Mark Bergsma has submitted this change and it was merged.
Change subject: varnish: backends trust 127.0.0.1 for XFF
......................................................................
varnish: backends trust 127.0.0.1 for XFF
On beta the X-Forwarded-For and X-Forwarded-Proto fields are stripped by
the Varnish caches in sub vcl_recv. Pseudocode:

acl allow_xff {
    # list of wikimedia networks missing 127.0.0.0/128
}

sub vcl_recv {
    if (client.ip ~ allow_xff) {
        # Do nothing, aka keep X-Forwarded-Proto
    } else {
        set req.http.X-Forwarded-For = client.ip;
        unset req.http.X-Forwarded-Proto;
    }
}
When a query is made on https://login.wikimedia.beta.wmflabs.org/ it
hits the nginx proxy, which is local to the varnish frontend, which itself
is local to the varnish backend. The 'X-Forwarded-For: https' header ends
up being stripped out and not passed to MediaWiki; the Apache backend
would thus redirect to the HTTPS URL and ultimately cause a redirect
loop.

The two local networks are made available as $wikimedia_networks. Use it
to set xff_sources for all Varnish caches.
bug: 51700
Change-Id: I19a8f98e172aa3c9a0149de1c9b6f60271f34884
---
M manifests/role/cache.pp
1 file changed, 9 insertions(+), 9 deletions(-)
Approvals:
Mark Bergsma: Looks good to me, approved
jenkins-bot: Verified
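The commit message's vcl_recv pseudocode and the redirect loop it describes, modelled as an added Python example (this is not code from the page or from the operations/puppet repository). The CIDR ranges standing in for $wikimedia_networks, the real-client address, the two-hop nginx -> Varnish frontend -> Varnish backend chain and the origin's "redirect unless X-Forwarded-Proto is https" rule are all constructed assumptions; the host name is the one from the commit message.

```python
import ipaddress

# Constructed stand-ins for the Puppet variables in this change. Documentation
# ranges, not real Wikimedia networks (assumption).
XFF_SOURCES_BEFORE = ["10.0.0.0/8"]                # loopback missing, as on beta
XFF_SOURCES_AFTER = ["10.0.0.0/8", "127.0.0.0/8"]  # what $wikimedia_networks must hold
ORIGIN = "https://login.wikimedia.beta.wmflabs.org/"  # URL named in the commit message


def in_acl(client_ip, acl):
    """Equivalent of `client.ip ~ allow_xff` for a list of CIDR strings."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in acl)


def vcl_recv(client_ip, headers, acl):
    """Model of the vcl_recv pseudocode: a trusted TCP peer keeps its
    X-Forwarded-For / X-Forwarded-Proto headers; any other peer has XFF
    overwritten with its own address and XFP dropped."""
    req = dict(headers)
    if in_acl(client_ip, acl):
        return req  # do nothing, keep X-Forwarded-Proto
    req["X-Forwarded-For"] = client_ip
    req.pop("X-Forwarded-Proto", None)
    return req


def origin(headers):
    """Model of the MediaWiki/Apache behaviour the commit message describes:
    the login URL must be HTTPS, so it redirects unless XFP says https."""
    if headers.get("X-Forwarded-Proto") != "https":
        return "302 " + ORIGIN
    return "200 OK"


def one_pass(acl, client_ip="127.0.0.1", headers=None):
    """One browser request: nginx (TLS terminator on the same host) -> Varnish
    frontend -> Varnish backend -> origin. Both Varnish hops see 127.0.0.1
    as client.ip because everything is local (assumption from the message)."""
    if headers is None:
        # What the local nginx proxy forwards: the real client in XFF, proto https
        # (203.0.113.5 is a constructed documentation address).
        headers = {"X-Forwarded-For": "203.0.113.5", "X-Forwarded-Proto": "https"}
    req = headers
    for _hop in ("frontend", "backend"):
        req = vcl_recv(client_ip, req, acl)
    return origin(req)


def redirects_until_content(acl, limit=5):
    """Count redirects a browser would follow before getting content;
    reaching `limit` is the redirect loop from bug 51700."""
    for n in range(limit):
        if one_pass(acl) == "200 OK":
            return n
    return limit


if __name__ == "__main__":
    print("before:", redirects_until_content(XFF_SOURCES_BEFORE), "redirects (loop)")
    print("after: ", redirects_until_content(XFF_SOURCES_AFTER), "redirects")
    # The flip side of trusting loopback: a client-supplied XFF from an untrusted
    # remote peer is still overwritten, but anything on the local host is believed,
    # so the nginx proxy must always set these headers itself.
    print(vcl_recv("198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}, XFF_SOURCES_AFTER))
    print(vcl_recv("127.0.0.1", {"X-Forwarded-For": "10.0.0.1"}, XFF_SOURCES_AFTER))
```

The last two prints make the trust boundary explicit: once 127.0.0.0/8 is in xff_sources, both Varnish layers accept whatever a local process puts in X-Forwarded-For, so the correctness of the logged and rate-limited client address depends on nginx overwriting, not appending to, the client's own XFF header.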
diff --git a/manifests/role/cache.pp b/manifests/role/cache.pp
index ac4c82a..f66e0a7 100644
--- a/manifests/role/cache.pp
+++ b/manifests/role/cache.pp
@@ -582,7 +582,7 @@
'weight' => $backend_weight,
}],
wikimedia_networks => $wikimedia_networks,
- xff_sources => $network::constants::all_networks
+ xff_sources => $wikimedia_networks,
}
varnish::instance { "text-frontend":
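Review bot: `$wikimedia_networks` is consumed here but not defined anywhere in this diff, and the redirect-loop fix only holds if that variable actually contains 127.0.0.0/8, since the commit message says nginx, the frontend and this backend all share a host; worth confirming where it is assembled. Trusting loopback for XFF also means any process on the cache host can set X-Forwarded-For and X-Forwarded-Proto unchallenged, so the nginx proxy must always overwrite those headers with its own values rather than forward client-supplied ones.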
@@ -612,7 +612,7 @@
'probe' => "varnish",
'weight' => $backend_weight,
}],
- xff_sources => $network::constants::all_networks,
+ xff_sources => $wikimedia_networks,
}
include role::cache::varnish::logging
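Review bot: this frontend is the instance directly behind the nginx proxy, and it moves from `$network::constants::all_networks` (the broader set) to `$wikimedia_networks` without receiving a `wikimedia_networks` parameter of its own, unlike the backend in the previous hunk; if the frontend's VCL needs that list for anything beyond `xff_sources`, it has to be passed here too. The trailing comma on the replaced line is kept, while the backend hunks add one to lines that lacked it; both parse in Puppet, so that is a consistency nit only.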
@@ -729,7 +729,7 @@
}],
cluster_options => $cluster_options,
wikimedia_networks => $wikimedia_networks,
- xff_sources => $network::constants::all_networks
+ xff_sources => $wikimedia_networks,
}
varnish::instance { "upload-frontend":
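Review bot: this is the third identical `xff_sources => $wikimedia_networks,` substitution, and the diff stat shows nine in total; with every instance carrying the same value, a single variable or a default on `varnish::instance` would keep the trusted-XFF list from drifting between clusters the next time it changes, which for a trust boundary like this is the kind of drift that goes unnoticed.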
@@ -758,7 +758,7 @@
'weight' => $backend_weight,
}],
cluster_options => $cluster_options,
- xff_sources => $network::constants::all_networks,
+ xff_sources => $wikimedia_networks,
}
include role::cache::varnish::logging
@@ -871,7 +871,7 @@
'probe' => $probe,
},
cluster_options => $cluster_options,
- xff_sources => $network::constants::all_networks
+ xff_sources => $wikimedia_networks,
}
include role::cache::varnish::logging::eventlistener
@@ -961,7 +961,7 @@
'max_connections' => 600,
}],
wikimedia_networks => $wikimedia_networks,
- xff_sources => $network::constants::all_networks
+ xff_sources => $wikimedia_networks,
}
varnish::instance { "mobile-frontend":
@@ -994,7 +994,7 @@
'max_connections' => 100000,
'probe' => "varnish",
}],
- xff_sources => $network::constants::all_networks,
+ xff_sources => $wikimedia_networks,
}
include role::cache::varnish::logging
@@ -1052,7 +1052,7 @@
'between_bytes_timeout' => "20s",
'max_connections' => 600,
}],
- xff_sources => $network::constants::all_networks
+ xff_sources => $wikimedia_networks,
}
varnish::instance { "parsoid-frontend":
@@ -1080,7 +1080,7 @@
'max_connections' => 100000,
'probe' => "varnish",
},
- xff_sources => $network::constants::all_networks,
+ xff_sources => $wikimedia_networks,
}
}
}
--
To view, visit https://gerrit.wikimedia.org/r/75085
Gerrit-MessageType: merged
Gerrit-Change-Id: I19a8f98e172aa3c9a0149de1c9b6f60271f34884
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <[email protected]>
Gerrit-Reviewer: Hashar <[email protected]>
Gerrit-Reviewer: Mark Bergsma <[email protected]>
Gerrit-Reviewer: jenkins-bot
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits