Mark Bergsma has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/65807


Change subject: Restrict access to backend caches to Wikimedia IP ranges
......................................................................

Restrict access to backend caches to Wikimedia IP ranges

Change-Id: I0499f47d90938538e03afb3aeaee23d0b666318b
---
M templates/varnish/text-backend.inc.vcl.erb
M templates/varnish/upload-backend.inc.vcl.erb
M templates/varnish/wikimedia.vcl.erb
3 files changed, 8 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/07/65807/1

diff --git a/templates/varnish/text-backend.inc.vcl.erb 
b/templates/varnish/text-backend.inc.vcl.erb
index 5ed6670..d735a6b 100644
--- a/templates/varnish/text-backend.inc.vcl.erb
+++ b/templates/varnish/text-backend.inc.vcl.erb
@@ -4,6 +4,7 @@
 
 sub vcl_recv {
        call vcl_recv_purge;
+       call restrict_access;
 <% if cluster_tier == 1 -%>
 
        if ( req.http.host ~ "^test\." ) {
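Review bot: `call restrict_access;` is placed after `call vcl_recv_purge;`, so whatever vcl_recv_purge does with a request happens before the source-address check. Its body is not visible in this change; if it returns or hands PURGE requests to lookup without its own ACL, those requests never reach the 403. Putting the restriction first removes that dependency: `call restrict_access;` then `call vcl_recv_purge;`. The upload-backend hunk has the same order, which there predates this commit. vcl_recv continues outside the hunk.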
diff --git a/templates/varnish/upload-backend.inc.vcl.erb 
b/templates/varnish/upload-backend.inc.vcl.erb
index 9a624d2..76646bd 100644
--- a/templates/varnish/upload-backend.inc.vcl.erb
+++ b/templates/varnish/upload-backend.inc.vcl.erb
@@ -78,10 +78,7 @@
 <% end -%>
 sub vcl_recv {
        call vcl_recv_purge;
-
-       if (client.ip !~ wikimedia_nets) {
-               error 403 "Access denied";
-       }
+       call restrict_access;
 
        if ( req.http.host != "upload.wikimedia.org") {
                error 403 "Requested target domain not allowed.";
diff --git a/templates/varnish/wikimedia.vcl.erb 
b/templates/varnish/wikimedia.vcl.erb
index 6556944..daa056a 100644
--- a/templates/varnish/wikimedia.vcl.erb
+++ b/templates/varnish/wikimedia.vcl.erb
@@ -191,6 +191,12 @@
        }
 }
 
+sub restrict_access {
+       if (client.ip !~ wikimedia_nets) {
+               error 403 "Access denied";
+       }
+}
+
 sub vcl_recv {
        if (req.request != "GET" && req.request != "HEAD" && req.request != 
"POST" && req.request != "PURGE") {
                /* We only deal with GET, HEAD and POST by default */
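Review bot: `restrict_access` is defined in the shared wikimedia.vcl.erb, but only the two backend templates in this change call it. Varnish's compiler treats an unreferenced sub as an error while `vcc_err_unref` is on (the default), so any VCL built from this template that does not call the sub could fail to load. Which instances include this file is not visible here, so a test compile of a non-backend instance is worth doing, or the definition could sit under the same ERB condition as its callers. A comment above the sub would also help, e.g. `/* Backend instances only: client.ip is the connecting peer, not a forwarded client address */`. The `wikimedia_nets` ACL is declared outside this hunk.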

-- 
To view, visit https://gerrit.wikimedia.org/r/65807

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0499f47d90938538e03afb3aeaee23d0b666318b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Mark Bergsma <m...@wikimedia.org>
