BBlack has submitted this change and it was merged. Change subject: tlsproxy: redirect-only service on 8080 ......................................................................
tlsproxy: redirect-only service on 8080
Bug: T107236
Change-Id: Ieb8d43bf7edc7f068f76aa08fa5c3a070b79e3ba
---
M modules/role/manifests/cache/ssl/misc.pp
M modules/role/manifests/cache/ssl/unified.pp
M modules/tlsproxy/manifests/localssl.pp
M modules/tlsproxy/templates/localssl.erb
4 files changed, 28 insertions(+), 0 deletions(-)
Approvals: BBlack: Verified; Looks good to me, approved
diff --git a/modules/role/manifests/cache/ssl/misc.pp b/modules/role/manifests/cache/ssl/misc.pp
index c6c4803..80104c4 100644
--- a/modules/role/manifests/cache/ssl/misc.pp
+++ b/modules/role/manifests/cache/ssl/misc.pp
@@ -10,6 +10,7 @@
 server_name => 'wmfusercontent.org',
 server_aliases => ['*.wmfusercontent.org'],
 upstream_port => 3127,
+ redir_port => 8080,
 }
 tlsproxy::localssl { 'planet.wikimedia.org':
@@ -17,5 +18,6 @@
 server_name => 'planet.wikimedia.org',
 server_aliases => ['*.planet.wikimedia.org'],
 upstream_port => 3127,
+ redir_port => 8080,
 }
 }
diff --git a/modules/role/manifests/cache/ssl/unified.pp b/modules/role/manifests/cache/ssl/unified.pp
index 5886d5a..e026702 100644
--- a/modules/role/manifests/cache/ssl/unified.pp
+++ b/modules/role/manifests/cache/ssl/unified.pp
@@ -11,6 +11,7 @@
 default_server => true,
 do_ocsp => true,
 upstream_port => 3127,
+ redir_port => 8080,
 }
 } else {
@@ -21,6 +22,7 @@
 do_ocsp => false,
 skip_private => true,
 upstream_port => 3127,
+ redir_port => 8080,
 }
 }
diff --git a/modules/tlsproxy/manifests/localssl.pp b/modules/tlsproxy/manifests/localssl.pp
index 9781bae..b318e8e 100644
--- a/modules/tlsproxy/manifests/localssl.pp
+++ b/modules/tlsproxy/manifests/localssl.pp
@@ -18,6 +18,11 @@
 # [*upstream_port*]
 # TCP port to proxy to. Defaults to '80'
 #
+# [*redir_port*]
+# TCP port to listen on as plain HTTP. This listener will redirect GET/HEAD
+# to HTTPS with 301 and deny all other methods with 403. It does not proxy
+# any traffic. Default is undefined.
+#
 # [*default_server*]
 # Boolean. Adds the 'default_server' option to the listen statement.
 # Exactly one instance should have this set to true.
@@ -34,6 +39,7 @@
 $server_aliases = [],
 $default_server = false,
 $upstream_port = '80',
+ $redir_port = undef,
 $do_ocsp = false,
 $skip_private = false,
 ) {
diff --git a/modules/tlsproxy/templates/localssl.erb b/modules/tlsproxy/templates/localssl.erb
index ef775dc..36bd037 100644
--- a/modules/tlsproxy/templates/localssl.erb
+++ b/modules/tlsproxy/templates/localssl.erb
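Review bot: The new `$redir_port = undef` default only disables the listener if undef reaches the template as a Ruby nil, since localssl.erb gates the whole block on `<% if @redir_port -%>`; on Puppet versions that hand undef to ERB as the `:undef` symbol (documented at least for values nested in arrays and hashes under Puppet 3) the guard would be truthy and every instance would render a listen line with a bogus port, so this is worth confirming once against the fleet's Puppet version. The parameter documentation could also say what the flag actually does in the template, for example `#   When set, a second plain-HTTP nginx server block is rendered; it inherits default_server from this instance.` The define's header and the rest of its body lie outside these two hunks.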
@@ -60,3 +60,21 @@
 <% end -%>
 }
 }
+<% if @redir_port -%>
+server {
+ listen [::]:<%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport ipv6only=on " : "" %>;
+ listen <%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport " : "" %>;
+ server_name <%= ([@server_name] + @server_aliases).join(" ") %>;
+
+ error_log /var/log/nginx/<%= @name %>.error.log;
+ access_log off;
+
+ if ($request_method = GET) {
+ return 301 https://$host$request_uri;
+ }
+ if ($request_method = HEAD) {
+ return 301 https://$host$request_uri;
+ }
+ return 403 "Insecure Request Forbidden - use HTTPS";
+}
+<% end -%>
--
To view, visit https://gerrit.wikimedia.org/r/294706
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ieb8d43bf7edc7f068f76aa08fa5c3a070b79e3ba
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Ema <e...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
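Review bot: `return 301 https://$host$request_uri;` builds the Location target from the client-supplied Host header, and because the instance with `default_server => true` (unified.pp in this change) propagates that flag to this listener via `@default_server`, the redirect block also answers requests whose Host matches none of the configured names and bounces them to whatever host the client sent; nginx only checks the Host header for invalid characters, not for membership in `server_name`, so the practical impact is limited to clients that choose their own Host but it is the pattern that open-redirect scanners flag. The usual hardening is a separate catch-all `default_server` block on the redirect port that returns 444 (or 403) and leaves this named block to handle only the listed names — worth a follow-up unless bouncing arbitrary hosts is intended here. As a style point the two identical GET/HEAD branches fold into one test, `if ($request_method !~ ^(GET|HEAD)$ ) { return 403 "Insecure Request Forbidden - use HTTPS"; }` followed by `return 301 https://$host$request_uri;`, which also keeps the allow-list in a single place. Note that `access_log off;` discards the record of the 403 denials as well, so plaintext POSTs arriving on this port leave no trace; if that signal matters for detection, a conditional access_log limited to non-2xx/3xx responses would preserve it at little cost.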