Hashar has uploaded a new change for review. https://gerrit.wikimedia.org/r/75085
Change subject: varnish: backends trust 127.0.0.1 for XFF
......................................................................

varnish: backends trust 127.0.0.1 for XFF

On beta the X-Forwarded-For and X-Forwarded-Proto fields are stripped by the Varnish backends in sub vcl_recv. Pseudocode:

    acl allow_xff {
        # list of wikimedia networks missing 127.0.0.0/128
    }

    sub vcl_recv {
        if (client.ip ~ allow_xff ) {
            # Do nothing, aka keep X-Forwarded-Proto
        } else {
            set req.http.X-Forwarded-For = client.ip;
            unset req.http.X-Forwarded-Proto;
        }
    }

When a query is made on https://login.wikimedia.beta.wmflabs.org/ it hits the nginx proxy, which does an HTTP query on the Varnish frontend with 'X-Forwarded-For: https'. The Varnish backend strips out the X-Forwarded-Proto field and does an HTTP query to the Apache backend. MediaWiki would then emit a redirect to HTTPS. That causes a redirect loop :(

On beta the Varnishes communicate on 127.0.0.1; adding the local networks to the list of trusted XFF sources will let us keep the X-Forwarded-Proto header and send it to MediaWiki. That should prevent it from attempting to redirect the HTTP request to HTTPS.

The two local networks are made available as $wikimedia_networks.
Result: varnish::instance { "text-backend": xff_sources => $wikimedia_networks, varnish::instance { "text-frontend": xff_sources => $network::constants::all_networks, varnish::instance { "upload-backend": xff_sources => $wikimedia_networks, varnish::instance { "upload-frontend": xff_sources => $network::constants::all_networks, varnish::instance { "bits": xff_sources => $network::constants::all_networks varnish::instance { "mobile-backend": xff_sources => $wikimedia_networks, varnish::instance { "mobile-frontend": xff_sources => $network::constants::all_networks, varnish::instance { "parsoid-backend": xff_sources => $wikimedia_networks, varnish::instance { "parsoid-frontend": xff_sources => $network::constants::all_networks, bug: 51700 Change-Id: I19a8f98e172aa3c9a0149de1c9b6f60271f34884 --- M manifests/role/cache.pp 1 file changed, 4 insertions(+), 4 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/85/75085/1 diff --git a/manifests/role/cache.pp b/manifests/role/cache.pp index ac4c82a..1668c44 100644 --- a/manifests/role/cache.pp +++ b/manifests/role/cache.pp @@ -582,7 +582,7 @@ 'weight' => $backend_weight, }], wikimedia_networks => $wikimedia_networks, - xff_sources => $network::constants::all_networks + xff_sources => $wikimedia_networks, } varnish::instance { "text-frontend": @@ -729,7 +729,7 @@ }], cluster_options => $cluster_options, wikimedia_networks => $wikimedia_networks, - xff_sources => $network::constants::all_networks + xff_sources => $wikimedia_networks, } varnish::instance { "upload-frontend": @@ -961,7 +961,7 @@ 'max_connections' => 600, }], wikimedia_networks => $wikimedia_networks, - xff_sources => $network::constants::all_networks + xff_sources => $wikimedia_networks, } varnish::instance { "mobile-frontend": 
@@ -1052,7 +1052,7 @@ 'between_bytes_timeout' => "20s", 'max_connections' => 600, }], - xff_sources => $network::constants::all_networks + xff_sources => $wikimedia_networks, } varnish::instance { "parsoid-frontend": -- To view, visit https://gerrit.wikimedia.org/r/75085 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I19a8f98e172aa3c9a0149de1c9b6f60271f34884 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Hashar <has...@free.fr> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
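Review bot: in the text-backend hunk at @@ -582, xff_sources switches from $network::constants::all_networks to $wikimedia_networks, but nothing in the diff shows where $wikimedia_networks is defined or that it actually contains the loopback range the commit message says is missing; the message's own "127.0.0.0/128" is not a valid IPv4 prefix (a prefix length cannot exceed 32), so the message should state the real CIDR and point at the definition. This is also role/cache.pp on the production branch with no realm guard, so production text backends change their trusted XFF set as well, not just beta; if that is intended, say so, otherwise select the value with a realm conditional. Trusting the loopback range means any local process that can reach the backend listener can set X-Forwarded-For and X-Forwarded-Proto unchallenged, which is acceptable for the frontend hop but worth recording in the message.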
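Review bot: the parsoid-backend hunk at @@ -1052 is the only one whose context has no `wikimedia_networks => $wikimedia_networks,` line, so unlike the other three instances this one did not previously consume $wikimedia_networks; confirm the variable is in scope at that point in role/cache.pp (this patch does not introduce it), otherwise the ACL would be built from an undefined value in a way the diff does not show. The trailing comma after `$wikimedia_networks,` matches the other hunks and is fine.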
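The trust decision the commit message describes, as an added example that is not Wikimedia's VCL or puppet code: it models the vcl_recv pseudocode with Python's ipaddress module, runs a request through the nginx -> varnish frontend -> varnish backend (over 127.0.0.1) -> MediaWiki chain, and shows why the backend's ACL produces a redirect loop without the loopback range and a normal response with it. The network ranges, the nginx address, the client address and the MediaWiki redirect rule are constructed assumptions; the real values are not on the page. It also includes the check a reviewer would run against a backend's xff_sources list, and the case the ACL exists for: a client talking to Varnish directly and claiming X-Forwarded-Proto: https.

```python
"""Model of Varnish's X-Forwarded-* trust decision (added example, not the project's code)."""
import ipaddress

# Constructed stand-ins for the puppet variables; the real ranges are not on the page.
ALL_NETWORKS = ["10.0.0.0/8", "208.80.152.0/22"]        # assumed $network::constants::all_networks
WIKIMEDIA_NETWORKS = ALL_NETWORKS + ["127.0.0.0/8"]     # assumed $wikimedia_networks, loopback added

NGINX_IP = "10.4.0.10"       # assumed address of the TLS-terminating nginx proxy
LOOPBACK = "127.0.0.1"       # frontend -> backend hop on beta
CLIENT_IP = "198.51.100.7"   # a browser on the public internet (documentation range)
LOGIN_URL = "https://login.wikimedia.beta.wmflabs.org/"


def build_acl(cidrs):
    """Equivalent of the VCL acl block: the networks client.ip is matched against."""
    return [ipaddress.ip_network(c) for c in cidrs]


def vcl_recv(client_ip, req_headers, acl):
    """Mirror of the pseudocode in the commit message.

    A request from a trusted source keeps its X-Forwarded-* headers; any other
    request gets X-Forwarded-For overwritten with client.ip and X-Forwarded-Proto
    removed, so a client cannot claim to have arrived over TLS.
    """
    headers = dict(req_headers)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in acl):
        return headers
    headers["X-Forwarded-For"] = client_ip
    headers.pop("X-Forwarded-Proto", None)
    return headers


def mediawiki(headers):
    """Assumed MediaWiki rule from the message: plain-HTTP login requests are redirected to HTTPS."""
    if headers.get("X-Forwarded-Proto") == "https":
        return 200, None
    return 301, LOGIN_URL


def one_https_request(frontend_acl, backend_acl):
    """nginx terminates TLS, then varnish frontend -> varnish backend over 127.0.0.1 -> MediaWiki."""
    headers = {"X-Forwarded-For": CLIENT_IP, "X-Forwarded-Proto": "https"}  # set by nginx
    headers = vcl_recv(NGINX_IP, headers, frontend_acl)   # frontend sees nginx's address
    headers = vcl_recv(LOOPBACK, headers, backend_acl)    # backend sees the loopback hop
    return mediawiki(headers)


def fetch_login(frontend_acl, backend_acl, max_hops=5):
    """Follow redirects like a browser; return 200 or 'loop' if it never settles."""
    for _ in range(max_hops):
        status, location = one_https_request(frontend_acl, backend_acl)
        if status == 200:
            return 200
        # MediaWiki sends us to the HTTPS URL, which is exactly what we just requested.
        assert location == LOGIN_URL
    return "loop"


def loopback_is_trusted(cidrs):
    """Reviewer check for a backend's xff_sources: does it cover the frontend -> backend hop?"""
    return any(ipaddress.ip_address(LOOPBACK) in net for net in build_acl(cidrs))


def spoof_attempt(acl):
    """A client connecting to Varnish directly over plain HTTP, claiming it used TLS."""
    headers = {"X-Forwarded-Proto": "https", "X-Forwarded-For": "1.2.3.4"}
    return vcl_recv(CLIENT_IP, headers, acl)


if __name__ == "__main__":
    before, after = build_acl(ALL_NETWORKS), build_acl(WIKIMEDIA_NETWORKS)
    print("backend trusts all_networks only:", fetch_login(before, before))
    print("backend trusts wikimedia_networks:", fetch_login(before, after))
    print("loopback in ALL_NETWORKS:", loopback_is_trusted(ALL_NETWORKS))
    print("spoofed headers after vcl_recv:", spoof_attempt(after))
```

The spoof case is why xff_sources has to stay narrow: the same vcl_recv that keeps nginx's X-Forwarded-Proto also rewrites a public client's X-Forwarded-For to its real address, and that protection holds only for addresses outside the ACL. Adding 127.0.0.0/8 is safe because only local processes can originate from loopback, but it does mean every such process is trusted to set both headers.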