Rush has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/159961

Change subject: allow only for localssl protoproxy
......................................................................

allow only for localssl protoproxy

=> set for wmfusercontent.org

Change-Id: Icddf778d2c592a29caf0c1c3d9bff8b8bbbf2b16
---
M manifests/role/cache.pp
M modules/protoproxy/manifests/localssl.pp
M modules/protoproxy/templates/localssl.erb
3 files changed, 8 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/61/159961/1

diff --git a/manifests/role/cache.pp b/manifests/role/cache.pp
index 9a9b987..48eae82 100644
--- a/manifests/role/cache.pp
+++ b/manifests/role/cache.pp
@@ -573,7 +573,7 @@
         }
     }
 
-    class ssl($sitename, $certname, $sni_default=false, $tld='') {
+    class ssl($sitename, $certname, $sni_default=false, $tld='', 
sslonly=false) {
         include certificates::wmf_ca, role::protoproxy::ssl::common
 
         # Assumes that LVS service IPs are setup elsewhere
@@ -615,6 +615,7 @@
             enabled                => true,
             server_name            => $full_site_name,
             sni_default            => $sni_default,
+            sslonly                => $sslonly,
         }
     }
 
@@ -624,6 +625,7 @@
             certname   => 'star.wmfusercontent.org',
             sni_defalt => false,
             tld        => 'org',
+            sslonly    => true,
         }
     }
 
diff --git a/modules/protoproxy/manifests/localssl.pp 
b/modules/protoproxy/manifests/localssl.pp
index 50fac6e..bb95920 100644
--- a/modules/protoproxy/manifests/localssl.pp
+++ b/modules/protoproxy/manifests/localssl.pp
@@ -21,6 +21,7 @@
     $upstream_port = '80',
     $server_name   = $::fqdn,
     $sni_default   = false,
+    $sslonly       = false,
 ) {
 
     nginx::site { 'localssl':
diff --git a/modules/protoproxy/templates/localssl.erb 
b/modules/protoproxy/templates/localssl.erb
index 52dd1c2..59b2d76 100644
--- a/modules/protoproxy/templates/localssl.erb
+++ b/modules/protoproxy/templates/localssl.erb
@@ -11,6 +11,10 @@
         <% end -%>
        ssl on;
        server_name  <%= @server_name %>;
+        <% if @sslonly == "true" -%>
+        return 301 https://$host$request_uri;
+        <% end -%>
+
        error_log   /var/log/nginx/<%= @name %>.error.log;
        access_log   off;
 

-- 
To view, visit https://gerrit.wikimedia.org/r/159961
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icddf778d2c592a29caf0c1c3d9bff8b8bbbf2b16
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Rush <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to