BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/221670

Change subject: primary ssl services -> unified-only, not SNI
......................................................................

primary ssl services -> unified-only, not SNI

We've been reviewing this setup in light of cwnd/rwin sizes to
avoid excess RTT as well as eventual plans to switch to ECDSA and
manage OCSP better.  Basically, it looks like switching back to
unified-only isn't going to gain us any additional RTTs, and it
makes everything simpler for ECDSA, OCSP, and cert management in
general.

This also has the potentially big upside that SPDY clients will be
able to coalesce on a single connection for domains they
previously considered unrelated due to SNI (e.g. *.wp.o + *.wm.o
in the general case, for all domains that map to text-lb).

Change-Id: I9a202167966d7242cf28fe86bcd997271fd53b65
---
M modules/role/manifests/cache/bits.pp
M modules/role/manifests/cache/mobile.pp
D modules/role/manifests/cache/ssl/sni.pp
A modules/role/manifests/cache/ssl/unified.pp
M modules/role/manifests/cache/text.pp
M modules/role/manifests/cache/upload.pp
6 files changed, 23 insertions(+), 61 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/70/221670/1

diff --git a/modules/role/manifests/cache/bits.pp 
b/modules/role/manifests/cache/bits.pp
index 119ce51..86632a0 100644
--- a/modules/role/manifests/cache/bits.pp
+++ b/modules/role/manifests/cache/bits.pp
@@ -13,7 +13,7 @@
     }
 
     if $::realm == 'production' {
-        include role::cache::ssl::sni
+        include role::cache::ssl::unified
     }
 
     $cluster_options = {
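Review bot: the class swapped in here depends on role::cache::ssl::sni being deleted in this same change, so any remaining `include role::cache::ssl::sni` anywhere else in the repository would fail catalog compilation for that host once this merges; the four cache roles in this patchset (bits, mobile, text, upload) are covered, but a repository-wide search for `role::cache::ssl::sni` before merge would confirm that nothing outside modules/role/manifests/cache still references the removed class.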
diff --git a/modules/role/manifests/cache/mobile.pp 
b/modules/role/manifests/cache/mobile.pp
index 88b148e..6f24b15 100644
--- a/modules/role/manifests/cache/mobile.pp
+++ b/modules/role/manifests/cache/mobile.pp
@@ -20,7 +20,7 @@
     $memory_storage_size = ceiling(0.125 * $::memorysize_mb / 1024.0)
 
     if $::realm == 'production' {
-        include role::cache::ssl::sni
+        include role::cache::ssl::unified
     }
 
     require geoip
diff --git a/modules/role/manifests/cache/ssl/sni.pp 
b/modules/role/manifests/cache/ssl/sni.pp
deleted file mode 100644
index 7c24a6a..0000000
--- a/modules/role/manifests/cache/ssl/sni.pp
+++ /dev/null
@@ -1,57 +0,0 @@
-class role::cache::ssl::sni {
-    include role::protoproxy::ssl::common
-
-    role::cache::ssl::local { 'unified':
-        certname => 'uni.wikimedia.org',
-        default_server => true,
-        do_ocsp => true,
-    }
-
-    # local shorthand for use below only
-    define sni_cert() {
-        role::cache::ssl::local { $name:
-            certname => "sni.${name}",
-            server_name => $name,
-            server_aliases => ["*.${name}"],
-            do_ocsp => true,
-        }
-    }
-
-    sni_cert {
-        'zero.wikipedia.org':;
-        'm.wikipedia.org':;
-        'wikipedia.org':;
-        'm.wikimedia.org':;
-        'wikimedia.org':;
-        'm.wiktionary.org':;
-        'wiktionary.org':;
-        'm.wikiquote.org':;
-        'wikiquote.org':;
-        'm.wikibooks.org':;
-        'wikibooks.org':;
-        'm.wikisource.org':;
-        'wikisource.org':;
-        'm.wikinews.org':;
-        'wikinews.org':;
-        'm.wikiversity.org':;
-        'wikiversity.org':;
-        'm.wikidata.org':;
-        'wikidata.org':;
-        'm.wikivoyage.org':;
-        'wikivoyage.org':;
-        'm.wikimediafoundation.org':;
-        'wikimediafoundation.org':;
-        'm.mediawiki.org':;
-        'mediawiki.org':;
-    }
-
-    monitoring::service { 'https':
-        description   => 'HTTPS',
-        check_command => 'check_sslxNN',
-    }
-
-    # ordering ensures nginx/varnish config/service-start are
-    #  not intermingled during initial install where they could
-    #  have temporary conflicts on binding port 80
-    Service['nginx'] -> Service<| tag == 'varnish_instance' |>
-}
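Review bot: the removed sni_cert block is what served the 25 listed names and their `*.${name}` wildcards (zero.wikipedia.org, m.wikidata.org, wikimediafoundation.org and so on) from dedicated `sni.${name}` certificates, and after this change each of those hostnames and wildcards is only valid if it appears as a SAN on the `uni.wikimedia.org` certificate; a gap there surfaces to users as a certificate hostname mismatch rather than as a Puppet error, so it would be worth stating in the commit message or a comment that the unified certificate's SAN list was checked against this list before dropping the SNI certs. Separately, removing the class stops Puppet from managing the `sni.*` certificate and key files and the nginx server blocks built from them, but does not remove what is already on disk on the cache hosts; a follow-up that ensures those private keys are cleaned up (or an `ensure => absent` pass) would avoid leaving unused key material in place.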
diff --git a/modules/role/manifests/cache/ssl/unified.pp 
b/modules/role/manifests/cache/ssl/unified.pp
new file mode 100644
index 0000000..548f304
--- /dev/null
+++ b/modules/role/manifests/cache/ssl/unified.pp
@@ -0,0 +1,19 @@
+class role::cache::ssl::unified {
+    include role::protoproxy::ssl::common
+
+    role::cache::ssl::local { 'unified':
+        certname => 'uni.wikimedia.org',
+        default_server => true,
+        do_ocsp => true,
+    }
+
+    monitoring::service { 'https':
+        description   => 'HTTPS',
+        check_command => 'check_sslxNN',
+    }
+
+    # ordering ensures nginx/varnish config/service-start are
+    #  not intermingled during initial install where they could
+    #  have temporary conflicts on binding port 80
+    Service['nginx'] -> Service<| tag == 'varnish_instance' |>
+}
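Review bot: the new class has no header comment; since its body is the deleted sni.pp minus the sni_cert define and its instances, a short note that this role intentionally serves one default_server certificate for every hostname on the cluster (with the reasons from the commit message: no RTT gain from SNI, simpler ECDSA/OCSP and cert management, SPDY connection coalescing) would tell the next reader why the per-domain certs are gone rather than leaving a bare class. Also, the `check_sslxNN` monitoring check is carried over unchanged from the SNI class, where it ran alongside per-name vhosts; with a single certificate it is worth confirming that this check still validates the names that used to have their own SNI certs, not just that the default server answers on 443.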
diff --git a/modules/role/manifests/cache/text.pp 
b/modules/role/manifests/cache/text.pp
index 856ff99..2fbca93 100644
--- a/modules/role/manifests/cache/text.pp
+++ b/modules/role/manifests/cache/text.pp
@@ -18,7 +18,7 @@
     $memory_storage_size = ceiling(0.125 * $::memorysize_mb / 1024.0)
 
     if $::realm == 'production' {
-        include role::cache::ssl::sni
+        include role::cache::ssl::unified
     }
 
     require geoip
diff --git a/modules/role/manifests/cache/upload.pp 
b/modules/role/manifests/cache/upload.pp
index 8d82bf1..d85e8d8 100644
--- a/modules/role/manifests/cache/upload.pp
+++ b/modules/role/manifests/cache/upload.pp
@@ -21,7 +21,7 @@
     $memory_storage_size = ceiling(0.08333 * $::memorysize_mb / 1024.0)
 
     if $::realm == 'production' {
-        include role::cache::ssl::sni
+        include role::cache::ssl::unified
     }
 
     $varnish_be_directors = {

-- 
To view, visit https://gerrit.wikimedia.org/r/221670
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9a202167966d7242cf28fe86bcd997271fd53b65
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
