BBlack has uploaded a new change for review. https://gerrit.wikimedia.org/r/316352
Change subject: tlsproxy: experimental support for internal ocsp ...................................................................... tlsproxy: experimental support for internal ocsp Bug: T93927 Change-Id: I7a666aafbfaceae7bbdf180e8ac179a6b30c946a --- M hieradata/hosts/cp1008.yaml M modules/tlsproxy/manifests/localssl.pp M modules/tlsproxy/templates/localssl.erb 3 files changed, 7 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/52/316352/1
diff --git a/hieradata/hosts/cp1008.yaml b/hieradata/hosts/cp1008.yaml
index afee624..c03cee7 100644
--- a/hieradata/hosts/cp1008.yaml
+++ b/hieradata/hosts/cp1008.yaml
@@ -8,3 +8,4 @@
 - 'cp1008.wikimedia.org'
 codfw:
 - 'cp1008.wikimedia.org'
+do_ocsp_int: true
diff --git a/modules/tlsproxy/manifests/localssl.pp b/modules/tlsproxy/manifests/localssl.pp
index 3048b97..71ca4c5 100644
--- a/modules/tlsproxy/manifests/localssl.pp
+++ b/modules/tlsproxy/manifests/localssl.pp
@@ -85,6 +85,7 @@
 }
 }
+ $do_ocsp_int = hiera('do_ocsp_int', false);
 if $do_ocsp {
 include tlsproxy::ocsp
diff --git a/modules/tlsproxy/templates/localssl.erb b/modules/tlsproxy/templates/localssl.erb
index 9ffc3a2..4cbdf1b 100644
--- a/modules/tlsproxy/templates/localssl.erb
+++ b/modules/tlsproxy/templates/localssl.erb
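Review bot: The `hiera('do_ocsp_int', false)` lookup added in localssl.pp reads a global, un-namespaced key from inside the module, so the switch does not appear in the manifest's parameter list and any hierarchy level that defines the key can flip how OCSP stapling is sourced. Consider exposing it as a parameter of this manifest with a `false` default, and dropping the trailing `;`, which the neighbouring `include tlsproxy::ocsp` line does not use. That `include` still runs when the flag is true; if the class only maintains the stapling files under /var/cache/ocsp it may be unnecessary in that mode, but its contents are not visible here. The enclosing block starts and ends outside the hunk.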
@@ -30,8 +30,13 @@
 <%- end -%>
 <%- if @do_ocsp -%>
 ssl_stapling on;
+ <%- if @do_ocsp_int -%>
+ resolver <%= @nameservers.join(' ') %>;
+ ssl_stapling_proxy http://webproxy.<%= @site %>.wmnet:8080/;
+ <%- else -%>
 ssl_stapling_file /var/cache/ocsp/<%= @name %>.ocsp;
 <%- end -%>
+ <%- end -%>
 keepalive_timeout 60;
-- To view, visit https://gerrit.wikimedia.org/r/316352 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7a666aafbfaceae7bbdf180e8ac179a6b30c946a Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
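Review bot: In the new `@do_ocsp_int` branch nginx fetches OCSP responses itself, over plain HTTP through the web proxy, and nothing in the hunk enables verification of what comes back. Adding `ssl_stapling_verify on;` and `ssl_trusted_certificate <issuer-chain-path>;` (placeholder path) inside that branch would make nginx check the responder's signature before stapling, so a corrupted or tampered response is discarded instead of being served to clients. The `resolver` line also renders as `resolver ;` when `@nameservers` is empty or unset, which would fail the config load; `@nameservers` is not set anywhere in the visible changes, so it presumably comes from elsewhere and is worth guarding. The server block continues outside the hunk.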