Ema has submitted this change and it was merged. Change subject: tlsproxy: document safe/unsafe TFO usage ......................................................................
tlsproxy: document safe/unsafe TFO usage Mention that using TFO is not necessarily always safe, with references to the relevant RFC section. Bug: T108827 Change-Id: I7309033da3c2673985940b716e5f8133be7f3617 --- M modules/tlsproxy/templates/localssl.erb 1 file changed, 7 insertions(+), 0 deletions(-) Approvals: Ema: Verified; Looks good to me, approved diff --git a/modules/tlsproxy/templates/localssl.erb b/modules/tlsproxy/templates/localssl.erb index 553c7eb..9c6dd3f 100644 --- a/modules/tlsproxy/templates/localssl.erb +++ b/modules/tlsproxy/templates/localssl.erb @@ -9,6 +9,9 @@ # SSL proxying server { + # Enabling TCP Fast Open is safe for HTTP over TLS. There is no idempotency + # concern replaying TLS Client Hello. + # https://tools.ietf.org/html/rfc7413#section-6.3.2 listen [::]:443 <%= @default_server ? "default_server deferred backlog=16384 reuseport ipv6only=on fastopen=#{fastopen_pending_max} " : "" %>ssl http2; listen 443 <%= @default_server ? "default_server deferred backlog=16384 reuseport fastopen=#{fastopen_pending_max} " : "" %>ssl http2; ssl on; 
@@ -62,6 +65,10 @@ } <% if @redir_port -%> server { + # Enable TCP Fast Open for http -> https redirects since there are no + # idempotency concerns with HTTPS. + # Note that TFO is *not* safe in general for non-TLS HTTP. See + # https://tools.ietf.org/html/rfc7413#section-6.3.1 listen [::]:<%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport ipv6only=on fastopen=#{fastopen_pending_max} " : "" %>; listen <%= @redir_port %> <%= @default_server ? "default_server deferred backlog=4096 reuseport fastopen=#{fastopen_pending_max} " : "" %>; server_name <%= ([@server_name] + @server_aliases).join(" ") %>; -- To view, visit https://gerrit.wikimedia.org/r/295925 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7309033da3c2673985940b716e5f8133be7f3617 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ema <e...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Ema <e...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
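Review bot: in the first hunk (the `listen ... 443` server block), the new comment justifies TFO by saying there is no idempotency concern in "replaying TLS Client Hello", but the stated scope "safe for HTTP over TLS" is broader than what the argument supports: what makes the replay harmless is that the only data carried in the SYN is the ClientHello, which the server answers with a fresh handshake and never with application data, so a replayed SYN cannot cause an HTTP request to be executed twice. Suggest tightening the wording to say that explicitly, e.g. "Enabling TCP Fast Open is safe here because the only data in the SYN is the TLS ClientHello; a replayed ClientHello just starts another handshake and never executes an HTTP request." Two smaller points: the comment should also note that `fastopen=#{fastopen_pending_max}` is only emitted when `@default_server` is true, so non-default server blocks do not get TFO at all, and "Client Hello" is written as one word (ClientHello) in the TLS specifications.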
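Review bot: in the second hunk (the `@redir_port` server block), the first sentence gives the wrong reason: "there are no idempotency concerns with HTTPS" does not apply to a listener that speaks plain HTTP on the redirect port, and it reads as contradicting the very next sentence, which says TFO is not safe in general for non-TLS HTTP. The property that actually makes TFO acceptable here is that this server block only issues http -> https redirects, so a replayed request produces the same redirect response with no server-side side effects. Suggest rewording along the lines of "Enable TCP Fast Open here because this server block only returns http -> https redirects, so a request replayed from the SYN data is idempotent; TFO is *not* safe in general for non-TLS HTTP, see https://tools.ietf.org/html/rfc7413#section-6.3.1". That also makes the precondition explicit: if anything other than a redirect is ever added to this block, the `fastopen=` parameter on both `listen` lines needs to be revisited.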