Ema has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/404426 )
Change subject: Revert "vcl: remove X-CP-Full-Cipher" ...................................................................... Revert "vcl: remove X-CP-Full-Cipher" The commit messed up stats. This reverts commit 75a508b3197d4bf8da047b661ee25d3151a1e6ac. Change-Id: I121990115fafafe875a21358f781ea7abcdd3353 --- M modules/varnish/files/tests/upload/16-x-connection-properties.vtc M modules/varnish/files/varnishmtail M modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb 3 files changed, 11 insertions(+), 2 deletions(-) Approvals: Ema: Verified; Looks good to me, approved diff --git a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc index 0dfc2eb..e100dec 100644 --- a/modules/varnish/files/tests/upload/16-x-connection-properties.vtc +++ b/modules/varnish/files/tests/upload/16-x-connection-properties.vtc @@ -10,6 +10,7 @@ expect req.http.X-CP-Key-Exchange == "prime256v1" expect req.http.X-CP-Auth == "ECDSA" expect req.http.X-CP-Cipher == "AES256-GCM-SHA384" + expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES256-GCM-SHA384" txresp @@ -22,6 +23,7 @@ expect req.http.X-CP-Key-Exchange == "prime256v1" expect req.http.X-CP-Auth == "ECDSA" expect req.http.X-CP-Cipher == "AES128-SHA" + expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES128-SHA" txresp @@ -34,6 +36,7 @@ expect req.http.X-CP-Key-Exchange == "X25519" expect req.http.X-CP-Auth == "ECDSA" expect req.http.X-CP-Cipher == "AES256-GCM-SHA384" + expect req.http.X-CP-Full-Cipher == "ECDHE-ECDSA-AES256-GCM-SHA384" txresp @@ -46,6 +49,7 @@ expect req.http.X-CP-Key-Exchange == "RSA" expect req.http.X-CP-Auth == "RSA" expect req.http.X-CP-Cipher == "AES128-SHA" + expect req.http.X-CP-Full-Cipher == "AES128-SHA" txresp diff --git a/modules/varnish/files/varnishmtail b/modules/varnish/files/varnishmtail index 6e08dac..5ffe9cd 100644 --- a/modules/varnish/files/varnishmtail +++ b/modules/varnish/files/varnishmtail 
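Review bot: The four restored `X-CP-Full-Cipher` expectations cover only `ECDHE-ECDSA-*` suites and one suite without a key-exchange prefix (`AES128-SHA`). Nothing in these hunks exercises the `DHE-RSA-` or `TLS13-` prefixes that the VCL in this same change matches, nor a request whose `X-Connection-Properties` carries no `C=` field. The test file may hold further cases outside the hunks. If it does not, add one case per remaining prefix and one for a header without `C=`, each asserting the exact `X-CP-Full-Cipher` value, so the value that ends up in the stats is pinned for every branch.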
@@ -16,7 +16,8 @@ fmt_key_exchange='key_exchange %{VCL_Log:CP-Key-Exchange}x' fmt_auth='auth %{VCL_Log:CP-Auth}x' fmt_cipher='cipher %{VCL_Log:CP-Cipher}x' +fmt_full_cipher='full_cipher %{VCL_Log:CP-Full-Cipher}x' -FMT="${fmt_url}\t${fmt_cache_status}\t${fmt_http_status}\t${fmt_http_method}\t${fmt_cache_control}\t${fmt_inm}\t${fmt_h2}\t${fmt_tls_version}\t${fmt_session_reused}\t${fmt_key_exchange}\t${fmt_auth}\t${fmt_cipher}\t" +FMT="${fmt_url}\t${fmt_cache_status}\t${fmt_http_status}\t${fmt_http_method}\t${fmt_cache_control}\t${fmt_inm}\t${fmt_h2}\t${fmt_tls_version}\t${fmt_session_reused}\t${fmt_key_exchange}\t${fmt_auth}\t${fmt_cipher}\t${fmt_full_cipher}\t" /usr/bin/varnishncsa -n frontend -F "${FMT}" | mtail -progs "${PROGS}" -logfds 0 diff --git a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb index 008c9b0..65950d7 100644 --- a/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb +++ b/modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb @@ -290,7 +290,9 @@ set req.http.X-CP-Key-Exchange = regsub(req.http.X-Connection-Properties, ".* EC=([A-Za-z0-9]+);.*", "\1"); - set req.http.X-CP-Auth = regsub(req.http.X-Connection-Properties, ".* C=([A-Z0-9-]+);.*", "\1"); + set req.http.X-CP-Full-Cipher = regsub(req.http.X-Connection-Properties, ".* C=([A-Z0-9-]+);.*", "\1"); + + set req.http.X-CP-Auth = req.http.X-CP-Full-Cipher; if (req.http.X-CP-Auth ~ "^(ECDHE-(ECDSA|RSA)|DHE-RSA|TLS13)-") { set req.http.X-CP-Cipher = regsub(req.http.X-CP-Auth, "^(ECDHE-(ECDSA|RSA)|DHE-RSA|TLS13)-", ""); @@ -325,6 +327,7 @@ std.log("CP-Key-Exchange: " + req.http.X-CP-Key-Exchange); std.log("CP-Auth: " + req.http.X-CP-Auth); std.log("CP-Cipher: " + req.http.X-CP-Cipher); + std.log("CP-Full-Cipher: " + req.http.X-CP-Full-Cipher); <%- if !@varnish_testing -%> // Keep these in the test VCL version to ease testing 
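Review bot: The order and names of the tab-separated fields in `FMT` are an undocumented contract with the mtail programs loaded from `${PROGS}`, and this revert exists because dropping `full_cipher` broke the stats. I would add a comment above `FMT`, for example `# Fields are parsed by the mtail programs in ${PROGS}; add or remove a field here and there in the same change.` The value of `%{VCL_Log:CP-Full-Cipher}x` is also written unquoted, so any whitespace in it would shift the fields that mtail sees. It is worth confirming that the VCL side only ever logs a validated cipher name.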
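Review bot: In the hunk at line 290, `X-CP-Full-Cipher` is filled by `regsub`, which returns its input unchanged when the pattern does not match. An `X-Connection-Properties` value without a ` C=...;` field would therefore be copied whole into `X-CP-Full-Cipher` and `X-CP-Auth`, and then written out by the `std.log("CP-Full-Cipher: " + ...)` line added in the hunk at line 325. The enclosing block starts outside the hunk, so it is not visible whether the field is guaranteed to be present or whether client-supplied `X-Connection-Properties` and `X-CP-*` headers are stripped earlier. If neither holds, guard the assignment with `if (req.http.X-Connection-Properties ~ " C=[A-Z0-9-]+;")` and `unset req.http.X-CP-Full-Cipher;` in the else branch, so only a validated cipher name reaches the log line and the mtail label.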
@@ -334,6 +337,7 @@ unset req.http.X-CP-Key-Exchange; unset req.http.X-CP-Auth; unset req.http.X-CP-Cipher; + unset req.http.X-CP-Full-Cipher; <%- end -%> // The idea here is to block our worst clients (in TLS terms: those -- To view, visit https://gerrit.wikimedia.org/r/404426 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I121990115fafafe875a21358f781ea7abcdd3353 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Ema <e...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Ema <e...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits