BryanDavis has uploaded a new change for review. https://gerrit.wikimedia.org/r/293223
Change subject: role::toollabs::merlbot_proxy
......................................................................
role::toollabs::merlbot_proxy
Role to provision an nginx server acting as an HTTP -> HTTPS reverse proxy. This is a temporary solution for issues with MerlBot and the impending closure of the HTTP POST loophole.
Bug: T137235
Change-Id: Id49c79d524654b409cc991634effb473b38fb78b
---
A modules/role/manifests/toollabs/merlbot_proxy.pp
A modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb
2 files changed, 58 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/23/293223/1
diff --git a/modules/role/manifests/toollabs/merlbot_proxy.pp b/modules/role/manifests/toollabs/merlbot_proxy.pp
new file mode 100644
index 0000000..ef34326
--- /dev/null
+++ b/modules/role/manifests/toollabs/merlbot_proxy.pp
@@ -0,0 +1,12 @@
+# Class: role::toollabs::merlbot_proxy
+#
+# Provision an nginx server acting as an HTTP -> HTTPS reverse proxy.
+#
+class role::toollabs::merlbot_proxy() {
+ class { '::nginx':
+ variant => 'light',
+ }
+ nginx::site { 'merlbot_proxy':
+ content => template('role/toollabs/merlbot_proxy/nginx.conf.erb'),
+ }
+}
diff --git a/modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb b/modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb
new file mode 100644
index 0000000..6f55570
--- /dev/null
+++ b/modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb
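Review bot: The class header in the first hunk says only "Provision an nginx server acting as an HTTP -> HTTPS reverse proxy", while the commit message describes this as a temporary band-aid for MerlBot tied to T137235; that intent is lost on anyone reading the manifest later, so nobody will know when it can be retired. I would add to the header comment: `# TEMPORARY: band-aid for MerlBot until the HTTP POST loophole is closed (T137235).` and `# Remove this role and its template once it is no longer needed.` The nginx::site declaration is otherwise fine for what it does.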
@@ -0,0 +1,46 @@
+# This file is managed by Puppet
+# See modules/role/templates/toollabs/merlbot_proxy/nginx.conf.erb
+##
+# HTTP to HTTPS reverse proxy
+#
+# Copyright (c) 2016 Bryan Davis and the Wikimedia Foundation
+# License: Apache-2.0
+##
+
+# Respect XFF headers set by the Labs proxy
+real_ip_header X-Forwarded-For;
+set_real_ip_from 10.68.21.68;
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ location / {
+ # Access control
+ # We only want to allow requests from internal Labs hosts.
+ # Ideally we would only allow Tool Labs exec nodes, but there
+ # is no easy way to find those by IP.
+ deny 10.68.21.68; # IP we see if XFF unwrapping didn't work
+ allow 10.68.16.0/21; # All of Labs
+ allow 127.0.0.1;
+ deny all;
+
+ # Use these DNS servers to resolve proxied names
+ resolver <%= scope['::nameservers'].join(' ') %>;
+
+ # Act as a non-caching reverse proxy
+ proxy_http_version 1.1;
+ proxy_cache_bypass "1";
+ proxy_no_cache "1";
+ proxy_read_timeout 600s;
+ proxy_redirect off;
+
+ # Change the protocol to https when contacting upstream
+ proxy_pass https://$host$uri;
+
+ # Add a header just to remind folks that this is proxied
+ add_header Labs-TLS-Bandaid "on";
+ }
+}
+# vim:sw=4:ts=4:sts=4:et:ft=nginx:
--
To view, visit https://gerrit.wikimedia.org/r/293223
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Id49c79d524654b409cc991634effb473b38fb78b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
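Review bot: `proxy_pass https://$host$uri;` drops the query string, because `$uri` is the normalized path without `?args`, so any GET parameters MerlBot sends are silently lost upstream; `$request_uri` carries the original path and query unchanged. The same line also relies on nginx's defaults for the upstream TLS connection, which do not verify the upstream certificate and do not send SNI, so the "HTTP -> HTTPS" hop adds encryption but no authentication of the peer; `proxy_ssl_verify on` with a trusted CA bundle and `proxy_ssl_server_name on` close that gap. Since `server_name _;` is a catch-all and `$host` is taken from the client, any host inside the allowed 10.68.16.0/21 range can relay through this box to arbitrary HTTPS destinations; if the set of wikis MerlBot talks to is known, listing them in `server_name` and returning 444 from a separate default server would limit the relay to its purpose. The `set_real_ip_from` / `deny 10.68.21.68` pairing looks correct for a single trusted Labs proxy.
```nginx
    # … unchanged: access control, resolver, caching directives …
    proxy_pass https://$host$request_uri;
    proxy_ssl_server_name on;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;  # placeholder: system CA bundle path
```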