BBlack has submitted this change and it was merged.

Change subject: HTTPS: Redirect all domains matching certs, with a few exceptions
......................................................................


HTTPS: Redirect all domains matching certs, with a few exceptions

In load-testing terms, the only two-letter languages not already
redirecting were the ones in the large, long-tail list in
s3.dblist.  This effectively adds all of those, as well as many
other misc wikis on the text/mobile/upload clusters that match
the cert wildcards.

Exceptions: upload excluded in general, and commons/meta excluded
for MediaWiki UAs.

Change-Id: Ibdc15dce6bc06d0213348f9ac759d1bc3274efc9
---
M modules/varnish/templates/vcl/wikimedia.vcl.erb
1 file changed, 12 insertions(+), 12 deletions(-)

Approvals:
  Faidon Liambotis: Looks good to me, but someone else must approve
  BBlack: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb 
b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index 17ee99e..f0ed99c 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -171,18 +171,18 @@
 sub https_recv_redirect {
        if (req.request == "GET" || req.request == "HEAD") {
                if (req.http.X-Forwarded-Proto != "https") {
-                       if (req.http.Host ~ 
"(?i)^((www|ar|bg|ca|cs|de|el|es|eo|en|fa|fi|fr|he|hu|id|it|ja|ko|no|pl|pt|ru|sv|th|tr|uk|ug|vi|zh)\.)?((m|zero)\.)?(wikipedia|wikibooks|wikinews|wikiquote|wikisource|wikiversity|wikivoyage|wikidata|wikimedia|wikimediafoundation|wiktionary|mediawiki).org$")
 {
-                               set req.http.Location = "https://"; + 
req.http.Host + req.url;
-                               error 751 "TLS Redirect";
-                       }
-
-                       // Redirect Commons but make an exception for MediaWiki 
User-Agents,
-                       // as these are usually the InstantCommons feature, 
which is buggy with
-                       // redirects. See T102566 for context.
-                       if (req.http.Host ~ "(?i)^commons\.wikimedia\.org$" &&
-                           req.http.User-Agent !~ "^MediaWiki/" ) {
-                               set req.http.Location = "https://"; + 
req.http.Host + req.url;
-                               error 751 "TLS Redirect";
+                       // This filter should exactly match our set of SSL cert 
wildcards
+                       if (req.http.Host ~ 
"(?i)^([^.]+\.)?(zero\.wikipedia|(m\.)?(wikipedia|wikibooks|wikinews|wikiquote|wikisource|wikiversity|wikivoyage|wikidata|wikimedia|wikimediafoundation|wiktionary|mediawiki)).org$")
 {
+                               // For now, don't transition upload.wm.o yet...
+                               if (req.http.Host !~ 
"(?i)^upload\.wikimedia\.org$") {
+                                       // For now, avoid matching these 
"special" wikis for MW UAs
+                                       // Ref: T102566 + 
https://gerrit.wikimedia.org/r/218539
+                                       if (req.http.Host !~ 
"(?i)^(commons|meta)\.wikimedia.org$" ||
+                                           req.http.User-Agent !~ 
"^MediaWiki/") {
+                                               set req.http.Location = 
"https://"; + req.http.Host + req.url;
+                                               error 751 "TLS Redirect";
+                                       }
+                               }
                        }
                }
        }
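
Review bot: The new Host filter is commented as "should exactly match our set of SSL cert wildcards", but the dot before "org" is unescaped in the outer pattern ("...|mediawiki)).org$") and again in the inner "(commons|meta)\.wikimedia.org$" test, so it matches any character there. A request whose Host is, say, "en.wikipediaXorg" passes the filter, and since req.http.Host is copied straight into the Location header the redirect then points at that client-supplied name. Suggest "\.org$" in both places so the match is as strict as the comment claims. Two smaller points: "([^.]+\.)?" now accepts any single leading label, so the comment could say that this regex has to be kept in step with the cert wildcard list whenever a cert is added or dropped; and the "For now, don't transition upload.wm.o yet" exclusion has no task reference, unlike the MW UA exception below it, which makes it hard to know when the condition can be removed.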

-- 
To view, visit https://gerrit.wikimedia.org/r/218622

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibdc15dce6bc06d0213348f9ac759d1bc3274efc9
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits