Ema has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/358057 )
Change subject: [WIP] VCL: switch to resp.reason testing ...................................................................... [WIP] VCL: switch to resp.reason testing Change-Id: I4d38748d3a00fa4870d6ea7a2352c91fb9528ea5 --- M modules/varnish/templates/misc-frontend.inc.vcl.erb M modules/varnish/templates/text-frontend.inc.vcl.erb M modules/varnish/templates/upload-frontend.inc.vcl.erb M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb 4 files changed, 17 insertions(+), 30 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/57/358057/1 diff --git a/modules/varnish/templates/misc-frontend.inc.vcl.erb b/modules/varnish/templates/misc-frontend.inc.vcl.erb index 7b98338..7b32a74 100644 --- a/modules/varnish/templates/misc-frontend.inc.vcl.erb +++ b/modules/varnish/templates/misc-frontend.inc.vcl.erb @@ -15,7 +15,7 @@ // re-use the TLS-redirector code and send them to the wikimedia site. if (req.http.Host == "wmfusercontent.org") { set req.http.Location = "https://www.wikimedia.org"; - return (synth(751, "TLS Redirect")); + return (synth(301, "TLS Redirect")); } call misc_recv_pass; diff --git a/modules/varnish/templates/text-frontend.inc.vcl.erb b/modules/varnish/templates/text-frontend.inc.vcl.erb index 6629921..b17414c 100644 --- a/modules/varnish/templates/text-frontend.inc.vcl.erb +++ b/modules/varnish/templates/text-frontend.inc.vcl.erb @@ -42,7 +42,7 @@ } else { set req.http.Location = "http://" + req.http.MobileHost + req.url; } - return (synth(666, "Found")); + return (synth(302, "Mobile Redirect")); } unset req.http.MobileHost; } @@ -147,7 +147,7 @@ sub cluster_fe_recv { // Experiment on dealing with a buggy UA that's spamming requests in T141786 if (req.http.User-Agent ~ "Windows NT .*Chrome/41\.0\.2272\.76" && req.url == "/" && req.http.X-Connection-Properties ~ "SSL=TLSv1.1; C=ECDHE-ECDSA-AES128-SHA;") { - return (synth(741, "Buggy request, please report at https://phabricator.wikimedia.org/T141786")); + return (synth(401, "Buggy request, please report at https://phabricator.wikimedia.org/T141786")); } call mobile_redirect; @@ -189,7 +189,7 @@ || (req.http.X-Connection-Properties ~ "C=DES-CBC3-SHA;" && req.url ~ "^/wiki/" && req.url !~ ":" && req.method == "GET" && std.random(0,100) < 1.0)) { - return (synth(787, "Browser Connection Security Warning")); + return (synth(418, "Browser Connection Security Warning")); } call text_common_recv; @@ -204,7 +204,7 @@ sub cluster_fe_ratelimit { if (req.http.User-Agent ~ "^wikiScrape/[0-9]+\.[0-9]+\.[0-9]+$") { if (vsthrottle.is_denied(req.http.X-Client-IP, 25, 5s)) { - return (synth(742, "Too Many Requests")); + return (synth(429, "Too Many Requests")); } } } @@ -298,24 +298,16 @@ sub cluster_fe_err_synth { // Support mobile redirects - if (resp.status == 666) { + if (resp.reason == "Mobile Redirect") { + set resp.reason = "Found"; set resp.http.Location = req.http.Location; - set resp.status = 302; set resp.http.Connection = "keep-alive"; set resp.http.Content-Length = "0"; // BZ #62245 - return (deliver); } // Chrome/41-on-Windows: T141786 - if (resp.status == 741) { - set resp.status = 401; + if (resp.reason == "Buggy request, please report at https://phabricator.wikimedia.org/T141786") { set resp.http.WWW-Authenticate = {"Basic realm="Buggy request, please report at https://phabricator.wikimedia.org/T141786""}; - return (deliver); - } - - // Clients performing too many requests - if (resp.status == 742) { - set resp.status = 429; return (deliver); } @@ -325,8 +317,7 @@ // confusing to extract from stats because they have other legitimate // causes. We could also invent a new unique from unused 4xx space, // but I don't think it would be any better than 418 in practice. - if (resp.status == 787) { - set resp.status = 418; + if (resp.reason == "Browser Connection Security Warning") { set resp.http.Connection = "keep-alive"; set resp.http.Cache-Control = "max-age=0, must-revalidate, no-cache, no-store"; set resp.http.Content-Type = "text/html; charset=utf-8"; diff --git a/modules/varnish/templates/upload-frontend.inc.vcl.erb b/modules/varnish/templates/upload-frontend.inc.vcl.erb index 80e3407..f973e3c 100644 --- a/modules/varnish/templates/upload-frontend.inc.vcl.erb +++ b/modules/varnish/templates/upload-frontend.inc.vcl.erb @@ -7,12 +7,12 @@ if (req.http.host == "<%= @vcl_config.fetch('upload_domain') %>") { // CORS preflight requests if (req.method == "OPTIONS" && req.http.Origin) { - return (synth(667, "OK")); + return (synth(200, "CORS Preflight")); } // Homepage redirect to commons if (req.url == "/") { - return (synth(666, "Moved Permanently")); + return (synth(301, "Commons Redirect")); } } @@ -147,8 +147,8 @@ sub cluster_fe_err_synth { if (req.http.host == "<%= @vcl_config.fetch('upload_domain') %>") { // Handle CORS preflight requests - if (resp.status == 667) { - set resp.status = 200; + if (resp.reason == "CORS Preflight") { + set resp.reason = "OK"; set resp.http.Connection = "keep-alive"; set resp.http.Content-Length = "0"; @@ -157,17 +157,14 @@ set resp.http.Access-Control-Allow-Headers = "Range"; set resp.http.Access-Control-Allow-Methods = "GET, HEAD, OPTIONS"; set resp.http.Access-Control-Max-Age = "86400"; - - return (deliver); } // Homepage redirect to commons - if (resp.status == 666) { - set resp.status = 301; + if (resp.reason == "Commons Redirect") { + set resp.reason = "Moved Permanently"; set resp.http.Location = "https://commons.wikimedia.org/"; set resp.http.Connection = "keep-alive"; set resp.http.Content-Length = "0"; - return (deliver); } } } diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb index c8f5a4f..a386448 100644 --- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb +++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb @@ -26,7 +26,7 @@ } else { set req.http.Location = "https://" + req.http.Host + req.url; - return (synth(751, "TLS Redirect")); + return (synth(301, "TLS Redirect")); } } } @@ -38,9 +38,8 @@ // *** HTTPS error code - implements 301 response for recv code sub https_error_redirect { - if (resp.status == 751) { + if (resp.reason == "TLS Redirect") { set resp.http.Location = req.http.Location; - set resp.status = 301; set resp.http.Content-Length = "0"; // T64245 return(deliver); } -- To view, visit https://gerrit.wikimedia.org/r/358057 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4d38748d3a00fa4870d6ea7a2352c91fb9528ea5 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ema <e...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits