BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/217046

Change subject: Move HTTPS code into wikimedia.vcl
......................................................................

Move HTTPS code into wikimedia.vcl

Change-Id: I85bee5eab2bcb96ce791410d5d23b31f91eb17d3
---
M modules/varnish/manifests/instance.pp
M modules/varnish/templates/vcl/wikimedia.vcl.erb
2 files changed, 64 insertions(+), 16 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/46/217046/1

diff --git a/modules/varnish/manifests/instance.pp 
b/modules/varnish/manifests/instance.pp
index f529c7d..d9bde34 100644
--- a/modules/varnish/manifests/instance.pp
+++ b/modules/varnish/manifests/instance.pp
@@ -63,16 +63,6 @@
         notify  => Exec["load-new-vcl-file${instancesuffix}"],
     }
 
-    if has_key($vcl_config,'layer') and $vcl_config['layer'] == 'frontend' {
-        file { "/etc/varnish/frontend-hooks.inc.vcl":
-            owner   => 'root',
-            group   => 'root',
-            mode    => '0444',
-            source  => "puppet:///private/misc/frontend-hooks.inc.vcl",
-            notify  => Exec["load-new-vcl-file${instancesuffix}"],
-        }
-    }
-
     # The defaults file is also parsed by /usr/share/varnish/reload-vcl,
     #   even under systemd where the init part itself does not.  This
     #   situation should be cleaned up later after all varnishes are on
diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb 
b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index 0da8e95..cd9daad 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -162,6 +162,66 @@
 
 # Functions
 
+// start frontend-only block for HTTPS
+<% if @vcl_config.fetch("layer", "") == "frontend" -%>
+
+// *** HTTPS recv code - domain-based 301/302->HTTPS decisions happen here
+// if GET/HEAD filter is modified/removed later, keep in mind we need to not 
affect
+//   the PURGE traffic here, as purge is called after this.
+sub https_recv_redirect {
+       if(req.request == "GET" || req.request == "HEAD") {
+               if(req.http.X-Forwarded-Proto != "https") {
+                       if(req.url ~ "(?i)^https?:") {
+                               if(req.url ~ "(?i)^https?://ru\.") {
+                                       set req.http.Location = regsub(req.url, 
"(?i)^http:", "https:");
+                                       error 751 "TLS Redirect";
+                               }
+                       }
+                       else {
+                               if(req.http.Host ~ "(?i)^ru\.") {
+                                       set req.http.Location = "https://"; + 
req.http.Host + req.url;
+                                       error 751 "TLS Redirect";
+                               }
+                       }
+               }
+       }
+}
+
+// *** HTTPS error code - implements 301/302 response for recv code
+sub https_error_redirect {
+       if (obj.status == 752) {
+               set obj.http.Location = req.http.Location;
+               set obj.status = 302;
+               set obj.http.Content-Length = "0"; // BZ #62245
+               return(deliver);
+       }
+       if (obj.status == 751) {
+               set obj.http.Location = req.http.Location;
+               set obj.status = 301;
+               set obj.http.Content-Length = "0"; // BZ #62245
+               return(deliver);
+       }
+}
+
+// *** HTTPS deliver code - domain-based HSTS headers
+sub https_deliver_hsts {
+       if(req.http.X-Forwarded-Proto == "https") {
+               if(req.url ~ "(?i)^https?:") {
+                       if(req.url ~ "(?i)^https?://ru\.") {
+                               set resp.http.Strict-Transport-Security = 
"max-age=15768000";
+                       }
+               }
+               else {
+                       if(req.http.Host ~ "(?i)^ru\.") {
+                               set resp.http.Strict-Transport-Security = 
"max-age=15768000";
+                       }
+               }
+       }
+}
+
+<% end -%>
+// ^ end frontend-only block for HTTPS
+
 sub rewrite_proxy_urls {
        set req.url = regsub(req.url, "^http://[^/]+";, "");
 }
@@ -303,8 +363,9 @@
        }
 <% end -%>
 <% if @vcl_config.fetch("layer", "") == "frontend" -%>
-       call frontend_recv_hook;
+       call https_recv_redirect;
 <% end -%>
+
        call vcl_recv_append_xff;
 
        if ( req.http.host ~ "^varnishcheck" ) {
@@ -396,7 +457,7 @@
        }
 
 <% if @vcl_config.fetch("layer", "") == "frontend" -%>
-       call frontend_deliver_hook;
+       call https_deliver_hsts;
 <% end -%>
 
        /* Function vcl_deliver in <%= @vcl %>.inc.vcl will be appended here */
@@ -404,7 +465,7 @@
 
 sub vcl_error {
 <% if @vcl_config.fetch("layer", "") == "frontend" -%>
-       call frontend_error_hook;
+       call https_error_redirect;
 <% end -%>
 
        if (obj.status == 400 || obj.status == 413) {
@@ -443,6 +504,3 @@
 
 /* Include the VCL file for this role */
 include "<%= @vcl %>.inc.vcl";
-<% if @vcl_config.fetch("layer", "") == "frontend" -%>
-include "frontend-hooks.inc.vcl";
-<% end -%>

-- 
To view, visit https://gerrit.wikimedia.org/r/217046
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I85bee5eab2bcb96ce791410d5d23b31f91eb17d3
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to