BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/299532

Change subject: insecure post: 100% failure, loophole closed
......................................................................

insecure post: 100% failure, loophole closed

Bug: T136674
Bug: T105794
Change-Id: Ie2db01e1c05dc793e3350ba1111bbd30c50edb35
---
M modules/role/manifests/cache/text.pp
M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
2 files changed, 1 insertion(+), 13 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/32/299532/1

diff --git a/modules/role/manifests/cache/text.pp 
b/modules/role/manifests/cache/text.pp
index 3d8b8da..385cc25 100644
--- a/modules/role/manifests/cache/text.pp
+++ b/modules/role/manifests/cache/text.pp
@@ -109,7 +109,6 @@
 
     $fe_vcl_config = merge($common_vcl_config, {
         'enable_geoiplookup' => true,
-        'secure_post'        => false,
         'ttl_cap'            => '1d',
     })
 
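Review bot: removing `'secure_post' => false` here leaves the key with no reader in the frontend template, because the same change deletes the `@vcl_config.fetch("secure_post", true)` lookup. Please confirm no other manifest still sets `secure_post`; any remaining setting would now be silently ignored and should be dropped in this change so the config does not suggest a toggle that no longer exists.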
diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb 
b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
index 6ec2065..813a87d 100644
--- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
@@ -34,18 +34,7 @@
                        }
                }
                else if (req.http.Host !~ "\.beta\.wmflabs\.org$") {
-<% if @vcl_config.fetch("secure_post", true) -%>
-                       <%= error_synth(403, "Insecure Request Forbidden - use 
HTTPS") -%>
-<% else -%>
-                       // T105794 - "Insecure Post": Revised plan:
-                       // 2016-07-12 - 20% failure rate for labs hosts, 100% 
failure rate for outside world
-                       // 2016-07-19 - 100% failure rate for all
-                       if (req.http.X-Client-IP ~ "^10\.68\." && 
std.random(0,100) > 20.0) {
-                               // temporary hole-punch for labs, for one more 
week
-                       } else {
-                               <%= error_synth(403, "Insecure Request 
Forbidden - use HTTPS - 
https://lists.wikimedia.org/pipermail/mediawiki-api-announce/2016-May/000110.html";)
 -%>
-                       }
-<% end -%>
+                       <%= error_synth(403, "Insecure Request Forbidden - use 
HTTPS - 
https://lists.wikimedia.org/pipermail/mediawiki-api-announce/2016-May/000110.html";)
 -%>
                }
        }
 }
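Review bot: the added `error_synth(403, ...)` line is left without any comment, since the deleted block carried the only T105794 reference and the rollout dates. A one-line comment next to it, for example `// T105794: insecure POST is always rejected`, would keep the reason beside the rule. The commit message has no body either; it would help to state there that the `^10\.68\.` labs hole-punch is removed and that requests whose Host matches `\.beta\.wmflabs\.org$` never reach this branch because of the enclosing `else if`, so "loophole closed" is not read as covering beta hosts.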

-- 
To view, visit https://gerrit.wikimedia.org/r/299532
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie2db01e1c05dc793e3350ba1111bbd30c50edb35
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
