Ema has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/398314 )

Change subject: vcl: remove X-CP-Full-Cipher
......................................................................


vcl: remove X-CP-Full-Cipher

Change-Id: I056fb1a07dfbe9dea43c832dae795937e480c3dd
---
M modules/varnish/files/tests/upload/16-x-connection-properties.vtc
M modules/varnish/files/varnishmtail
M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
3 files changed, 2 insertions(+), 11 deletions(-)

Approvals:
  Ema: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc 
b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
index e100dec..0dfc2eb 100644
--- a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
+++ b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc
@@ -10,7 +10,6 @@
     expect req.http.X-CP-Key-Exchange == "prime256v1"
     expect req.http.X-CP-Auth == "ECDSA"
     expect req.http.X-CP-Cipher == "AES256-GCM-SHA384"
-    expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES256-GCM-SHA384"
 
     txresp
 
@@ -23,7 +22,6 @@
     expect req.http.X-CP-Key-Exchange == "prime256v1"
     expect req.http.X-CP-Auth == "ECDSA"
     expect req.http.X-CP-Cipher == "AES128-SHA"
-    expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES128-SHA"
 
     txresp
 
@@ -36,7 +34,6 @@
     expect req.http.X-CP-Key-Exchange == "X25519"
     expect req.http.X-CP-Auth == "ECDSA"
     expect req.http.X-CP-Cipher == "AES256-GCM-SHA384"
-    expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES256-GCM-SHA384"
 
     txresp
 
@@ -49,7 +46,6 @@
     expect req.http.X-CP-Key-Exchange == "RSA"
     expect req.http.X-CP-Auth == "RSA"
     expect req.http.X-CP-Cipher == "AES128-SHA"
-    expect req.http.X-CP-Full-Cipher == "AES128-SHA"
 
     txresp
 
diff --git a/modules/varnish/files/varnishmtail 
b/modules/varnish/files/varnishmtail
index 5ffe9cd..6e08dac 100644
--- a/modules/varnish/files/varnishmtail
+++ b/modules/varnish/files/varnishmtail
@@ -16,8 +16,7 @@
 fmt_key_exchange='key_exchange %{VCL_Log:CP-Key-Exchange}x'
 fmt_auth='auth %{VCL_Log:CP-Auth}x'
 fmt_cipher='cipher %{VCL_Log:CP-Cipher}x'
-fmt_full_cipher='full_cipher %{VCL_Log:CP-Full-Cipher}x'
 
-FMT="${fmt_url}\t${fmt_cache_status}\t${fmt_http_status}\t${fmt_http_method}\t${fmt_cache_control}\t${fmt_inm}\t${fmt_h2}\t${fmt_tls_version}\t${fmt_session_reused}\t${fmt_key_exchange}\t${fmt_auth}\t${fmt_cipher}\t${fmt_full_cipher}\t"
+FMT="${fmt_url}\t${fmt_cache_status}\t${fmt_http_status}\t${fmt_http_method}\t${fmt_cache_control}\t${fmt_inm}\t${fmt_h2}\t${fmt_tls_version}\t${fmt_session_reused}\t${fmt_key_exchange}\t${fmt_auth}\t${fmt_cipher}\t"
 
 /usr/bin/varnishncsa -n frontend -F "${FMT}" | mtail -progs "${PROGS}" -logfds 0
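Review bot: Dropping `${fmt_full_cipher}` from `FMT` changes the field layout that the mtail programs in `${PROGS}` parse, and the diffstat lists no mtail program among the three changed files. If any of them still matches a `full_cipher` field, its pattern would stop matching and the TLS metrics derived from these lines would go quiet without an error, so it is worth confirming that none of them reference it. A short comment above `FMT` such as `# field order must match the mtail programs in ${PROGS}` would make that coupling explicit.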
diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb 
b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
index 65950d7..008c9b0 100644
--- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
@@ -290,9 +290,7 @@
 
        set req.http.X-CP-Key-Exchange = 
regsub(req.http.X-Connection-Properties, ".* EC=([A-Za-z0-9]+);.*", "\1");
 
-       set req.http.X-CP-Full-Cipher = 
regsub(req.http.X-Connection-Properties, ".* C=([A-Z0-9-]+);.*", "\1");
-
-       set req.http.X-CP-Auth = req.http.X-CP-Full-Cipher;
+       set req.http.X-CP-Auth = regsub(req.http.X-Connection-Properties, ".* 
C=([A-Z0-9-]+);.*", "\1");
 
        if (req.http.X-CP-Auth ~ "^(ECDHE-(ECDSA|RSA)|DHE-RSA|TLS13)-") {
                set req.http.X-CP-Cipher = regsub(req.http.X-CP-Auth, 
"^(ECDHE-(ECDSA|RSA)|DHE-RSA|TLS13)-", "");
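Review bot: `X-CP-Auth` now takes its value straight from `regsub()` on `X-Connection-Properties`, and Varnish's `regsub()` returns its input unchanged when the pattern does not match, so a header without a well-formed `C=` field leaves the whole properties string in `X-CP-Auth`, which the later hunk writes to the `CP-Auth` log line. Only the prefixed-suite branch of the following `if` is visible and the rest of the block lies outside the hunk, so confirm that a fallback resets the value when nothing matched. Since the variable briefly holds the full suite name, a comment such as `// X-CP-Auth temporarily holds the full cipher suite; the key-exchange/auth prefix is split off below` would help the next reader. All of this assumes `X-Connection-Properties` is always overwritten by the TLS terminator and never accepted from a client, which the hunk does not show.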
@@ -327,7 +325,6 @@
        std.log("CP-Key-Exchange: " + req.http.X-CP-Key-Exchange);
        std.log("CP-Auth: " + req.http.X-CP-Auth);
        std.log("CP-Cipher: " + req.http.X-CP-Cipher);
-       std.log("CP-Full-Cipher: " + req.http.X-CP-Full-Cipher);
 
        <%- if !@varnish_testing -%>
        // Keep these in the test VCL version to ease testing
@@ -337,7 +334,6 @@
        unset req.http.X-CP-Key-Exchange;
        unset req.http.X-CP-Auth;
        unset req.http.X-CP-Cipher;
-       unset req.http.X-CP-Full-Cipher;
        <%- end -%>
 
        // The idea here is to block our worst clients (in TLS terms: those

-- 
To view, visit https://gerrit.wikimedia.org/r/398314
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I056fb1a07dfbe9dea43c832dae795937e480c3dd
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ema <e...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Ema <e...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
