely. Chrome
38 and above, however, block the request. As does Firefox 23 and above.
Use role::cache::ssl::parsoid to terminate HTTPS on the parsoid varnishes
via nginx and pass the HTTP request to the varnish backend. The new
class role::cache::ssl::parsoid just adds the wikimedia and
m.wikimedia.org certificates and the unified to support older clients.
Bug: T86847
Change-Id: I83574f6a92d28bcbc59d9fe412406516293782da
---
M manifests/role/cache.pp
1 file changed, 21 insertions(+), 0 deletions(-)
Approvals:
Alexandros Kosiaris: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/role/cache.pp b/manifests/role/cache.pp
index a8291c0..b91cf1d 100644
--- a/manifests/role/cache.pp
+++ b/manifests/role/cache.pp
@@ -1419,9 +1419,30 @@
}
}
+ class ssl::parsoid {
+ # Explicitly not adding wmf CA since it is not needed for now
+ include role::protoproxy::ssl::common
+
+ localssl { 'unified':
+ certname => 'uni.wikimedia.org',
+ default_server => true,
+ }
+ localssl { 'wikimedia.org':
+ certname => 'sni.wikimedia.org',
+ server_name => 'wikimedia.org',
+ server_aliases => ['*.wikimedia.org'],
+ }
+ localssl { 'm.wikimedia.org':
+ certname => 'sni.m.wikimedia.org',
+ server_name => 'm.wikimedia.org',
+ server_aliases => ['*.m.wikimedia.org'],
+ }
+ }
+
class parsoid inherits role::cache::varnish::2layer {
if ( $::realm == 'production' ) {
+ include role::cache::ssl::parsoid
class { 'lvs::realserver':
realserver_ips =>
$lvs::configuration::lvs_service_ips[$::realm]['parsoidcache'][$::site],
}
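Review bot: the `include role::cache::ssl::parsoid` line is placed inside `if ( $::realm == 'production' )` in class parsoid, so only production hosts get the nginx TLS terminator, and nothing in the hunk says whether parsoid caches in other realms are meant to stay HTTP-only. If that is intended, a one-line comment next to the include would record it; if not, the include belongs outside the realm check. Separately, the only comment in the new `ssl::parsoid` class covers the omitted wmf CA; a short comment above `localssl { 'unified':` noting that `default_server => true` makes the unified certificate the fallback for older clients (the reason given in the commit message) would keep a later cleanup from dropping it or moving the default to one of the `sni.*` certificates.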
--
To view, visit https://gerrit.wikimedia.org/r/185181
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I83574f6a92d28bcbc59d9fe412406516293782da
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits