BBlack has uploaded a new change for review. https://gerrit.wikimedia.org/r/218622
Change subject: HTTPS: Redirect all domains matching certs, with a few exceptions
......................................................................

HTTPS: Redirect all domains matching certs, with a few exceptions

In load-testing terms, the only two-letter languages not already redirecting were the ones in the large, long-tail list in s3.dblist. This effectively adds all of those, as well as many other misc wikis on the text/mobile/upload clusters that match the cert wildcards.

Exceptions: upload excluded in general, and commons/meta excluded for MediaWiki UAs.

Change-Id: Ibdc15dce6bc06d0213348f9ac759d1bc3274efc9
---
M modules/varnish/templates/vcl/wikimedia.vcl.erb
1 file changed, 12 insertions(+), 12 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/22/218622/1

diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index 17ee99e..bdc6367 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -171,18 +171,18 @@ sub https_recv_redirect { if (req.request == "GET" || req.request == "HEAD") { if (req.http.X-Forwarded-Proto != "https") { - if (req.http.Host ~ "(?i)^((www|ar|bg|ca|cs|de|el|es|eo|en|fa|fi|fr|he|hu|id|it|ja|ko|no|pl|pt|ru|sv|th|tr|uk|ug|vi|zh)\.)?((m|zero)\.)?(wikipedia|wikibooks|wikinews|wikiquote|wikisource|wikiversity|wikivoyage|wikidata|wikimedia|wikimediafoundation|wiktionary|mediawiki).org$") { - set req.http.Location = "https://" + req.http.Host + req.url; - error 751 "TLS Redirect"; - } - - // Redirect Commons but make an exception for MediaWiki User-Agents, - // as these are usually the InstantCommons feature, which is buggy with - // redirects. See T102566 for context. - if (req.http.Host ~ "(?i)^commons\.wikimedia\.org$" && - req.http.User-Agent !~ "^MediaWiki/" ) { - set req.http.Location = "https://" + req.http.Host + req.url; - error 751 "TLS Redirect"; + // This filter should exactly match our set of SSL cert wildcards + if (req.http.Host ~ "(?i)^([^.]+\.)?(zero\.wikipedia|(m\.)?(wikipedia|wikibooks|wikinews|wikiquote|wikisource|wikiversity|wikivoyage|wikidata|wikimedia|wikimediafoundation|wiktionary|mediawiki)).org$") { + // For now, don't transition upload.wm.o yet... 
+ if (req.http.Host != 'upload.wikimedia.org') { + // For now, avoid matching these "special" wikis for MW UAs + // Ref: T102566 + https://gerrit.wikimedia.org/r/218539 + if (req.http.Host !~ "^(commons|meta)\.wikimedia.org$" || + req.http.User-Agent !~ "^MediaWiki/") { + set req.http.Location = "https://" + req.http.Host + req.url; + error 751 "TLS Redirect"; + } + } } } } -- To view, visit https://gerrit.wikimedia.org/r/218622 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibdc15dce6bc06d0213348f9ac759d1bc3274efc9 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
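Review bot: The two exception checks inside the new block are case-sensitive, while the outer Host filter is `(?i)`. `req.http.Host != 'upload.wikimedia.org'` is an exact string compare, and `"^(commons|meta)\.wikimedia.org$"` drops the `(?i)` that the removed commons check carried. A request whose Host header is mixed-case (for example `Commons.Wikimedia.org` from a `MediaWiki/` User-Agent, or `Upload.Wikimedia.org`) passes the outer match, misses the exception, and gets the 751 redirect that the exceptions are meant to prevent. Suggest `req.http.Host !~ "(?i)^upload\.wikimedia\.org$"` for the upload check and `"(?i)^(commons|meta)\.wikimedia\.org$"` for the MediaWiki-UA check. The upload comparison is also the only single-quoted string in the hunk; every other literal uses double quotes, so it is worth confirming the template still compiles as VCL. Minor: the dot before `org` is unescaped in both the outer pattern and the commons/meta pattern, so `.org$` matches any character there; `\.org$` would make the filter match the cert wildcards as exactly as the new comment says it should.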