BBlack has submitted this change and it was merged.

Change subject: tlsproxy: redirect-only service on 8080
......................................................................


tlsproxy: redirect-only service on 8080

Bug: T107236
Change-Id: Ieb8d43bf7edc7f068f76aa08fa5c3a070b79e3ba
---
M modules/role/manifests/cache/ssl/misc.pp
M modules/role/manifests/cache/ssl/unified.pp
M modules/tlsproxy/manifests/localssl.pp
M modules/tlsproxy/templates/localssl.erb
4 files changed, 28 insertions(+), 0 deletions(-)

Approvals:
  BBlack: Verified; Looks good to me, approved



diff --git a/modules/role/manifests/cache/ssl/misc.pp 
b/modules/role/manifests/cache/ssl/misc.pp
index c6c4803..80104c4 100644
--- a/modules/role/manifests/cache/ssl/misc.pp
+++ b/modules/role/manifests/cache/ssl/misc.pp
@@ -10,6 +10,7 @@
         server_name    => 'wmfusercontent.org',
         server_aliases => ['*.wmfusercontent.org'],
         upstream_port  => 3127,
+        redir_port     => 8080,
     }
 
     tlsproxy::localssl { 'planet.wikimedia.org':
@@ -17,5 +18,6 @@
         server_name    => 'planet.wikimedia.org',
         server_aliases => ['*.planet.wikimedia.org'],
         upstream_port  => 3127,
+        redir_port     => 8080,
     }
 }
diff --git a/modules/role/manifests/cache/ssl/unified.pp 
b/modules/role/manifests/cache/ssl/unified.pp
index 5886d5a..e026702 100644
--- a/modules/role/manifests/cache/ssl/unified.pp
+++ b/modules/role/manifests/cache/ssl/unified.pp
@@ -11,6 +11,7 @@
             default_server => true,
             do_ocsp        => true,
             upstream_port  => 3127,
+            redir_port     => 8080,
         }
     }
     else {
@@ -21,6 +22,7 @@
             do_ocsp        => false,
             skip_private   => true,
             upstream_port  => 3127,
+            redir_port     => 8080,
         }
     }
 
diff --git a/modules/tlsproxy/manifests/localssl.pp 
b/modules/tlsproxy/manifests/localssl.pp
index 9781bae..b318e8e 100644
--- a/modules/tlsproxy/manifests/localssl.pp
+++ b/modules/tlsproxy/manifests/localssl.pp
@@ -18,6 +18,11 @@
 # [*upstream_port*]
 #   TCP port to proxy to. Defaults to '80'
 #
+# [*redir_port*]
+#   TCP port to listen on as plain HTTP.  This listener will redirect GET/HEAD
+#   to HTTPS with 301 and deny all other methods with 403.  It does not proxy
+#   any traffic. Default is undefined.
+#
 # [*default_server*]
 #   Boolean. Adds the 'default_server' option to the listen statement.
 #   Exactly one instance should have this set to true.
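Review bot: The new `[*redir_port*]` entry does not mention that the listener it enables inherits the `default_server` handling: in localssl.erb the redirect-port `listen` lines carry the same `default_server deferred backlog=4096 reuseport` options whenever `default_server` is true, so the instance flagged as default also becomes the plain-HTTP default on that port and receives requests for any Host value. Suggest appending to the redir_port text `#   When default_server is true the same listen options are applied to this listener too.` and amending the `[*default_server*]` line to say it now affects both the TLS and the redirect listen statements. The parameter documentation block starts before this hunk and continues after it.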
@@ -34,6 +39,7 @@
     $server_aliases = [],
     $default_server = false,
     $upstream_port  = '80',
+    $redir_port     = undef,
     $do_ocsp        = false,
     $skip_private   = false,
 ) {
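Review bot: `$redir_port` is accepted without any check while the template interpolates it verbatim into two `listen` directives, so a value such as `'8080 ssl'` or a non-numeric string would be written into the nginx config unchanged (the existing `upstream_port` has the same gap, but this change adds a second such parameter). If the module already relies on puppetlabs-stdlib validators, a single guard in the body closes it: `if $redir_port != undef { validate_re("${redir_port}", '^[0-9]+$') }`. The define's body lies outside the hunk.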
diff --git a/modules/tlsproxy/templates/localssl.erb 
b/modules/tlsproxy/templates/localssl.erb
index ef775dc..36bd037 100644
--- a/modules/tlsproxy/templates/localssl.erb
+++ b/modules/tlsproxy/templates/localssl.erb
@@ -60,3 +60,21 @@
 <% end -%>
        }
 }
+<% if @redir_port -%>
+server {
+       listen [::]:<%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport ipv6only=on " : "" %>;
+       listen <%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport " : "" %>;
+       server_name <%= ([@server_name] + @server_aliases).join(" ") %>;
+
+       error_log   /var/log/nginx/<%= @name %>.error.log;
+       access_log   off;
+
+       if ($request_method = GET) {
+               return 301 https://$host$request_uri;
+       }
+       if ($request_method = HEAD) {
+               return 301 https://$host$request_uri;
+       }
+       return 403 "Insecure Request Forbidden - use HTTPS";
+}
+<% end -%>
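Review bot: The 301 target on lines `return 301 https://$host$request_uri;` is built from `$host`, and on the instance that sets `default_server` (the unified.pp hunk) this server block also receives requests whose Host matches none of its server_name entries, so the redirect echoes whatever host the client supplied. Impact is limited because only the requester sees the response, but it is the standard Host-header-reflection finding and cheap to close: emit a separate default_server catch-all on the redirect port that refuses unknown hosts, and drop the default_server options from the named block's listen lines. Independently, the two single-method `if` blocks can be collapsed into one, `if ($request_method ~ ^(GET|HEAD)$) { return 301 https://$host$request_uri; }`, which keeps the 403 fallback unchanged. The `if @redir_port` wrapper and the new server block are complete within the hunk.
```erb
<% if @redir_port -%>
<% if @default_server -%>
# Requests whose Host matches no configured server_name land here and are
# refused, rather than being reflected into a redirect target.
server {
       listen [::]:<%= @redir_port %> default_server deferred backlog=4096 reuseport ipv6only=on;
       listen <%= @redir_port %> default_server deferred backlog=4096 reuseport;
       server_name _;
       access_log   off;
       return 403 "Unknown host";
}
<% end -%>
server {
       listen [::]:<%= @redir_port %>;
       listen <%= @redir_port %>;
       server_name <%= ([@server_name] + @server_aliases).join(" ") %>;
       # … unchanged: error_log, access_log, GET/HEAD 301 and 403 fallback …
}
<% end -%>
```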

-- 
To view, visit https://gerrit.wikimedia.org/r/294706

Gerrit-MessageType: merged
Gerrit-Change-Id: Ieb8d43bf7edc7f068f76aa08fa5c3a070b79e3ba
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Ema <e...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
