BBlack has uploaded a new change for review. https://gerrit.wikimedia.org/r/218621
Change subject: HTTPS: keep new redirects code limited to text/mobile/upload for now ...................................................................... HTTPS: keep new redirects code limited to text/mobile/upload for now Hasn't matter much up until now, but will when we start expanding the host regex more liberally. Change-Id: Ie0962a1f3eb779e05aa757a764d54fb42a8a3c7f --- M modules/role/manifests/cache/mobile.pp M modules/role/manifests/cache/text.pp M modules/role/manifests/cache/upload.pp M modules/varnish/templates/vcl/wikimedia.vcl.erb 4 files changed, 11 insertions(+), 8 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/21/218621/1 diff --git a/modules/role/manifests/cache/mobile.pp b/modules/role/manifests/cache/mobile.pp index 9e64db9..df66ddd 100644 --- a/modules/role/manifests/cache/mobile.pp +++ b/modules/role/manifests/cache/mobile.pp @@ -44,6 +44,7 @@ $cluster_options = { 'enable_geoiplookup' => true, 'do_gzip' => true, + 'https_redirects' => true, } class { 'varnish::zero_update': diff --git a/modules/role/manifests/cache/text.pp b/modules/role/manifests/cache/text.pp index cfe8fc5..5ccb6d1 100644 --- a/modules/role/manifests/cache/text.pp +++ b/modules/role/manifests/cache/text.pp @@ -128,6 +128,7 @@ cluster_options => { 'enable_geoiplookup' => true, 'do_gzip' => true, + 'https_redirects' => true, }, } diff --git a/modules/role/manifests/cache/upload.pp b/modules/role/manifests/cache/upload.pp index 39ce4d7..c3e39a4 100644 --- a/modules/role/manifests/cache/upload.pp +++ b/modules/role/manifests/cache/upload.pp @@ -39,9 +39,10 @@ } $cluster_options = { - 'upload_domain' => $upload_domain, - 'top_domain' => $top_domain, - 'do_gzip' => true, + 'upload_domain' => $upload_domain, + 'top_domain' => $top_domain, + 'do_gzip' => true, + 'https_redirects' => true, } $runtime_params = $::site ? { diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb b/modules/varnish/templates/vcl/wikimedia.vcl.erb index b474b9f..17ee99e 100644 --- a/modules/varnish/templates/vcl/wikimedia.vcl.erb +++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb @@ -163,7 +163,7 @@ # Functions // start frontend-only block for HTTPS -<% if @vcl_config.fetch("layer", "") == "frontend" -%> +<% if @vcl_config.fetch("layer", "") == "frontend" && @cluster_options.fetch("https_redirects", false) -%> // *** HTTPS recv code - domain-based 301/302->HTTPS decisions happen here // if GET/HEAD filter is modified/removed later, keep in mind we need to not affect @@ -211,7 +211,7 @@ } <% end -%> -// ^ end frontend-only block for HTTPS +// ^ end frontend + https_redirects block // We shouldn't even legally be receiving proxy-style requests, as we're not a // proxy from any client's point of view. Just in case, we support it anyways @@ -366,7 +366,7 @@ call vcl_recv_append_xff; -<% if @vcl_config.fetch("layer", "") == "frontend" -%> +<% if @vcl_config.fetch("layer", "") == "frontend" && @cluster_options.fetch("https_redirects", false) -%> call https_recv_redirect; <% end -%> @@ -458,7 +458,7 @@ } } -<% if @vcl_config.fetch("layer", "") == "frontend" -%> +<% if @vcl_config.fetch("layer", "") == "frontend" && @cluster_options.fetch("https_redirects", false) -%> call https_deliver_hsts; <% end -%> @@ -466,7 +466,7 @@ } sub vcl_error { -<% if @vcl_config.fetch("layer", "") == "frontend" -%> +<% if @vcl_config.fetch("layer", "") == "frontend" && @cluster_options.fetch("https_redirects", false) -%> call https_error_redirect; <% end -%> -- To view, visit https://gerrit.wikimedia.org/r/218621 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie0962a1f3eb779e05aa757a764d54fb42a8a3c7f Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: BBlack <bbl...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits