Chmarkine has uploaded a new change for review.
https://gerrit.wikimedia.org/r/222270
Change subject: Wikidata - HSTS include subdomains and preload
......................................................................
Wikidata - HSTS include subdomains and preload
wikidata.org only has four subdomains, all of which don't have
certificate issues. So I believe it's safe to add "includeSubDomains"
and "preload" tokens so that it can be preloaded.
Bug: T104244
Change-Id: Iab425da3cf2d6c68ed313eec0993584374701349
---
M modules/varnish/templates/vcl/wikimedia.vcl.erb
1 file changed, 6 insertions(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/70/222270/1
diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb
b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index 859828f..cd804ec 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -224,7 +224,12 @@
// successfully reached us over HTTPS for the given domainname.
if (req.http.X-Forwarded-Proto == "https") {
if (!resp.http.Strict-Transport-Security) {
- set resp.http.Strict-Transport-Security =
"max-age=15768000";
+ if (req.http.Host ~ "(?i)(^|\.)wikidata\.org$") {
+ set resp.http.Strict-Transport-Security =
"max-age=15768000; includeSubDomains; preload";
+ }
+ else {
+ set resp.http.Strict-Transport-Security =
"max-age=15768000";
+ }
}
}
}
--
To view, visit https://gerrit.wikimedia.org/r/222270
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iab425da3cf2d6c68ed313eec0993584374701349
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine <chmark...@hotmail.com>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
