BBlack has uploaded a new change for review.
https://gerrit.wikimedia.org/r/294083
Change subject: VCL: do not include labs instances in wikimedia_nets
......................................................................
VCL: do not include labs instances in wikimedia_nets
We should fix this later with better sets from network::constants,
but this works for now...
Change-Id: I25a3366b1ec713dd5ef11193124b7d702c6d050c
---
M modules/varnish/templates/vcl/wikimedia-common.inc.vcl.erb
1 file changed, 5 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/83/294083/1
diff --git a/modules/varnish/templates/vcl/wikimedia-common.inc.vcl.erb
b/modules/varnish/templates/vcl/wikimedia-common.inc.vcl.erb
index 9ee13de..ee8f81b 100644
--- a/modules/varnish/templates/vcl/wikimedia-common.inc.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-common.inc.vcl.erb
@@ -52,12 +52,17 @@
"<%= @ipaddress %>"; // note this matches nginx proxy_pass for TLS
}
+// This is currently used in 3 places:
+// 1) frontends: only wikimedia_nets can fake X-F-P
+// 2) frontends: external trusted proxies aren't allowed to set XCIP to
wikimedia_nets
+// 3) backends: port 3128 can only connect from wikimedia_nets
acl wikimedia_nets {
<% scope.lookupvar('::network::constants::all_networks_lo').each do |entry|
subnet, mask = entry.split("/", 2)
-%>
"<%= subnet %>"/<%= mask %>;
<% end -%>
+ ! "10.68.0.0/16"; # temporary hack, do not treat labs like production
}
# Backend probes
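Review bot: the excluded labs range on `+ ! "10.68.0.0/16";` is hard-coded while every other entry in `acl wikimedia_nets` is generated from `network::constants::all_networks_lo`, so that subnet now has to be kept in sync in two places; the commit message already calls this temporary, and a pointer in the comment to the follow-up that replaces it with proper sets from network::constants would help whoever touches this next. The negation itself follows the documented Varnish ACL idiom of carving a more specific range out of a broader one, so the intent is sound. Minor style point: the new line uses `#` for its trailing comment while the surrounding block, including the three-line `// This is currently used in 3 places:` comment added just above the ACL, uses `//`; both are valid VCL comment markers, but `//` would be consistent. Since this ACL gates X-F-P faking, XCIP from trusted proxies and port 3128 backend connections, it is worth confirming on one frontend and one backend that a 10.68.0.0/16 source now fails all three checks before merging.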
--
To view, visit https://gerrit.wikimedia.org/r/294083
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I25a3366b1ec713dd5ef11193124b7d702c6d050c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits