Ema has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/398314 )
Change subject: vcl: remove X-CP-Full-Cipher
......................................................................
vcl: remove X-CP-Full-Cipher
Change-Id: I056fb1a07dfbe9dea43c832dae795937e480c3dd
---
M modules/varnish/files/tests/upload/16-x-connection-properties.vtc
M modules/varnish/files/varnishmtail
M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
3 files changed, 2 insertions(+), 11 deletions(-)
Approvals:
Ema: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
index e100dec..0dfc2eb 100644
--- a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
+++ b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
@@ -10,7 +10,6 @@
 expect req.http.X-CP-Key-Exchange == "prime256v1"
 expect req.http.X-CP-Auth == "ECDSA"
 expect req.http.X-CP-Cipher == "AES256-GCM-SHA384"
- expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES256-GCM-SHA384"
 txresp
@@ -23,7 +22,6 @@
 expect req.http.X-CP-Key-Exchange == "prime256v1"
 expect req.http.X-CP-Auth == "ECDSA"
 expect req.http.X-CP-Cipher == "AES128-SHA"
- expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES128-SHA"
 txresp
@@ -36,7 +34,6 @@
 expect req.http.X-CP-Key-Exchange == "X25519"
 expect req.http.X-CP-Auth == "ECDSA"
 expect req.http.X-CP-Cipher == "AES256-GCM-SHA384"
- expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES256-GCM-SHA384"
 txresp
@@ -49,7 +46,6 @@
 expect req.http.X-CP-Key-Exchange == "RSA"
 expect req.http.X-CP-Auth == "RSA"
 expect req.http.X-CP-Cipher == "AES128-SHA"
- expect req.http.X-CP-Full-Cipher == "AES128-SHA"
 txresp
diff --git a/modules/varnish/files/varnishmtail b/modules/varnish/files/varnishmtail
index 5ffe9cd..6e08dac 100644
--- a/modules/varnish/files/varnishmtail
+++ b/modules/varnish/files/varnishmtail
@@ -16,8 +16,7 @@
 fmt_key_exchange='key_exchange %{VCL_Log:CP-Key-Exchange}x'
 fmt_auth='auth %{VCL_Log:CP-Auth}x'
 fmt_cipher='cipher %{VCL_Log:CP-Cipher}x'
-fmt_full_cipher='full_cipher %{VCL_Log:CP-Full-Cipher}x'
-FMT="${fmt_url}\t${fmt_cache_status}\t${fmt_http_status}\t${fmt_http_method}\t${fmt_cache_control}\t${fmt_inm}\t${fmt_h2}\t${fmt_tls_version}\t${fmt_session_reused}\t${fmt_key_exchange}\t${fmt_auth}\t${fmt_cipher}\t${fmt_full_cipher}\t"
+FMT="${fmt_url}\t${fmt_cache_status}\t${fmt_http_status}\t${fmt_http_method}\t${fmt_cache_control}\t${fmt_inm}\t${fmt_h2}\t${fmt_tls_version}\t${fmt_session_reused}\t${fmt_key_exchange}\t${fmt_auth}\t${fmt_cipher}\t"
 /usr/bin/varnishncsa -n frontend -F "${FMT}" | mtail -progs "${PROGS}" -logfds 0
diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
index 65950d7..008c9b0 100644
--- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
@@ -290,9 +290,7 @@
 set req.http.X-CP-Key-Exchange = regsub(req.http.X-Connection-Properties, ".* EC=([A-Za-z0-9]+);.*", "\1");
- set req.http.X-CP-Full-Cipher = regsub(req.http.X-Connection-Properties, ".* C=([A-Z0-9-]+);.*", "\1");
-
- set req.http.X-CP-Auth = req.http.X-CP-Full-Cipher;
+ set req.http.X-CP-Auth = regsub(req.http.X-Connection-Properties, ".* C=([A-Z0-9-]+);.*", "\1");
 if (req.http.X-CP-Auth ~ "^(ECDHE-(ECDSA|RSA)|DHE-RSA|TLS13)-") {
 set req.http.X-CP-Cipher = regsub(req.http.X-CP-Auth, "^(ECDHE-(ECDSA|RSA)|DHE-RSA|TLS13)-", "");
@@ -327,7 +325,6 @@
 std.log("CP-Key-Exchange: " + req.http.X-CP-Key-Exchange);
 std.log("CP-Auth: " + req.http.X-CP-Auth);
 std.log("CP-Cipher: " + req.http.X-CP-Cipher);
- std.log("CP-Full-Cipher: " + req.http.X-CP-Full-Cipher);
 <%- if !@varnish_testing -%>
 // Keep these in the test VCL version to ease testing
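Review bot: Dropping the `full_cipher` field from `FMT` in varnishmtail changes the line layout that every mtail program loaded via `${PROGS}` has to parse, and the diffstat lists no mtail program among the three changed files. If any program's pattern still expects a `full_cipher ...` field after `cipher ...`, it would most likely just stop matching, so the TLS metrics derived from it would go quiet rather than fail visibly. It is worth confirming the programs only key on the remaining fields, and a comment above `FMT` such as `# field order must stay in sync with the mtail programs in ${PROGS}` would record that coupling.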
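Review bot: In the `@@ -290,9 +290,7 @@` hunk of wikimedia-frontend.vcl.erb, `X-CP-Auth` is now filled directly from `regsub(...)`, and regsub returns its input unchanged when the pattern does not match, so a request whose `X-Connection-Properties` has no ` C=...;` field ends up with the whole properties string in `X-CP-Auth`. The previous code had the same fallback, but this value is logged as `CP-Auth` and the comment further down suggests TLS properties feed a client-blocking decision, so a guard such as `if (req.http.X-Connection-Properties ~ " C=[A-Z0-9-]+;") { ... }` around the assignment would keep unparsed input out of both. With the `X-CP-Full-Cipher` name gone, a comment like `// X-CP-Auth holds the full cipher-suite name here; the block below splits it` above the assignment would also preserve the intent. The `if` block that consumes the value continues outside the hunk, so a fallback branch there may already cover the no-match case.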
@@ -337,7 +334,6 @@
 unset req.http.X-CP-Key-Exchange;
 unset req.http.X-CP-Auth;
 unset req.http.X-CP-Cipher;
- unset req.http.X-CP-Full-Cipher;
 <%- end -%>
 // The idea here is to block our worst clients (in TLS terms: those
--
To view, visit https://gerrit.wikimedia.org/r/398314
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I056fb1a07dfbe9dea43c832dae795937e480c3dd
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ema <e...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Ema <e...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits