Hello BBlack, jenkins-bot,
I'd like you to do a code review. Please visit
https://gerrit.wikimedia.org/r/404426
to review the following change.
Change subject: Revert "vcl: remove X-CP-Full-Cipher"
......................................................................
Revert "vcl: remove X-CP-Full-Cipher"
The commit messed up stats.
This reverts commit 75a508b3197d4bf8da047b661ee25d3151a1e6ac.
Change-Id: I121990115fafafe875a21358f781ea7abcdd3353
---
M modules/varnish/files/tests/upload/16-x-connection-properties.vtc
M modules/varnish/files/varnishmtail
M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
3 files changed, 11 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/26/404426/1
diff --git a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
index 0dfc2eb..e100dec 100644
--- a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
+++ b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
@@ -10,6 +10,7 @@
expect req.http.X-CP-Key-Exchange == "prime256v1"
expect req.http.X-CP-Auth == "ECDSA"
expect req.http.X-CP-Cipher == "AES256-GCM-SHA384"
+ expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES256-GCM-SHA384"
txresp
@@ -22,6 +23,7 @@
expect req.http.X-CP-Key-Exchange == "prime256v1"
expect req.http.X-CP-Auth == "ECDSA"
expect req.http.X-CP-Cipher == "AES128-SHA"
+ expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES128-SHA"
txresp
@@ -34,6 +36,7 @@
expect req.http.X-CP-Key-Exchange == "X25519"
expect req.http.X-CP-Auth == "ECDSA"
expect req.http.X-CP-Cipher == "AES256-GCM-SHA384"
+ expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES256-GCM-SHA384"
txresp
@@ -46,6 +49,7 @@
expect req.http.X-CP-Key-Exchange == "RSA"
expect req.http.X-CP-Auth == "RSA"
expect req.http.X-CP-Cipher == "AES128-SHA"
+ expect req.http.X-CP-Full-Cipher == "AES128-SHA"
txresp
diff --git a/modules/varnish/files/varnishmtail
b/modules/varnish/files/varnishmtail
index 6e08dac..5ffe9cd 100644
--- a/modules/varnish/files/varnishmtail
+++ b/modules/varnish/files/varnishmtail
@@ -16,7 +16,8 @@
fmt_key_exchange='key_exchange %{VCL_Log:CP-Key-Exchange}x'
fmt_auth='auth %{VCL_Log:CP-Auth}x'
fmt_cipher='cipher %{VCL_Log:CP-Cipher}x'
+fmt_full_cipher='full_cipher %{VCL_Log:CP-Full-Cipher}x'
-FMT="${fmt_url}\t${fmt_cache_status}\t${fmt_http_status}\t${fmt_http_method}\t${fmt_cache_control}\t${fmt_inm}\t${fmt_h2}\t${fmt_tls_version}\t${fmt_session_reused}\t${fmt_key_exchange}\t${fmt_auth}\t${fmt_cipher}\t"
+FMT="${fmt_url}\t${fmt_cache_status}\t${fmt_http_status}\t${fmt_http_method}\t${fmt_cache_control}\t${fmt_inm}\t${fmt_h2}\t${fmt_tls_version}\t${fmt_session_reused}\t${fmt_key_exchange}\t${fmt_auth}\t${fmt_cipher}\t${fmt_full_cipher}\t"
/usr/bin/varnishncsa -n frontend -F "${FMT}" | mtail -progs "${PROGS}" -logfds 0
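Review bot: Nothing next to `fmt_full_cipher` records that something downstream depends on the `full_cipher` field, which is presumably why dropping it disturbed the stats, as the commit message says. A one-line comment above the assignment would keep the next cleanup from repeating that, for example `# full_cipher is read by the mtail programs in ${PROGS}; do not drop it without updating them`. The consuming program is not part of this diff, so confirm which one it is before settling the wording.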
diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
index 008c9b0..65950d7 100644
--- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
@@ -290,7 +290,9 @@
set req.http.X-CP-Key-Exchange =
regsub(req.http.X-Connection-Properties, ".* EC=([A-Za-z0-9]+);.*", "\1");
- set req.http.X-CP-Auth = regsub(req.http.X-Connection-Properties, ".*
C=([A-Z0-9-]+);.*", "\1");
+ set req.http.X-CP-Full-Cipher =
regsub(req.http.X-Connection-Properties, ".* C=([A-Z0-9-]+);.*", "\1");
+
+ set req.http.X-CP-Auth = req.http.X-CP-Full-Cipher;
if (req.http.X-CP-Auth ~ "^(ECDHE-(ECDSA|RSA)|DHE-RSA|TLS13)-") {
set req.http.X-CP-Cipher = regsub(req.http.X-CP-Auth,
"^(ECDHE-(ECDSA|RSA)|DHE-RSA|TLS13)-", "");
@@ -325,6 +327,7 @@
std.log("CP-Key-Exchange: " + req.http.X-CP-Key-Exchange);
std.log("CP-Auth: " + req.http.X-CP-Auth);
std.log("CP-Cipher: " + req.http.X-CP-Cipher);
+ std.log("CP-Full-Cipher: " + req.http.X-CP-Full-Cipher);
<%- if !@varnish_testing -%>
// Keep these in the test VCL version to ease testing
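Review bot: The value written by `std.log("CP-Full-Cipher: " + req.http.X-CP-Full-Cipher)` is not guaranteed to be a cipher name. regsub() returns its input unchanged when the pattern does not match, so an X-Connection-Properties value without a `C=` field would put the whole property string into the log record and, through varnishncsa, into the tab-separated mtail input. Wrapping the call in `if (req.http.X-CP-Full-Cipher ~ "^[A-Z0-9-]+$") { ... }` would keep anything else out of the stats pipeline. None of the four .vtc cases covers a header with no `C=` field, so a test for that input would pin the behaviour. The enclosing subroutine starts and ends outside this hunk, so an earlier guard may already cover part of this.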
@@ -334,6 +337,7 @@
unset req.http.X-CP-Key-Exchange;
unset req.http.X-CP-Auth;
unset req.http.X-CP-Cipher;
+ unset req.http.X-CP-Full-Cipher;
<%- end -%>
// The idea here is to block our worst clients (in TLS terms: those
--
To view, visit https://gerrit.wikimedia.org/r/404426
Gerrit-MessageType: newchange
Gerrit-Change-Id: I121990115fafafe875a21358f781ea7abcdd3353
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ema <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: jenkins-bot <>