[MediaWiki-commits] [Gerrit] Disable HTTPS on etherpad.wikimedia.org - change (operations/puppet)

Wed, 18 Sep 2013 14:55:51 -0700 

Akosiaris has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/84873


Change subject: Disable HTTPS on etherpad.wikimedia.org
......................................................................

Disable HTTPS on etherpad.wikimedia.org

It makes no sense to have HTTPS for this for the following reasons:

1) HTTPS does not provides authentication (obviously). It actually is
possible to impersonate anyone at anytime due to the nature of the
software and the specific installation
2) HTTPS does not provide non-repudation (as above)
3) Integrity while data is transported is completely irrelevant in this
case since any data can be changed by anyone in the world at anytime in
this installation
4) Confidentiality of the data is also completely irrelevant since any
data can be read by anyone at anytime in this installation

In the sake of consistency and not providing a false sense of
security this patch disables HTTPS on etherpad.wikimedia.org

Change-Id: Ida97e1c3bf632bad6d7a7a99e4f90440b8ea4b51
---
M templates/apache/sites/etherpad_lite.wikimedia.org.erb
1 file changed, 4 insertions(+), 56 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/73/84873/1

diff --git a/templates/apache/sites/etherpad_lite.wikimedia.org.erb 
b/templates/apache/sites/etherpad_lite.wikimedia.org.erb
index 5976897..d6a3bcb 100644
--- a/templates/apache/sites/etherpad_lite.wikimedia.org.erb
+++ b/templates/apache/sites/etherpad_lite.wikimedia.org.erb
@@ -7,9 +7,9 @@
 <VirtualHost *:80>
 
        ServerName <%= etherpad_host %>
-<% if etherpad_serveraliases -%>
+       <%- if etherpad_serveraliases -%>
        ServerAlias <%= etherpad_serveraliases %>
-<% end -%>
+       <%- end -%>
 
        RewriteEngine on
        ProxyVia On
@@ -17,7 +17,7 @@
        ProxyPass / http://<%= etherpad_ip %>:<%= etherpad_port %>/
        ProxyPassReverse / http://<%= etherpad_ip %>:<%= etherpad_port %>/
        ProxyPreserveHost On
-       RewriteRule /p/*$ https://etherpad.wikimedia.org/ [NC,L]
+       RewriteRule /p/*$ http://etherpad.wikimedia.org/ [NC,L]
        RewriteCond %{REQUEST_URI} !^/locales/
        RewriteCond %{REQUEST_URI} !^/locales.json
        RewriteCond %{REQUEST_URI} !^/admin
@@ -37,58 +37,7 @@
        RewriteRule ^/+(.+)$ https://etherpad.wikimedia.org/p/$1 [L]
 
        RewriteCond %{HTTP_HOST} !etherpad.wikimedia.org
-       RewriteRule ^/+(.+)$ https://etherpad.wikimedia.org/$1 [R=301,L]
-
-       <Proxy *>
-               Options FollowSymLinks MultiViews
-               AllowOverride All
-               Order allow,deny
-               Allow from all
-    </Proxy>
-
-</VirtualHost>
-
-<VirtualHost *:443>
-
-       ServerName <%= etherpad_host %>
-<% if etherpad_serveraliases -%>
-       ServerAlias <%= etherpad_serveraliases %>
-<% end -%>
-
-       SSLEngine on
-       SSLProtocol -ALL +SSLv3 +TLSv1
-       SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
-       SSLHonorCipherOrder on
-       SSLCertificateFile <%= etherpad_ssl_cert %>
-       SSLCertificateKeyFile <%= etherpad_ssl_key %>
-
-       RewriteEngine on
-       ProxyVia On
-       ProxyRequests Off
-       ProxyPass / http://<%= etherpad_ip %>:<%= etherpad_port %>/
-       ProxyPassReverse / http://<%= etherpad_ip %>:<%= etherpad_port %>/
-       ProxyPreserveHost On
-       RewriteRule /p/*$ https://etherpad.wikimedia.org/ [NC,L]
-       RewriteCond %{REQUEST_URI} !^/locales/
-       RewriteCond %{REQUEST_URI} !^/locales.json
-       RewriteCond %{REQUEST_URI} !^/admin
-       RewriteCond %{REQUEST_URI} !^/p/
-       RewriteCond %{REQUEST_URI} !^/static/
-       RewriteCond %{REQUEST_URI} !^/pluginfw/
-       RewriteCond %{REQUEST_URI} !^/javascripts/
-       RewriteCond %{REQUEST_URI} !^/socket.io/
-       RewriteCond %{REQUEST_URI} !^/ep/
-       RewriteCond %{REQUEST_URI} !^/minified/
-       RewriteCond %{REQUEST_URI} !^/api/
-       RewriteCond %{REQUEST_URI} !^/ro/
-       RewriteCond %{REQUEST_URI} !^/error/
-       RewriteCond %{REQUEST_URI} !^/jserror
-       RewriteCond %{REQUEST_URI} !/favicon.ico
-       RewriteCond %{REQUEST_URI} !/robots.txt
-       RewriteRule ^/+(.+)$ https://etherpad.wikimedia.org/p/$1 [L]
-
-       RewriteCond %{HTTP_HOST} !etherpad.wikimedia.org
-       RewriteRule ^/+(.+)$ https://etherpad.wikimedia.org/$1 [R=301,L]
+       RewriteRule ^/+(.+)$ http://etherpad.wikimedia.org/$1 [R=301,L]
 
        <Proxy *>
                Options FollowSymLinks MultiViews
@@ -96,5 +45,4 @@
                Order allow,deny
                Allow from all
        </Proxy>
-
 </VirtualHost>

-- 
To view, visit https://gerrit.wikimedia.org/r/84873
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ida97e1c3bf632bad6d7a7a99e4f90440b8ea4b51
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Akosiaris <akosia...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits

Reply via email to