Rush has submitted this change and it was merged.
Change subject: phabricator: start using x-client-ip
......................................................................
phabricator: start using x-client-ip
As of 400e9873dfc8fc3728227cc30643833525eae914 we
are now limiting logs held about user activity
to 30 days. Upstream also agreed to stop storing
IP information in the long lived transaction tables.
Bug: T114014
Change-Id: I44fd3b63178bff07300ad2d2e7d86ffd6ad686c5
---
M manifests/role/phabricator.pp
M modules/phabricator/manifests/init.pp
M modules/phabricator/templates/phabricator-default.conf.erb
3 files changed, 11 insertions(+), 0 deletions(-)
Approvals:
Chad: Looks good to me, but someone else must approve
Rush: Verified; Looks good to me, approved
diff --git a/manifests/role/phabricator.pp b/manifests/role/phabricator.pp
index de400ee..7181b5e 100644
--- a/manifests/role/phabricator.pp
+++ b/manifests/role/phabricator.pp
@@ -36,7 +36,10 @@
include phabricator::mpm
include lvs::realserver
include base::firewall
+ include ::apache::mod::remoteip
+ # this site's misc-lb caching proxies hostnames
+ $cache_misc_nodes = hiera('cache::misc::nodes', [])
$current_tag = 'release/2015-07-08/1'
$domain = 'phabricator.wikimedia.org'
$altdom = 'phab.wmfusercontent.org'
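Review bot: The fallback in `hiera('cache::misc::nodes', [])` is an array, yet the second hunk indexes the value by site name in `trusted_proxies => $cache_misc_nodes[$::site]`, so the data is evidently a hash keyed by site. If the hiera key is missing or the current site has no entry, the lookup presumably fails or yields an undefined value instead of an empty proxy list. A hash default, `hiera('cache::misc::nodes', {})`, with an explicit per-site fallback to `[]` would keep the types consistent. The comment could also say that the hash covers all sites and is narrowed to this site only where it is passed on.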
@@ -45,6 +48,7 @@
class { '::phabricator':
serveralias => $altdom,
+ trusted_proxies => $cache_misc_nodes[$::site],
git_tag => $current_tag,
lock_file => '/var/run/phab_repo_lock',
mysql_admin_user => $role::phabricator::config::mysql_adminuser,
diff --git a/modules/phabricator/manifests/init.pp
b/modules/phabricator/manifests/init.pp
index 3f3b21a..183cea8 100644
--- a/modules/phabricator/manifests/init.pp
+++ b/modules/phabricator/manifests/init.pp
@@ -71,6 +71,7 @@
class phabricator (
$phabdir = '/srv/phab',
$timezone = 'UTC',
+ $trusted_proxies = [],
$lock_file = '',
$git_tag = 'HEAD',
$sprint_tag = '',
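Review bot: `$trusted_proxies` is added without a description or a type check, although it decides which peers may supply the client address that Apache takes from `X-Client-IP`. A wrong entry lets that host present an arbitrary client IP, so the parameter deserves a line in the class documentation, which sits outside this hunk, for example `# [*trusted_proxies*] Array of cache hosts allowed to set X-Client-IP; empty when not behind a proxy`. A `validate_array($trusted_proxies)` at the top of the class body would also reject a string or undefined value before the template calls `.join` on it.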
@@ -85,6 +86,7 @@
$serveralias = '',
) {
+
#A combination of static and dynamic conf parameters must be merged
$module_path = get_module_path($module_name)
$fixed_settings = loadyaml("${module_path}/data/fixed_settings.yaml")
diff --git a/modules/phabricator/templates/phabricator-default.conf.erb
b/modules/phabricator/templates/phabricator-default.conf.erb
index d256d22..892a3dd 100644
--- a/modules/phabricator/templates/phabricator-default.conf.erb
+++ b/modules/phabricator/templates/phabricator-default.conf.erb
@@ -11,6 +11,11 @@
<%- end %>
DocumentRoot <%= @docroot %>
+ <IfModule mod_remoteip.c>
+ RemoteIPHeader X-Client-IP
+ RemoteIPInternalProxy <%= @trusted_proxies.join(' ') %>
+ </IfModule>
+
# redirect/enforce http->https
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
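Review bot: With the class default of `$trusted_proxies = []`, the line `RemoteIPInternalProxy <%= @trusted_proxies.join(' ') %>` renders the directive with no arguments whenever mod_remoteip is loaded, which Apache is likely to reject at config test. Guarding the block on a non-empty list, opening with `<%- unless @trusted_proxies.empty? -%>` and closing with `<%- end -%>`, would make an empty list mean that no forwarded header is honoured at all. The header is also only as trustworthy as the caches in front: this relies on them overwriting any client-supplied `X-Client-IP`, which is not visible here, and a comment above `RemoteIPHeader` stating that assumption would help. The enclosing VirtualHost starts and ends outside the hunk.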
--
To view, visit https://gerrit.wikimedia.org/r/259709
Gerrit-MessageType: merged
Gerrit-Change-Id: I44fd3b63178bff07300ad2d2e7d86ffd6ad686c5
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush <[email protected]>
Gerrit-Reviewer: Chad <[email protected]>
Gerrit-Reviewer: Rush <[email protected]>
Gerrit-Reviewer: jenkins-bot <>