BryanDavis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/293223

Change subject: role::toollabs::merlbot_proxy
......................................................................

role::toollabs::merlbot_proxy

Role to provision an nginx server acting as an HTTP -> HTTPS reverse
proxy. This is a temporary solution for issues with MerlBot and the
impending closure of the HTTP POST loophole.

Bug: T137235
Change-Id: Id49c79d524654b409cc991634effb473b38fb78b
---
A modules/role/manifests/toollabs/merlbot_proxy.pp
A modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb
2 files changed, 58 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/23/293223/1

diff --git a/modules/role/manifests/toollabs/merlbot_proxy.pp 
b/modules/role/manifests/toollabs/merlbot_proxy.pp
new file mode 100644
index 0000000..ef34326
--- /dev/null
+++ b/modules/role/manifests/toollabs/merlbot_proxy.pp
@@ -0,0 +1,12 @@
+# Class: role::toollabs::merlbot_proxy
+#
+# Provision an nginx server acting as an HTTP -> HTTPS reverse proxy.
+#
+class role::toollabs::merlbot_proxy() {
+    class { '::nginx':
+        variant => 'light',
+    }
+    nginx::site { 'merlbot_proxy':
+        content => template('role/toollabs/merlbot_proxy/nginx.conf.erb'),
+    }
+}
diff --git a/modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb 
b/modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb
new file mode 100644
index 0000000..6f55570
--- /dev/null
+++ b/modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb
@@ -0,0 +1,46 @@
+# This file is managed by Puppet
+# See modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb
+##
+# HTTP to HTTPS reverse proxy
+#
+# Copyright (c) 2016 Bryan Davis and the Wikimedia Foundation
+# License: Apache-2.0
+##
+
+# Respect XFF headers set by the Labs proxy
+real_ip_header X-Forwarded-For;
+set_real_ip_from 10.68.21.68;
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    location / {
+        # Access control
+        # We only want to allow requests from internal Labs hosts.
+        # Ideally we would only allow Tool Labs exec nodes, but there
+        # is no easy way to find those by IP.
+        deny 10.68.21.68;    # IP we see if XFF unwrapping didn't work
+        allow 10.68.16.0/21; # All of Labs
+        allow 127.0.0.1;
+        deny all;
+
+        # Use these DNS servers to resolve proxied names
+        resolver <%= scope['::nameservers'].join(' ') %>;
+
+        # Act as a non-caching reverse proxy
+        proxy_http_version 1.1;
+        proxy_cache_bypass "1";
+        proxy_no_cache "1";
+        proxy_read_timeout 600s;
+        proxy_redirect off;
+
+        # Change the protocol to https when contacting upstream
+        proxy_pass https://$host$uri;
+
+        # Add a header just to remind folks that this is proxied
+        add_header Labs-TLS-Bandaid "on";
+    }
+}
+# vim:sw=4:ts=4:sts=4:et:ft=nginx:
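Review bot: `proxy_pass https://$host$uri;` lets the client-supplied Host header select the upstream, so for any source inside the allowed 10.68.16.0/21 range this server is effectively an open forward proxy to arbitrary HTTPS hosts, and `$uri` drops the query string so GET parameters never reach the upstream. Consider allow-listing the permitted upstream hosts (a concrete `server_name` list or a `map` of accepted hosts instead of the catch-all `_`) and forwarding `$request_uri` rather than `$uri`. The upstream certificate is also never checked because nginx defaults `proxy_ssl_verify` to off; if the nginx build on the host supports them, `proxy_ssl_verify on;`, `proxy_ssl_server_name on;` and a `proxy_ssl_trusted_certificate` pointing at the system CA bundle would make the HTTPS hop actually authenticate the upstream. The Labs proxy address 10.68.21.68 appears hard-coded twice in this template; passing it from the manifest as a class parameter would keep the `set_real_ip_from` and `deny` entries in sync.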


Gerrit-MessageType: newchange
Gerrit-Change-Id: Id49c79d524654b409cc991634effb473b38fb78b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
