BBlack has uploaded a new change for review.
https://gerrit.wikimedia.org/r/218621
Change subject: HTTPS: keep new redirects code limited to text/mobile/upload
for now
......................................................................
HTTPS: keep new redirects code limited to text/mobile/upload for now
Hasn't matter much up until now, but will when we start expanding
the host regex more liberally.
Change-Id: Ie0962a1f3eb779e05aa757a764d54fb42a8a3c7f
---
M modules/role/manifests/cache/mobile.pp
M modules/role/manifests/cache/text.pp
M modules/role/manifests/cache/upload.pp
M modules/varnish/templates/vcl/wikimedia.vcl.erb
4 files changed, 11 insertions(+), 8 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/21/218621/1
diff --git a/modules/role/manifests/cache/mobile.pp
b/modules/role/manifests/cache/mobile.pp
index 9e64db9..df66ddd 100644
--- a/modules/role/manifests/cache/mobile.pp
+++ b/modules/role/manifests/cache/mobile.pp
@@ -44,6 +44,7 @@
$cluster_options = {
'enable_geoiplookup' => true,
'do_gzip' => true,
+ 'https_redirects' => true,
}
class { 'varnish::zero_update':
diff --git a/modules/role/manifests/cache/text.pp
b/modules/role/manifests/cache/text.pp
index cfe8fc5..5ccb6d1 100644
--- a/modules/role/manifests/cache/text.pp
+++ b/modules/role/manifests/cache/text.pp
@@ -128,6 +128,7 @@
cluster_options => {
'enable_geoiplookup' => true,
'do_gzip' => true,
+ 'https_redirects' => true,
},
}
diff --git a/modules/role/manifests/cache/upload.pp
b/modules/role/manifests/cache/upload.pp
index 39ce4d7..c3e39a4 100644
--- a/modules/role/manifests/cache/upload.pp
+++ b/modules/role/manifests/cache/upload.pp
@@ -39,9 +39,10 @@
}
$cluster_options = {
- 'upload_domain' => $upload_domain,
- 'top_domain' => $top_domain,
- 'do_gzip' => true,
+ 'upload_domain' => $upload_domain,
+ 'top_domain' => $top_domain,
+ 'do_gzip' => true,
+ 'https_redirects' => true,
}
$runtime_params = $::site ? {
diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb
b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index b474b9f..17ee99e 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -163,7 +163,7 @@
# Functions
// start frontend-only block for HTTPS
-<% if @vcl_config.fetch("layer", "") == "frontend" -%>
+<% if @vcl_config.fetch("layer", "") == "frontend" &&
@cluster_options.fetch("https_redirects", false) -%>
// *** HTTPS recv code - domain-based 301/302->HTTPS decisions happen here
// if GET/HEAD filter is modified/removed later, keep in mind we need to not
affect
@@ -211,7 +211,7 @@
}
<% end -%>
-// ^ end frontend-only block for HTTPS
+// ^ end frontend + https_redirects block
// We shouldn't even legally be receiving proxy-style requests, as we're not a
// proxy from any client's point of view. Just in case, we support it anyways
@@ -366,7 +366,7 @@
call vcl_recv_append_xff;
-<% if @vcl_config.fetch("layer", "") == "frontend" -%>
+<% if @vcl_config.fetch("layer", "") == "frontend" &&
@cluster_options.fetch("https_redirects", false) -%>
call https_recv_redirect;
<% end -%>
@@ -458,7 +458,7 @@
}
}
-<% if @vcl_config.fetch("layer", "") == "frontend" -%>
+<% if @vcl_config.fetch("layer", "") == "frontend" &&
@cluster_options.fetch("https_redirects", false) -%>
call https_deliver_hsts;
<% end -%>
@@ -466,7 +466,7 @@
}
sub vcl_error {
-<% if @vcl_config.fetch("layer", "") == "frontend" -%>
+<% if @vcl_config.fetch("layer", "") == "frontend" &&
@cluster_options.fetch("https_redirects", false) -%>
call https_error_redirect;
<% end -%>
--
To view, visit https://gerrit.wikimedia.org/r/218621
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie0962a1f3eb779e05aa757a764d54fb42a8a3c7f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
