Dzahn has submitted this change and it was merged. Change subject: Redirect https traffic from old metrics sites to wikimetrics ......................................................................
Redirect https traffic from old metrics sites to wikimetrics The used certificate is reused per https://rt.wikimedia.org/Ticket/Display.html?id=7352#txn-173783 Change-Id: Ic5c076e9e2bb2c65bb7e40ad03cb4ff93890ad57 RT: 7352 Bug: 64276 --- M manifests/misc/statistics.pp M templates/apache/sites/metrics.wikimedia.org.erb 2 files changed, 34 insertions(+), 1 deletion(-) Approvals: jenkins-bot: Verified Dzahn: Looks good to me, approved diff --git a/manifests/misc/statistics.pp b/manifests/misc/statistics.pp index 6ac4512..7c6b3dd 100644 --- a/manifests/misc/statistics.pp +++ b/manifests/misc/statistics.pp @@ -370,11 +370,15 @@ include webserver::apache webserver::apache::module { "alias": } + webserver::apache::module { "ssl": } + + # install metrics.wikimedia.org SSL certificate + install_certificate{ $site_name: } # Set up the VirtualHost file { "/etc/apache2/sites-available/$site_name": content => template("apache/sites/${site_name}.erb"), - require => [Class["webserver::apache"], Webserver::Apache::Module['alias']], + require => [Class["webserver::apache"], Webserver::Apache::Module['alias'], Webserver::Apache::Module['ssl']], notify => Class['webserver::apache::service'], } file { "/etc/apache2/sites-enabled/$site_name": diff --git a/templates/apache/sites/metrics.wikimedia.org.erb b/templates/apache/sites/metrics.wikimedia.org.erb index 9bac6be..5378633 100644 --- a/templates/apache/sites/metrics.wikimedia.org.erb +++ b/templates/apache/sites/metrics.wikimedia.org.erb @@ -25,3 +25,32 @@ LogLevel warn CustomLog /var/log/apache2/access.metrics.log combined </VirtualHost> + +<VirtualHost *:443> + # Same as above <VirtualHost *:80 />, but as we do not want to + # pollute puppet with a separate configuration that we can include + # both above and here, and until we can use Apache 2.4 to use + # <If />, we have to duplicate the above configuration verbatim. + + # Copied configuration from above <VirtualHost *:80 /> --------------- + + ServerName <%= @site_name %> + ServerAlias metrics-api.wikimedia.org + ServerAdmin [email protected] + + Redirect permanent / <%= @redirect_target %> + + ErrorLog /var/log/apache2/error.metrics.log + LogLevel warn + CustomLog /var/log/apache2/access.metrics.log combined + + # SSL configuration -------------------------------------------------- + + SSLEngine on + SSLProtocol -ALL +SSLv3 +TLSv1 + SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA + SSLHonorCipherOrder on + SSLCertificateFile /etc/ssl/certs/<%= site_name %>.pem + SSLCertificateChainFile /etc/ssl/certs/<%= site_name %>.chained.pem + SSLCertificateKeyFile /etc/ssl/private/<%= site_name %>.key +</VirtualHost> -- To view, visit https://gerrit.wikimedia.org/r/133089 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ic5c076e9e2bb2c65bb7e40ad03cb4ff93890ad57 Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: QChris <[email protected]> Gerrit-Reviewer: Dzahn <[email protected]> Gerrit-Reviewer: Ottomata <[email protected]> Gerrit-Reviewer: QChris <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
