Andrew Bogott has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/349287 )
Change subject: Dynamicproxy: Set up a GET-only frontend
......................................................................
Dynamicproxy: Set up a GET-only frontend
The normal API ('Invisible Unicorn') doesn't provide any security at all.
Still, it would be nice for external users to get info about what proxies
are set up. This patch adds an additional service on 8089 that forwards
GETs to the API but refuses other requests.
Bug: T115752
Change-Id: I515154d9103c4a395c6f0723cebfadf8a7f67da3
---
A modules/dynamicproxy/files/proxygetter.conf
M modules/dynamicproxy/manifests/api.pp
2 files changed, 19 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/87/349287/1
diff --git a/modules/dynamicproxy/files/proxygetter.conf
b/modules/dynamicproxy/files/proxygetter.conf
new file mode 100644
index 0000000..64d2327
--- /dev/null
+++ b/modules/dynamicproxy/files/proxygetter.conf
@@ -0,0 +1,12 @@
+server {
+ listen 8089;
+
+ # Wrap the normal API but only allow GETs.
+ location = / {
+ proxy_pass http://127.0.0.1:5668
+
+ limit_except GET {
+ deny all;
+ }
+ }
+}
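Review bot: the `proxy_pass http://127.0.0.1:5668` line inside `location = /` has no terminating semicolon, so nginx will reject this file at config load; add the `;`. Also, `location = /` is an exact match on the root path only, so a GET for any other path of the API is not handled by this block. If the intent is to wrap the whole API, a prefix `location /` is what is needed. It is worth noting in the comment that `limit_except GET` implicitly allows HEAD as well.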
diff --git a/modules/dynamicproxy/manifests/api.pp
b/modules/dynamicproxy/manifests/api.pp
index 4b669f1..c4e4ec1 100644
--- a/modules/dynamicproxy/manifests/api.pp
+++ b/modules/dynamicproxy/manifests/api.pp
@@ -71,4 +71,11 @@
owner => 'www-data',
group => 'www-data',
}
+
+ # This is a GET-only front end that sits on port 8089. We can
+ # open this up to the public even though the actual API has no
+ # auth protections.
+ nginx::site { 'proxygetter':
+ source => 'puppet:///modules/dynamicproxy/proxygetter.conf',
+ }
}
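Review bot: the comment above `nginx::site { 'proxygetter':` says the port can be opened to the public, but it leaves out the conditions that make that safe: the backend on 5668 (which the commit message says has no security) must stay unreachable from outside, and every GET endpoint of the API must be read-only and return nothing that should stay private. Please state those conditions in the comment. Nothing in this hunk actually opens 8089 in the firewall, so either add that rule here or say where it is handled.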
--
To view, visit https://gerrit.wikimedia.org/r/349287
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I515154d9103c4a395c6f0723cebfadf8a7f67da3
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <[email protected]>