BBlack has submitted this change and it was merged.

Change subject: Insecure POST: 20% fail for labs, 100% for external
......................................................................


Insecure POST: 20% fail for labs, 100% for external

Previously, all insecure traffic was failing for 10% of requests
randomly, with an exception for Merlbot, which runs in labs.  The
announced plan was to break 100% of insecure traffic on
2016-07-12.

This change instead raises the failure rate to 20% for all of labs
(including Merlbot) on 2016-07-12, and completely breaks only
external insecure traffic.  The plan from here is to finish
breaking all the insecure traffic a week later on 2016-07-19.

This will give us a final week (assuming the bots retry failed
requests!) to try to work with bot owners and authors whose code
is running in our labs infrastructure before pulling the plug on
insecure access completely.

Bug: T136674
Bug: T105794
Change-Id: Id7024101cfa3e4268d0ee9c97719538f3c931a09
---
M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
1 file changed, 7 insertions(+), 10 deletions(-)

Approvals:
  BryanDavis: Looks good to me, but someone else must approve
  BBlack: Verified; Looks good to me, approved
  Dzahn: Looks good to me, but someone else must approve



diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb 
b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
index 0bf0947..6878d6a 100644
--- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
@@ -37,16 +37,13 @@
 <% if @vcl_config.fetch("secure_post", true) -%>
                        <%= error_synth(403, "Insecure Request Forbidden - use 
HTTPS") -%>
 <% else -%>
-                       // T105794 - "Insecure Post":
-                       // 2016-06-12 - 10% failure for non-"secure_post" 
clusters (this code)
-                       // 2016-07-12 - "secure_post" behavior as default, 
remove option and 10% code
-                       if (std.random(0,100) < 10.0) {
-                               if(req.http.X-Client-IP ~ "^10\.68\." && 
req.http.user-agent ~ "w:de:MerlBot") {
-                                       // T121279#2374119
-                                       // Merlbot is *temporarily* 
special-cased due to exceptional circumstances...
-                               } else {
-                                       <%= error_synth(403, "Insecure Request 
Forbidden - use HTTPS") -%>
-                               }
+                       // T105794 - "Insecure Post": Revised plan:
+                       // 2016-07-12 - 20% failure rate for labs hosts, 100% 
failure rate for outside world
+                       // 2016-07-19 - 100% failure rate for all
+                       if (req.http.X-Client-IP ~ "^10\.68\." && 
std.random(0,100) > 20.0) {
+                               // temporary hole-punch for labs, for one more 
week
+                       } else {
+                               <%= error_synth(403, "Insecure Request 
Forbidden - use HTTPS") -%>
                        }
 <% end -%>
                }
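Review bot: The labs exemption in the new `if` rests entirely on `req.http.X-Client-IP ~ "^10\.68\."`, and nothing in this hunk shows where that header is set. Since this branch is now the only thing standing between external insecure POSTs and the 100% failure rate, please confirm (and ideally note in the comment) that X-Client-IP is always assigned by the frontend itself before this point, so a client-supplied value cannot reach the match. Two smaller points: the pass-through branch is empty apart from a comment, so inverting the test and keeping a single `error_synth(403, ...)` branch would read more directly; and the removed comments carried the T121279#2374119 reference and the note about removing the "secure_post" option, neither of which survives in the revised plan comment, so whoever does the 2016-07-19 cleanup has less to go on.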

-- 
To view, visit https://gerrit.wikimedia.org/r/298336
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Id7024101cfa3e4268d0ee9c97719538f3c931a09
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Ema <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
