Nikerabbit has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/312079

Change subject: Update ssl configuration
......................................................................

Update ssl configuration

* Used certbot to get cert for all subdomains
* Main site still using the existing cert
* Fixed lists.translatewiki.net which was not updated for new location
* Use a stricter ssl config for the subdomains

Change-Id: If96014d7e5ea6a8ddd9427f4d7743759bc57ff57
---
M puppet/modules/awstats/files/stats.translatewiki.net
M puppet/modules/mailmanconf/files/nginx/lists.translatewiki.net
M puppet/modules/mailmanconf/manifests/init.pp
A puppet/modules/nginx/files/dev.translatewiki.net
A puppet/modules/nginx/files/ssl-certbot.conf
M puppet/modules/nginx/files/translatewiki.net
M puppet/modules/nginx/manifests/sites.pp
M puppet/modules/nginx/manifests/ssl.pp
8 files changed, 107 insertions(+), 17 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/translatewiki 
refs/changes/79/312079/1

diff --git a/puppet/modules/awstats/files/stats.translatewiki.net 
b/puppet/modules/awstats/files/stats.translatewiki.net
index 60cfd0e..aa5b40e 100644
--- a/puppet/modules/awstats/files/stats.translatewiki.net
+++ b/puppet/modules/awstats/files/stats.translatewiki.net
@@ -4,7 +4,7 @@
        listen 443 ssl http2;
        listen [2a03:4000:6:b01e::1]:443 ssl http2;
 
-       include includes/ssl.conf;
+       include includes/ssl-certbot.conf;
 
        server_name stats.translatewiki.net;
        root /www/stats.translatewiki.net;
@@ -27,4 +27,9 @@
        location ~ ^/awstatsicons/(.*)$ {
                alias /usr/share/awstats/icon/$1;
        }
+
+       # Exclude let's encrypt
+       location /.well-known {
+               auth_basic off;
+       }
 }
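Review bot: The `auth_basic off` location added at the end of this server block disables authentication for the whole `/.well-known` prefix (and, as a plain prefix match, also for any path that merely starts with that string), which is broader than the ACME challenge needs. Narrow it to the challenge path and give it precedence over later regex locations: `location ^~ /.well-known/acme-challenge/ { auth_basic off; }`. The comment `# Exclude let's encrypt` would say more as `# Let's Encrypt ACME challenge: served without basic auth`.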
diff --git a/puppet/modules/mailmanconf/files/nginx/lists.translatewiki.net 
b/puppet/modules/mailmanconf/files/nginx/lists.translatewiki.net
index bd6320d..20008aa 100644
--- a/puppet/modules/mailmanconf/files/nginx/lists.translatewiki.net
+++ b/puppet/modules/mailmanconf/files/nginx/lists.translatewiki.net
@@ -7,7 +7,7 @@
        listen 443 ssl http2;
        listen [2a03:4000:6:b01e::2]:443 ssl http2;
 
-       include includes/ssl.conf;
+       include includes/ssl-certbot.conf;
 
        server_name lists.translatewiki.net;
        root /usr/lib/cgi-bin/mailman;
@@ -27,4 +27,7 @@
                include fastcgi_params;
                fastcgi_pass unix:/var/run/fcgiwrap.socket;
        }
+
+       # Exclude let's encrypt
+       location /.well-known {}
 }
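Review bot: The empty `location /.well-known {}` inherits `root /usr/lib/cgi-bin/mailman`, so nginx will look for challenge files under the Mailman CGI directory; if that is not the directory certbot's webroot plugin writes to, renewals will fail, and nothing in the diff shows which webroot was used. Give the challenge its own root and narrow the prefix: `location ^~ /.well-known/acme-challenge/ { root <CHALLENGE-WEBROOT-PLACEHOLDER>; }`. The same narrowing applies to the stats.translatewiki.net hunk above, while the new dev.translatewiki.net vhost has no such location and relies on its `/www/$host/docroot` root for the challenge.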
diff --git a/puppet/modules/mailmanconf/manifests/init.pp 
b/puppet/modules/mailmanconf/manifests/init.pp
index c94f622..ec447ba 100644
--- a/puppet/modules/mailmanconf/manifests/init.pp
+++ b/puppet/modules/mailmanconf/manifests/init.pp
@@ -26,14 +26,8 @@
     allowdupe => true,
   }
 
-  file { '/etc/nginx/sites-available/lists.translatewiki.net':
+  file { '/etc/nginx/sites/lists.translatewiki.net':
     source  => 'puppet:///modules/mailmanconf/nginx/lists.translatewiki.net',
-  }
-
-  file { '/etc/nginx/sites-enabled/lists.translatewiki.net':
-    ensure => 'link',
-    target => '../sites-available/lists.translatewiki.net',
-    notify => Service['nginx'],
   }
 
   file { '/etc/exim4/conf.d/main/04_mailman_options':
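Review bot: The old `/etc/nginx/sites-available/lists.translatewiki.net` file and the `sites-enabled` symlink are dropped from Puppet but not from the hosts, so on an already-provisioned machine the old vhost (still including `ssl.conf`) stays on disk and, if nginx still loads `sites-enabled/*`, keeps serving alongside the new one. Add `file { '/etc/nginx/sites-enabled/lists.translatewiki.net': ensure => absent, }` and the same for the `sites-available` copy for at least one deploy cycle. The new resource also loses the `notify => Service['nginx']` that the removed symlink carried; if the `/etc/nginx/sites` directory is notified elsewhere that is fine, otherwise a changed vhost is written but never reloaded.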
diff --git a/puppet/modules/nginx/files/dev.translatewiki.net 
b/puppet/modules/nginx/files/dev.translatewiki.net
new file mode 100644
index 0000000..95f0884
--- /dev/null
+++ b/puppet/modules/nginx/files/dev.translatewiki.net
@@ -0,0 +1,62 @@
+# file managed by puppet
+
+server {
+       listen 80;
+       listen [2a03:4000:6:b01e::1]:80;
+       server_name dev.translatewiki.net;
+       return 301 https://$host$request_uri;
+}
+
+server {
+       listen 443 ssl http2;
+       listen [2a03:4000:6:b01e::1]:443 ssl http2;
+
+       include includes/ssl-certbot.conf;
+
+       server_name dev.translatewiki.net;
+       root /www/$host/docroot;
+
+       location = / {
+               rewrite ^ /w/index.php;
+       }
+
+       location ~ ^/wiki/(.*)$ {
+               rewrite ^/wiki/(.*)$ /w/index.php/$1;
+       }
+
+       location = /sitemap {
+               rewrite ^ 
"/w/index.php?title=Special:RecentChanges&translations=&feed=atom";
+       }
+
+       location ~ ^/w/(cache|mw-config|includes|maintenance|languages|docs)/ {
+               deny all;
+       }
+
+       # Allowed php files, case sensitive
+       location ~ 
^/w/(i|index|load|api|opensearch_desc|profileinfo|webfiles/jserror)\.php {
+               fastcgi_pass hhvm-dev;
+               fastcgi_buffering off;
+               fastcgi_buffers 16 16k;
+               fastcgi_connect_timeout 1s;
+               fastcgi_send_timeout 2s;
+               fastcgi_read_timeout 15s;
+               include fastcgi.conf;
+       }
+
+       # Deny access to all php files except those above
+       location ~* \.php$ {
+               deny all;
+       }
+
+       location ~* ^/static/mainpage/.*\.jpg$ {
+               expires 2M;
+               if ($http_accept ~ "image/webp") {
+                       add_header Vary Accept;
+                       rewrite ^ $uri.webp;
+               }
+       }
+
+       location ~* \.(png|jpg|jpeg|gif|ico|svg|woff|woff2|eot|ttf|webp)$ {
+               expires 2M;
+       }
+}
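Review bot: The `add_header Vary Accept` inside the `if` block of the `/static/mainpage/` location near the end of this file appears to suppress the `Strict-Transport-Security` header that `includes/ssl-certbot.conf` sets at server level, because nginx only inherits `add_header` into a context that defines none of its own; responses rewritten to `.webp` would then go out without HSTS. Either repeat `add_header Strict-Transport-Security "max-age=31536000";` next to the `Vary` header, or keep the HSTS header in a place that applies to every response. The existing translatewiki.net vhost is only partly shown in this change, so whether it has the same pattern cannot be told from here.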
diff --git a/puppet/modules/nginx/files/ssl-certbot.conf 
b/puppet/modules/nginx/files/ssl-certbot.conf
new file mode 100644
index 0000000..c5eaa30
--- /dev/null
+++ b/puppet/modules/nginx/files/ssl-certbot.conf
@@ -0,0 +1,23 @@
+# file managed by puppet
+
+# https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
+ssl_certificate     /etc/letsencrypt/live/translatewiki.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/translatewiki.net/privkey.pem;
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:5m;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# Modern configuration.
+ssl_protocols TLSv1.2;
+ssl_ciphers 
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+ssl_prefer_server_ciphers on;
+
+add_header Strict-Transport-Security "max-age=31536000";
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/letsencrypt/live/translatewiki.net/cert.pem;
+resolver 8.8.8.8 8.8.4.4;
+
+ssl_buffer_size 4k;
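Review bot: `ssl_trusted_certificate` points at `cert.pem`, which in a certbot lineage is the leaf certificate, while `ssl_stapling_verify on` needs the CA chain that signs the OCSP response; with the leaf, nginx cannot verify the staple and will log verification failures and serve none. Use the chain file certbot writes alongside it: `ssl_trusted_certificate /etc/letsencrypt/live/translatewiki.net/chain.pem;`. The Mozilla sample the header cites also sets `ssl_session_tickets off;`, without which a long-lived ticket key undermines the forward secrecy the ECDHE-only cipher list is meant to give; and since `ssl_dhparam` is unused with an ECDHE-only list it is harmless but worth a comment, e.g. `# dhparam unused with the ECDHE-only cipher list; kept for ssl.conf parity`.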
diff --git a/puppet/modules/nginx/files/translatewiki.net 
b/puppet/modules/nginx/files/translatewiki.net
index 13ea191..4b3f16b 100644
--- a/puppet/modules/nginx/files/translatewiki.net
+++ b/puppet/modules/nginx/files/translatewiki.net
@@ -3,7 +3,7 @@
 server {
        listen 80 default_server;
        listen [2a03:4000:6:b01e::1]:80;
-       server_name translatewiki.net dev.translatewiki.net;
+       server_name translatewiki.net;
        return 301 https://$host$request_uri;
 }
 
@@ -13,7 +13,7 @@
 
        include includes/ssl.conf;
 
-       server_name translatewiki.net dev.translatewiki.net;
+       server_name translatewiki.net;
        root /www/$host/docroot;
 
        location = / {
@@ -34,12 +34,7 @@
 
        # Allowed php files, case sensitive
        location ~ 
^/w/(i|index|load|api|opensearch_desc|profileinfo|webfiles/jserror)\.php {
-               set $upstream hhvm-dev;
-               if ($host = 'translatewiki.net') {
-                       set $upstream hhvm;
-               }
-
-               fastcgi_pass $upstream;
+               fastcgi_pass hhvm;
                fastcgi_buffering off;
                fastcgi_buffers 16 16k;
                fastcgi_connect_timeout 1s;
diff --git a/puppet/modules/nginx/manifests/sites.pp 
b/puppet/modules/nginx/manifests/sites.pp
index 6def7d5..ee39748 100644
--- a/puppet/modules/nginx/manifests/sites.pp
+++ b/puppet/modules/nginx/manifests/sites.pp
@@ -12,4 +12,8 @@
   file { '/etc/nginx/sites/translatewiki.org':
     source  => 'puppet:///modules/nginx/translatewiki.org',
   }
+
+  file { '/etc/nginx/sites/dev.translatewiki.net':
+    source  => 'puppet:///modules/nginx/dev.translatewiki.net',
+  }
 }
diff --git a/puppet/modules/nginx/manifests/ssl.pp 
b/puppet/modules/nginx/manifests/ssl.pp
index eebbeab..332321e 100644
--- a/puppet/modules/nginx/manifests/ssl.pp
+++ b/puppet/modules/nginx/manifests/ssl.pp
@@ -21,4 +21,8 @@
   file { '/etc/nginx/includes/ssl.conf':
     source  => 'puppet:///modules/nginx/ssl.conf',
   }
+
+  file { '/etc/nginx/includes/ssl-certbot.conf':
+    source  => 'puppet:///modules/nginx/ssl-certbot.conf',
+  }
 }
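Review bot: The config installed by this new resource references `/etc/letsencrypt/live/translatewiki.net/*.pem` and `/etc/ssl/certs/dhparam.pem`, none of which this manifest ensures exist, so `nginx -t` fails on a freshly provisioned host until certbot has been run by hand; nothing in the change manages certbot, its renewal, or a reload hook so that a renewed certificate is picked up. If those are managed in another module, a comment such as `# ssl-certbot.conf expects certbot to have populated /etc/letsencrypt/live/translatewiki.net (managed in <MODULE-PLACEHOLDER>)` would make the dependency visible; otherwise a `require` on that resource belongs on this file resource. The rest of ssl.pp is outside this hunk, so it may already carry part of this.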

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: If96014d7e5ea6a8ddd9427f4d7743759bc57ff57
Gerrit-PatchSet: 1
Gerrit-Project: translatewiki
Gerrit-Branch: master
Gerrit-Owner: Nikerabbit <niklas.laxst...@gmail.com>
