Hashar has uploaded a new change for review.
https://gerrit.wikimedia.org/r/75085
Change subject: varnish: backends trust 127.0.0.1 for XFF
......................................................................
varnish: backends trust 127.0.0.1 for XFF
On beta the X-Forwarded-For and X-Forwarded-Proto fields are stripped by
the Varnish backends in sub vcl_recv. Pseudocode:

    acl allow_xff {
        # list of wikimedia networks missing 127.0.0.0/128
    }

    sub vcl_recv {
        if (client.ip ~ allow_xff) {
            # Do nothing, aka keep X-Forwarded-Proto
        } else {
            set req.http.X-Forwarded-For = client.ip;
            unset req.http.X-Forwarded-Proto;
        }
    }

When a query is made on https://login.wikimedia.beta.wmflabs.org/ it
hits the nginx proxy, which does an HTTP query on the varnish frontend
with 'X-Forwarded-For: https'. The varnish backend strips out the
X-Forwarded-Proto field and does an HTTP query to the Apache backend.
MediaWiki would then emit a redirect to HTTPS. That causes a
redirect loop :(

On beta the varnishes communicate on 127.0.0.1; adding the local
networks to the list of trusted XFF sources will let us keep the
X-Forwarded-Proto header and send it to MediaWiki. That should prevent it
from attempting to redirect the HTTP request to HTTPS.
The two local networks are made available as $wikimedia_networks.
Result:

    varnish::instance { "text-backend":
        xff_sources => $wikimedia_networks,
    varnish::instance { "text-frontend":
        xff_sources => $network::constants::all_networks,
    varnish::instance { "upload-backend":
        xff_sources => $wikimedia_networks,
    varnish::instance { "upload-frontend":
        xff_sources => $network::constants::all_networks,
    varnish::instance { "bits":
        xff_sources => $network::constants::all_networks
    varnish::instance { "mobile-backend":
        xff_sources => $wikimedia_networks,
    varnish::instance { "mobile-frontend":
        xff_sources => $network::constants::all_networks,
    varnish::instance { "parsoid-backend":
        xff_sources => $wikimedia_networks,
    varnish::instance { "parsoid-frontend":
        xff_sources => $network::constants::all_networks,
bug: 51700
Change-Id: I19a8f98e172aa3c9a0149de1c9b6f60271f34884
---
M manifests/role/cache.pp
1 file changed, 4 insertions(+), 4 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/85/75085/1
diff --git a/manifests/role/cache.pp b/manifests/role/cache.pp
index ac4c82a..1668c44 100644
--- a/manifests/role/cache.pp
+++ b/manifests/role/cache.pp
@@ -582,7 +582,7 @@
'weight' => $backend_weight,
}],
wikimedia_networks => $wikimedia_networks,
- xff_sources => $network::constants::all_networks
+ xff_sources => $wikimedia_networks,
}
varnish::instance { "text-frontend":
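Review bot: the subject says the backends start trusting 127.0.0.1, but this hunk only swaps `xff_sources => $network::constants::all_networks` for `xff_sources => $wikimedia_networks`; nothing in the diff shows loopback being added to $wikimedia_networks, so the fix depends on a definition outside this change and the commit message should say where that happens. Since manifests/role/cache.pp is on the production branch, please also confirm that in production every frontend address that talks to the text backend falls inside $wikimedia_networks; otherwise the backend will overwrite X-Forwarded-For with the frontend's own IP and MediaWiki will no longer see the real client address.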
@@ -729,7 +729,7 @@
}],
cluster_options => $cluster_options,
wikimedia_networks => $wikimedia_networks,
- xff_sources => $network::constants::all_networks
+ xff_sources => $wikimedia_networks,
}
varnish::instance { "upload-frontend":
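Review bot: trusting a loopback source extends trust to every process that can connect to the backend listener on 127.0.0.1, not only the Varnish frontend, which is acceptable on a host dedicated to the cache but worth stating. Consider a short comment beside `xff_sources => $wikimedia_networks,` recording that backends deliberately trust a narrower set than the frontends' $network::constants::all_networks and why, so the asymmetry is not later "fixed" as an inconsistency.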
@@ -961,7 +961,7 @@
'max_connections' => 600,
}],
wikimedia_networks => $wikimedia_networks,
- xff_sources => $network::constants::all_networks
+ xff_sources => $wikimedia_networks,
}
varnish::instance { "mobile-frontend":
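Review bot: this is the third identical substitution, and the Result list in the commit message shows the same value for every backend instance; a single variable set once (a hypothetical $backend_xff_sources, for example) and passed to all four backends would keep them from drifting apart. Minor style point: the `+` line adds a trailing comma where the removed line had none; harmless in Puppet, but keep it consistent with the neighbouring parameters.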
@@ -1052,7 +1052,7 @@
'between_bytes_timeout' => "20s",
'max_connections' => 600,
}],
- xff_sources => $network::constants::all_networks
+ xff_sources => $wikimedia_networks,
}
varnish::instance { "parsoid-frontend":
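Review bot: unlike the other three hunks, the context here shows `}],` followed directly by `xff_sources`; the parsoid-backend instance does not pass `wikimedia_networks => $wikimedia_networks` in the visible lines. Check that $wikimedia_networks is defined in this scope, since an undefined or empty value would make the backend strip X-Forwarded-* from every request, including those from the frontend, and decide whether the parsoid backend should receive the wikimedia_networks parameter like the others.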
--
To view, visit https://gerrit.wikimedia.org/r/75085
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I19a8f98e172aa3c9a0149de1c9b6f60271f34884
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
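The trust decision the commit message describes, modelled in Python as an added example (not code from operations/puppet or from beta's Varnish configuration); the addresses, networks and the MediaWiki redirect rule are constructed assumptions. It shows the redirect loop when loopback is absent from the backend ACL, its disappearance once 127.0.0.0/8 is trusted, and that an untrusted peer's X-Forwarded-* headers are still overwritten.

```python
import ipaddress


def vcl_recv(client_ip, headers, xff_sources):
    """Apply the commit message's vcl_recv rule to one request's headers.

    A peer inside the xff_sources ACL keeps whatever X-Forwarded-* it sent;
    any other peer has X-Forwarded-For overwritten with its own address and
    X-Forwarded-Proto removed, so only trusted hops can vouch for the client.
    """
    peer = ipaddress.ip_address(client_ip)
    out = dict(headers)
    if not any(peer in ipaddress.ip_network(net) for net in xff_sources):
        out["X-Forwarded-For"] = client_ip
        out.pop("X-Forwarded-Proto", None)
    return out


def mediawiki_redirects_to_https(headers):
    """Constructed stand-in for the login wiki: redirect unless the request
    is already marked as HTTPS by a trusted proxy."""
    return headers.get("X-Forwarded-Proto") != "https"


# Constructed addresses and networks for the illustration (not beta's real ones).
NGINX_IP = "10.64.0.5"                   # TLS-terminating proxy, inside all_networks
ALL_NETWORKS = ["10.0.0.0/8", "203.0.113.0/24"]
LOOPBACK = "127.0.0.1"                   # frontend -> backend hop on beta


def https_login_loops(backend_xff_sources):
    """Walk one HTTPS login request nginx -> frontend -> backend -> MediaWiki
    and report whether MediaWiki would bounce it back to HTTPS (the loop)."""
    hdrs = {"X-Forwarded-For": "198.51.100.23", "X-Forwarded-Proto": "https"}
    hdrs = vcl_recv(NGINX_IP, hdrs, ALL_NETWORKS)          # frontend trusts nginx
    hdrs = vcl_recv(LOOPBACK, hdrs, backend_xff_sources)   # backend sees 127.0.0.1
    return mediawiki_redirects_to_https(hdrs)


if __name__ == "__main__":
    before = ["10.0.0.0/8"]                # wikimedia_networks without loopback
    after = ["10.0.0.0/8", "127.0.0.0/8"]  # loopback added, as the change intends
    print("loop before:", https_login_loops(before))   # True
    print("loop after:", https_login_loops(after))     # False
    # An untrusted client cannot smuggle its own X-Forwarded-* past the edge.
    print(vcl_recv("198.51.100.23", {"X-Forwarded-Proto": "https"}, ALL_NETWORKS))
```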