[MediaWiki-commits] [Gerrit] Rewrite sitemap.wikimedia.org to dumps.wikimedia.org - change (operations/puppet)

2015-08-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/234256

Change subject: Rewrite sitemap.wikimedia.org to dumps.wikimedia.org
..

Rewrite sitemap.wikimedia.org to dumps.wikimedia.org

The DNS change is in I086cf78.
Bug: T110511

Change-Id: I6e2436428be403e8f73ea22ef0ce13759c3ab74e
---
M modules/mediawiki/files/apache/sites/redirects.conf
M modules/mediawiki/files/apache/sites/redirects/redirects.dat
2 files changed, 7 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/56/234256/1

diff --git a/modules/mediawiki/files/apache/sites/redirects.conf 
b/modules/mediawiki/files/apache/sites/redirects.conf
index 5a6a2fb..de8cd15 100644
--- a/modules/mediawiki/files/apache/sites/redirects.conf
+++ b/modules/mediawiki/files/apache/sites/redirects.conf
@@ -369,6 +369,7 @@
ServerAlias svn.mediawiki.org
ServerAlias download.wikimedia.org
ServerAlias download.wikipedia.org
+   ServerAlias sitemap.wikimedia.org
 
# allow caching for redirects
IfModule mod_headers.c
@@ -935,6 +936,9 @@
# rewrite   download.wikipedia.org  https://dumps.wikimedia.org
RewriteCond %{HTTP_HOST} =download.wikipedia.org
RewriteRule ^[^\x00-\x1F]* https://dumps.wikimedia.org$0 [R=301,L,NE]
+   # rewrite   sitemap.wikimedia.org   https://dumps.wikimedia.org
+   RewriteCond %{HTTP_HOST} =sitemap.wikimedia.org
+   RewriteRule ^[^\x00-\x1F]* https://dumps.wikimedia.org$0 [R=301,L,NE]
 
# Type: wildcard
# funnel*wikijunior.com //en.wikibooks.org/wiki/Wikijunior
diff --git a/modules/mediawiki/files/apache/sites/redirects/redirects.dat 
b/modules/mediawiki/files/apache/sites/redirects/redirects.dat
index ec68022..9f7d064 100644
--- a/modules/mediawiki/files/apache/sites/redirects/redirects.dat
+++ b/modules/mediawiki/files/apache/sites/redirects/redirects.dat
@@ -515,3 +515,6 @@
 # rewrite download.wiki(m|p)edia to dumps.wikimedia - T107575
 rewritedownload.wikimedia.org  https://dumps.wikimedia.org
 rewritedownload.wikipedia.org  https://dumps.wikimedia.org
+
+# rewrite sitemap.wikimedia.org to dumps.wikimedia - T110511
+rewritesitemap.wikimedia.org   https://dumps.wikimedia.org
\ No newline at end of file
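Review bot: redirects.dat now ends without a trailing newline (the "\ No newline at end of file" marker right after the new "rewrite sitemap.wikimedia.org" entry). Please terminate the last line, so the next entry appended to this file does not run into this one and line-based tooling reading the .dat file sees a complete final record.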

-- 
To view, visit https://gerrit.wikimedia.org/r/234256
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I6e2436428be403e8f73ea22ef0ce13759c3ab74e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] Point sitemap.wikimedia.org to text-lb. - change (operations/dns)

2015-08-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/234257

Change subject: Point sitemap.wikimedia.org to text-lb.
..

Point sitemap.wikimedia.org to text-lb.

The redirect config in puppet is I6e24364.
Bug: T110511

Change-Id: I086cf78f3006f6b94773871996e0295f5b15aca0
---
M templates/wikimedia.org
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/dns 
refs/changes/57/234257/1

diff --git a/templates/wikimedia.org b/templates/wikimedia.org
index 03b4f93..8c4ba0e 100644
--- a/templates/wikimedia.org
+++ b/templates/wikimedia.org
@@ -59,7 +59,7 @@
 scs-ext 1H  IN A84.40.25.238
 
 dumps   1H  IN CNAME dataset1001
-sitemap 1H  IN CNAME dumps
+sitemap 600 IN DYNA  geoip!text-addrs
 
 lists   1H  IN A208.80.154.4
 1H  IN  2620:0:861:1::2
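Review bot: switching sitemap from the dumps CNAME to geoip!text-addrs sends its traffic to the text cluster, which only has something to answer with once the ServerAlias and RewriteRule from I6e24364 are deployed. The commit message links that change but does not state the order; please say that I6e24364 has to be merged and live first. The TTL on the old record is 1H, so resolvers can keep handing out the CNAME for up to an hour after this lands.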

-- 
To view, visit https://gerrit.wikimedia.org/r/234257
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I086cf78f3006f6b94773871996e0295f5b15aca0
Gerrit-PatchSet: 1
Gerrit-Project: operations/dns
Gerrit-Branch: master
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Change protocol relative to https - change (operations/puppet)

2015-07-24 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/226731

Change subject: Change protocol relative to https
..

Change protocol relative to https

Most domains are HTTPS-only (the only exception
is tools.wmflabs.org), so I suggest to change
all the %{ENV:RW_PROTO} to https.

For example, currently http://wikimedia.com redirects
to http://www.wikimedia.org first, and then redirects
to https://www.wikimedia.org. After this patch is merged,
only one redirect is needed.

Change-Id: I5fb23b5f896063e0f8e35cad31786bdc3a6d07e7
---
M modules/mediawiki/files/apache/sites/redirects.conf
1 file changed, 382 insertions(+), 382 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/31/226731/1

diff --git a/modules/mediawiki/files/apache/sites/redirects.conf 
b/modules/mediawiki/files/apache/sites/redirects.conf
index fc0858b..d30d2f2 100644
--- a/modules/mediawiki/files/apache/sites/redirects.conf
+++ b/modules/mediawiki/files/apache/sites/redirects.conf
@@ -405,64 +405,64 @@
# Type: plainOverride
# override  education.wikimedia.org/evaluating  
//commons.wikimedia.org/wiki/File:Evaluating_Wikipedia_brochure.pdf
RewriteCond %{HTTP_HOST} =education.wikimedia.org
-   RewriteRule ^/evaluating$ 
%{ENV:RW_PROTO}://commons.wikimedia.org/wiki/File:Evaluating_Wikipedia_brochure.pdf
 [R=301,L,NE]
+   RewriteRule ^/evaluating$ 
https://commons.wikimedia.org/wiki/File:Evaluating_Wikipedia_brochure.pdf 
[R=301,L,NE]
# override  education.wikimedia.org/illustrating
//commons.wikimedia.org/wiki/File:Illustrating_Wikipedia_brochure.pdf
RewriteCond %{HTTP_HOST} =education.wikimedia.org
-   RewriteRule ^/illustrating$ 
%{ENV:RW_PROTO}://commons.wikimedia.org/wiki/File:Illustrating_Wikipedia_brochure.pdf
 [R=301,L,NE]
+   RewriteRule ^/illustrating$ 
https://commons.wikimedia.org/wiki/File:Illustrating_Wikipedia_brochure.pdf 
[R=301,L,NE]
# override  education.wikimedia.org/casestudies 
//outreach.wikimedia.org/wiki/Education/Case_Studies
RewriteCond %{HTTP_HOST} =education.wikimedia.org
-   RewriteRule ^/casestudies$ 
%{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies 
[R=301,L,NE]
+   RewriteRule ^/casestudies$ 
https://outreach.wikimedia.org/wiki/Education/Case_Studies [R=301,L,NE]
# override  education.wikimedia.org/content 
//outreach.wikimedia.org/wiki/Education/Case_Studies/content
RewriteCond %{HTTP_HOST} =education.wikimedia.org
-   RewriteRule ^/content$ 
%{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/content 
[R=301,L,NE]
+   RewriteRule ^/content$ 
https://outreach.wikimedia.org/wiki/Education/Case_Studies/content [R=301,L,NE]
# override  education.wikimedia.org/copyediting 
//outreach.wikimedia.org/wiki/Education/Case_Studies/copyediting
RewriteCond %{HTTP_HOST} =education.wikimedia.org
-   RewriteRule ^/copyediting$ 
%{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/copyediting
 [R=301,L,NE]
+   RewriteRule ^/copyediting$ 
https://outreach.wikimedia.org/wiki/Education/Case_Studies/copyediting 
[R=301,L,NE]
# override  education.wikimedia.org/definitions 
//outreach.wikimedia.org/wiki/Education/Case_Studies/definitions
RewriteCond %{HTTP_HOST} =education.wikimedia.org
-   RewriteRule ^/definitions$ 
%{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/definitions
 [R=301,L,NE]
+   RewriteRule ^/definitions$ 
https://outreach.wikimedia.org/wiki/Education/Case_Studies/definitions 
[R=301,L,NE]
# override  education.wikimedia.org/featuredarticle 
//outreach.wikimedia.org/wiki/Education/Case_Studies/featuredarticle
RewriteCond %{HTTP_HOST} =education.wikimedia.org
-   RewriteRule ^/featuredarticle$ 
%{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/featuredarticle
 [R=301,L,NE]
+   RewriteRule ^/featuredarticle$ 
https://outreach.wikimedia.org/wiki/Education/Case_Studies/featuredarticle 
[R=301,L,NE]
# override  education.wikimedia.org/fivecriteria
//outreach.wikimedia.org/wiki/Education/Case_Studies/fivecriteria
RewriteCond %{HTTP_HOST} =education.wikimedia.org
-   RewriteRule ^/fivecriteria$ 
%{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/fivecriteria
 [R=301,L,NE]
+   RewriteRule ^/fivecriteria$ 
https://outreach.wikimedia.org/wiki/Education/Case_Studies/fivecriteria 
[R=301,L,NE]
# override  education.wikimedia.org/illustrations   
//outreach.wikimedia.org/wiki/Education/Case_Studies/illustrations
RewriteCond %{HTTP_HOST} =education.wikimedia.org
-   RewriteRule ^/illustrations$ 
%{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/illustrations
 [R=301,L,NE]
+   RewriteRule 
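Review bot: the comment above each rewritten rule still gives the target in protocol-relative form, for example "# override education.wikimedia.org/evaluating //commons.wikimedia.org/wiki/File:Evaluating_Wikipedia_brochure.pdf", while the RewriteRule under it now hardcodes https://. Either update the comments in the same change or, if they are produced from another file, change that source so the two cannot drift. The commit message names tools.wmflabs.org as the one host that is not HTTPS-only; with all 382 occurrences replaced, please confirm that no rule in this file redirects to it.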

[MediaWiki-commits] [Gerrit] Update links on dumps.wm.org to HTTPS - change (operations/puppet)

2015-07-15 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/224750

Change subject: Update links on dumps.wm.org to HTTPS
..

Update links on dumps.wm.org to HTTPS

Some links on https://dumps.wikimedia.org/ are hard-coded
http:. I changed them to either https: or relative links.

Change-Id: Ic8abfffa607dbe19106a5b9cf927a38d788cf234
---
M modules/dataset/files/html/legal.html
M modules/dataset/files/html/pagecounts-ez_index.html
M modules/dataset/files/html/poty_index.html
M modules/dataset/files/html/public_index.html
4 files changed, 17 insertions(+), 17 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/50/224750/1

diff --git a/modules/dataset/files/html/legal.html 
b/modules/dataset/files/html/legal.html
index fc98664..07b4451 100644
--- a/modules/dataset/files/html/legal.html
+++ b/modules/dataset/files/html/legal.html
@@ -108,22 +108,22 @@
 div id=globalWrapper
 div id=content
 h1License information/h1
-pWikimedia’s a 
href=https://wikimediafoundation.org/wiki/Mission;mission/a is to create 
educational content that is freely available to all people. In keeping with 
that goal, all information on Wikimedia projects may be freely shared, copied, 
remixed, and used for any purpose (including commercial purposes!) in 
perpetuity. To help guide users of a 
href=http://dumps.wikimedia.org/;dumps.wikimedia.org/a, this page contains 
more detailed information about Wikimedia’s licensing and licensing policies as 
they may apply to our dumps./p
+pWikimedia’s a 
href=https://wikimediafoundation.org/wiki/Mission;mission/a is to create 
educational content that is freely available to all people. In keeping with 
that goal, all information on Wikimedia projects may be freely shared, copied, 
remixed, and used for any purpose (including commercial purposes!) in 
perpetuity. To help guide users of a 
href=https://dumps.wikimedia.org/;dumps.wikimedia.org/a, this page contains 
more detailed information about Wikimedia’s licensing and licensing policies as 
they may apply to our dumps./p
 div 
style=background:#ff;border-width:1px;border-style:solid;border-color:red;padding:1em;font-size:large;This
 is a high-level guide only. Where this information conflicts with specific 
information in the a 
href=https://wikimediafoundation.org/wiki/Terms_of_Use;Wikimedia Foundation 
Terms of Use/a, or with other information contained inside the dumps 
themselves, this description should be ignored. Those terms are 
controlling./div
 h2Text/h2
 
-pExcept as discussed below, all original textual content is licensed under 
the a href=http://www.wikipedia.org/wiki/Wikipedia:Copyrights; 
title=Wikipedia Copyrights
-GNU Free Documentation License/a (GFDL) and the a 
href=http://creativecommons.org/licenses/by-sa/3.0/; title=Creative Commons 
Attribution-Share-Alike 3.0 LicenseCreative Commons Attribution-Share-Alike 
3.0 License/a.  Some text may be available only under the Creative Commons 
license; see our a 
href=http://wikimediafoundation.org/wiki/Terms_of_use;Terms of Use/a for 
details. Text written by some authors may be released under additional licenses 
or into the public domain./p
+pExcept as discussed below, all original textual content is licensed under 
the a href=https://www.wikipedia.org/wiki/Wikipedia:Copyrights; 
title=Wikipedia Copyrights
+GNU Free Documentation License/a (GFDL) and the a 
href=https://creativecommons.org/licenses/by-sa/3.0/; title=Creative Commons 
Attribution-Share-Alike 3.0 LicenseCreative Commons Attribution-Share-Alike 
3.0 License/a.  Some text may be available only under the Creative Commons 
license; see our a 
href=https://wikimediafoundation.org/wiki/Terms_of_use;Terms of Use/a for 
details. Text written by some authors may be released under additional licenses 
or into the public domain./p
 h2Images/h2
-pBy default, images uploaded to our services are under the a 
href=http://creativecommons.org/licenses/by-sa/3.0/; title=Creative Commons 
Attribution-Share-Alike 3.0 LicenseCreative Commons Attribution-Share-Alike 
3.0 License/a. However, many images are NOT released under Creative Commons. 
Image copyright information is contained in the image description page inside 
the text dumps.p
+pBy default, images uploaded to our services are under the a 
href=https://creativecommons.org/licenses/by-sa/3.0/; title=Creative Commons 
Attribution-Share-Alike 3.0 LicenseCreative Commons Attribution-Share-Alike 
3.0 License/a. However, many images are NOT released under Creative Commons. 
Image copyright information is contained in the image description page inside 
the text dumps.p
 h2Exceptions/h2
 h3Wikinews/h3
-pAs of 2005-09-25 all Wikinews textual content is licensed under 
the a 
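Review bot: in the Images paragraph the rewritten line still ends with an opening p tag after "the text dumps." where the other paragraphs in this hunk end with a closing /p; since the line is being touched anyway, close the paragraph here. Separately, the commit message says links became either https: or relative, but the link to dumps.wikimedia.org on its own site is changed to an absolute https:// URL; a relative link would avoid hardcoding the host.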

[MediaWiki-commits] [Gerrit] Remove old double-subdomain aliases - change (operations/dns)

2015-07-12 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/224309

Change subject: Remove old double-subdomain aliases
..

Remove old double-subdomain aliases

wikipedia.org can be preloaded after this and
Iac4deed5 are merged.

Bug: T102814
Change-Id: I91cbc925e14f60a1cfb0ae16eb0dc3c8de44fa6e
---
M templates/wikipedia.org
1 file changed, 0 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/dns 
refs/changes/09/224309/1

diff --git a/templates/wikipedia.org b/templates/wikipedia.org
index 60d4767..1a61d36 100644
--- a/templates/wikipedia.org
+++ b/templates/wikipedia.org
@@ -56,14 +56,6 @@
 www 600 IN DYNA geoip!text-addrs
 zh-tw   600 IN DYNA geoip!text-addrs
 
-; Old double-subdomain aliases (bug 31335)
-arbcom.de   600 IN DYNA geoip!text-addrs
-arbcom.en   600 IN DYNA geoip!text-addrs
-arbcom.fi   600 IN DYNA geoip!text-addrs
-arbcom.nl   600 IN DYNA geoip!text-addrs
-wg.en   600 IN DYNA geoip!text-addrs
-
-
 ; All languages will automatically be included here.
 {{ geolanglist('text-addrs') }}
 

-- 
To view, visit https://gerrit.wikimedia.org/r/224309
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I91cbc925e14f60a1cfb0ae16eb0dc3c8de44fa6e
Gerrit-PatchSet: 1
Gerrit-Project: operations/dns
Gerrit-Branch: master
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Rank all ECDHE all DHE all RSA - change (operations/puppet)

2015-07-11 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/224232

Change subject: Rank all ECDHE  all DHE  all RSA
..

Rank all ECDHE  all DHE  all RSA

Some clients support both ECDHE and DHE  1024-bit.
The current cipher suite breaks them, since we use
DHE 2048-bit. ECDHE is also better in performance.
So I suggest we prefer ECDHE+non-AEAD over DHE+AEAD.
Only IE 11 on Win 7, 8.1, WP8.1 are negatively affected,
which only support DHE-GCM, not ECDHE-GCM.

Bug: T105455
Change-Id: Ie9f36e47a0bc03660703e2a64de39042cfe87691
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 11 insertions(+), 11 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/32/224232/1

diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index f85788f..16774ea 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -14,12 +14,12 @@
 #   Note that due to POODLE, SSLv3 is universally disabled and none of these
 #   options are compatible with SSLv3-only clients such as IE6/XP.
 #   Current options are:
-#   - strong: Only TLSv1.2 with PFS+AEAD ciphers.  In practice this is a
+#   - strong: Only TLSv1.2 with ECDHE+AEAD ciphers.  In practice this is a
 # very short list, and requires a very modern client.  No
 # tradeoff is made for compatibility.  Known to work with:
-# New FF/Chrome, IE11, Java8, Android 4.4+, OpenSSL 1.0.x
+# New FF/Chrome, Java8, Android 4.4+, OpenSSL 1.0.x
 # Definitely broken with: All Safari (OSX/iOS).
-# IE11 support requires either DHE support or an ECDSA key.
+# IE11 support requires an ECDSA key.
 #   - mid:Supports TLSv1.0 and higher, and adds several forward-secret
 # options which are not AEAD.  This is compatible with many
 # more clients than strong.  With a DHE-capable server,
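Review bot: the description of 'mid' in the unchanged context still says it "adds several forward-secret options which are not AEAD", but this change moves DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384 into 'mid', and both are AEAD suites. Update the 'mid' text together with 'strong' so the doc comment matches the lists.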
@@ -75,30 +75,30 @@
   # 4) Auth: ECDSA  RSA  (Server Performance)
   # 5) Kx:   ECDHE  DHE  (Server Performance)
   basic = {
-# Forward-Secret + AEAD
+# ECHDE + AEAD
 'strong' = [
   '-ALL',
   'ECDHE-ECDSA-AES128-GCM-SHA256',
   'ECDHE-RSA-AES128-GCM-SHA256',
-  'DHE-RSA-AES128-GCM-SHA256',
   'ECDHE-ECDSA-AES256-GCM-SHA384',
   'ECDHE-RSA-AES256-GCM-SHA384',
-  'DHE-RSA-AES256-GCM-SHA384',
 ],
-# Forward-Secret, but not AEAD
+# ECDHE + non-AEAD, and DHE
 'mid' = [
   'ECDHE-ECDSA-AES128-SHA256',
   'ECDHE-RSA-AES128-SHA256',
-  'DHE-RSA-AES128-SHA256',
   'ECDHE-ECDSA-AES128-SHA',
   'ECDHE-RSA-AES128-SHA',
-  'DHE-RSA-AES128-SHA',
   'ECDHE-ECDSA-AES256-SHA384',
   'ECDHE-RSA-AES256-SHA384',
-  'DHE-RSA-AES256-SHA256',
   'ECDHE-ECDSA-AES256-SHA',
   'ECDHE-RSA-AES256-SHA',
-  'DHE-RSA-AES256-SHA',
+ 'DHE-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES256-GCM-SHA384',
+ 'DHE-RSA-AES128-SHA256',
+ 'DHE-RSA-AES128-SHA',
+ 'DHE-RSA-AES256-SHA256',
+ 'DHE-RSA-AES256-SHA',
   'DHE-RSA-CAMELLIA128-SHA',
   'DHE-RSA-CAMELLIA256-SHA',
 ],
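Review bot: the new comment over 'strong' reads "# ECHDE + AEAD"; that should be ECDHE. The six re-added DHE-RSA entries are also indented differently from the ECDHE entries above them and the CAMELLIA entries below, so please align them with the rest of the array. Since every ECDHE suite now ranks above the DHE-GCM suites, the numbered ordering rules above "basic = {" (only 4 and 5 are visible here) should be checked against the new order as well.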

-- 
To view, visit https://gerrit.wikimedia.org/r/224232
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie9f36e47a0bc03660703e2a64de39042cfe87691
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Secure GeoIP and WMF-Last-Access cookies - change (operations/puppet)

2015-07-10 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/224029

Change subject: Secure GeoIP and WMF-Last-Access cookies
..

Secure GeoIP and WMF-Last-Access cookies

Since all Wikimedia projects have moved to HTTPS only,
there is no need to send GeoIP and WMF-Last-Access
cookies if the connection is over HTTP.

Bug: T105451
Change-Id: I6478e55f7a7f3d24f179b45cb178d2d77db12a31
---
M templates/varnish/geoip.inc.vcl.erb
M templates/varnish/last-access.inc.vcl.erb
2 files changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/29/224029/1

diff --git a/templates/varnish/geoip.inc.vcl.erb 
b/templates/varnish/geoip.inc.vcl.erb
index 5314e09..b7b30c5 100644
--- a/templates/varnish/geoip.inc.vcl.erb
+++ b/templates/varnish/geoip.inc.vcl.erb
@@ -228,7 +228,7 @@
// Use libvmod-header to ensure the Set-Cookie header 
we are adding does not
// clobber or manipulate existing cookie headers (if 
any).
Vmod_Func_header.append(sp, HDR_RESP, 
\013Set-Cookie:, cookie_buf, ; Path=/; Domain=.,
-   host_safe, vrt_magic_string_end);
+   host_safe, ; Secure, vrt_magic_string_end);
}
}C
 }
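Review bot: appending "; Secure" stops the browser from returning the GeoIP cookie over HTTP, but nothing in the visible context limits this Set-Cookie to HTTPS responses, so a plain-HTTP response would still carry the cookie value. If the intent stated in the commit message is that the cookie never travels over HTTP, gate the append on the request protocol as well.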
diff --git a/templates/varnish/last-access.inc.vcl.erb 
b/templates/varnish/last-access.inc.vcl.erb
index 71ecfbf..e548288 100644
--- a/templates/varnish/last-access.inc.vcl.erb
+++ b/templates/varnish/last-access.inc.vcl.erb
@@ -55,7 +55,7 @@
Vmod_Func_header.append(sp, HDR_RESP, \013Set-Cookie:,
WMF-Last-Access=,
VRT_GetHdr(sp, HDR_REQ, \011X-NowDay:),
-   ;Path=/;HttpOnly;Expires=,
+   ;Path=/;HttpOnly;Secure;Expires=,
VRT_time_string(sp, (double)(
((time_t)VRT_r_now(sp) + 2764800) / 43200 * 43200
)),
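Review bot: with Secure added between HttpOnly and Expires, a client that reaches this code over plain HTTP will never send WMF-Last-Access back, so the cookie would be set again on every such response. The commit message relies on all projects being HTTPS-only; please confirm that no host served by this VCL still answers over HTTP, or skip setting the cookie there.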

-- 
To view, visit https://gerrit.wikimedia.org/r/224029
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I6478e55f7a7f3d24f179b45cb178d2d77db12a31
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] HSTS preload for Mediawiki and Wikimediafoundation - change (operations/puppet)

2015-07-06 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/223054

Change subject: HSTS preload for Mediawiki and Wikimediafoundation
..

HSTS preload for Mediawiki and Wikimediafoundation

All subdomains of mediawiki.org and wikimediafoundation.org
are covered by the TLS certificate now (If010437c).
So they are ready to be preloaded.

Bug: T104244
Change-Id: Icb98ddb75a46b7c6d170ec5c4e6eb0c1032d22db
---
M modules/varnish/templates/vcl/wikimedia.vcl.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/54/223054/1

diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb 
b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index 886a8b5..c497e2d 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -223,7 +223,7 @@
// HSTS to reach a client, the client implicitly has to have already
// successfully reached us over HTTPS for the given domainname.
if (req.http.X-Forwarded-Proto == https) {
-   if (req.http.Host ~ (?i)(^|\.)wikidata\.org$) {
+   if (req.http.Host ~ 
(?i)(^|\.)(wikidata|mediawiki|wikimediafoundation)\.org$) {
set resp.http.Strict-Transport-Security = 
max-age=31536000; includeSubDomains; preload;
}
else {
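Review bot: adding mediawiki and wikimediafoundation to the Host match sends "includeSubDomains; preload" with max-age=31536000, which clients hold for a year and which is slow to undo once the domains are on a preload list. The commit message cites certificate coverage (If010437c) only; the DNS changes that remove www.donate.mediawiki.org and www.donate.wikimediafoundation.org say those removals have to happen before submission, so please list them as dependencies here. Also note the pattern ends in \.org$, so a Host header that carries a port falls through to the else branch.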

-- 
To view, visit https://gerrit.wikimedia.org/r/223054
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icb98ddb75a46b7c6d170ec5c4e6eb0c1032d22db
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Remove www.email.donate.wikimedia.org from DNS - change (operations/dns)

2015-07-06 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/223245

Change subject: Remove www.email.donate.wikimedia.org from DNS
..

Remove www.email.donate.wikimedia.org from DNS

It seems OK to remove http://www.email.donate.wikimedia.org/

Bug: T102827
Change-Id: I13c519fe57287e5450fc6b84507e7356dea944e4
---
M templates/wikimedia.org
1 file changed, 0 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/dns 
refs/changes/45/223245/1

diff --git a/templates/wikimedia.org b/templates/wikimedia.org
index c13d562..aa4d54e 100644
--- a/templates/wikimedia.org
+++ b/templates/wikimedia.org
@@ -692,7 +692,6 @@
 
 links.email.donate  1H  IN CNAME recp.mkt41.net.
 open.email.donate   1H  IN CNAME open.mkt41.net.
-www.email.donate1H  IN CNAME wikimedia.org.
 
 
 ; Corp glue records
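Review bot: the only justification given for deleting the www.email.donate CNAME is "It seems OK to remove" in the commit message. Please state what was checked (what the name currently serves and whether anything still links to it), as the sibling changes for the other www.donate names do.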

-- 
To view, visit https://gerrit.wikimedia.org/r/223245
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I13c519fe57287e5450fc6b84507e7356dea944e4
Gerrit-PatchSet: 1
Gerrit-Project: operations/dns
Gerrit-Branch: master
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Remove www.donate.mediawiki.org from DNS - change (operations/dns)

2015-07-05 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/222877

Change subject: Remove www.donate.mediawiki.org from DNS
..

Remove www.donate.mediawiki.org from DNS

http://www.donate.mediawiki.org is an Unconfigured domain.
After this domain is removed, mediawiki.org can be submitted
to HSTS preload list.

Bug: T102827
Change-Id: I0940f278af2ec2cdd6be0317b3bb444fdc760362
---
M templates/mediawiki.org
1 file changed, 0 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/dns 
refs/changes/77/222877/1

diff --git a/templates/mediawiki.org b/templates/mediawiki.org
index 33bdce1..09fb984 100644
--- a/templates/mediawiki.org
+++ b/templates/mediawiki.org
@@ -44,7 +44,6 @@
 donate  600 IN DYNA geoip!text-addrs
 download600 IN DYNA geoip!text-addrs
 integration 600 IN DYNA geoip!text-addrs
-www.donate  600 IN DYNA geoip!text-addrs
 svn 600 IN DYNA geoip!text-addrs
 
 ; Mobile

-- 
To view, visit https://gerrit.wikimedia.org/r/222877
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0940f278af2ec2cdd6be0317b3bb444fdc760362
Gerrit-PatchSet: 1
Gerrit-Project: operations/dns
Gerrit-Branch: master
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Remove www.donate.wikimediafoundation.org from DNS - change (operations/dns)

2015-07-05 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/222876

Change subject: Remove www.donate.wikimediafoundation.org from DNS
..

Remove www.donate.wikimediafoundation.org from DNS

http://www.donate.wikimediafoundation.org redirects to
https://wikimediafoundation.org/wiki/Home, which is not
so useful anyway. After this domain is removed,
wikimediafoundation.org can be submitted to HSTS preload
list.

Bug: T102827
Change-Id: I8e27563a458203c5e6cef24e8253afbfd35746bf
---
M templates/wikimediafoundation.org
1 file changed, 0 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/dns 
refs/changes/76/222876/1

diff --git a/templates/wikimediafoundation.org 
b/templates/wikimediafoundation.org
index 902842b..a1d1266 100644
--- a/templates/wikimediafoundation.org
+++ b/templates/wikimediafoundation.org
@@ -40,6 +40,5 @@
 www 600 IN DYNA geoip!text-addrs
 
 ; Other websites
-www.donate  600 IN DYNA geoip!text-addrs
 donate  600 IN DYNA geoip!text-addrs
 m   600 IN DYNA geoip!mobile-addrs

-- 
To view, visit https://gerrit.wikimedia.org/r/222876
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I8e27563a458203c5e6cef24e8253afbfd35746bf
Gerrit-PatchSet: 1
Gerrit-Project: operations/dns
Gerrit-Branch: master
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Remove www.donate.wikipedia.org from DNS - change (operations/dns)

2015-07-05 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/222883

Change subject: Remove www.donate.wikipedia.org from DNS
..

Remove www.donate.wikipedia.org from DNS

http://www.donate.wikipedia.org/ redirects to
http://donate.wikipedia.org/w/index.php, which redirects to
https://donate.wikipedia.org/w/index.php, which redirects to
https://wikimediafoundation.org/wiki/Home, which is
not related to donation.

Bug: T102827
Change-Id: Iacc184b672eaac819ab8732adb5d7616966940a6
---
M templates/wikipedia.org
1 file changed, 0 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/dns 
refs/changes/83/222883/1

diff --git a/templates/wikipedia.org b/templates/wikipedia.org
index 4e5f636..60d4767 100644
--- a/templates/wikipedia.org
+++ b/templates/wikipedia.org
@@ -80,7 +80,6 @@
 shop600 IN DYNA geoip!text-addrs
 stats   1H  IN CNAMEstats.wikimedia.org.
 store   600 IN DYNA geoip!text-addrs
-www.donate  600 IN DYNA geoip!text-addrs
 www.m   600 IN DYNA geoip!mobile-addrs
 zero600 IN DYNA geoip!mobile-addrs
 

-- 
To view, visit https://gerrit.wikimedia.org/r/222883
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iacc184b672eaac819ab8732adb5d7616966940a6
Gerrit-PatchSet: 1
Gerrit-Project: operations/dns
Gerrit-Branch: master
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Remove www.donate.wiktionary.org from DNS - change (operations/dns)

2015-07-05 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/222880

Change subject: Remove www.donate.wiktionary.org from DNS
..

Remove www.donate.wiktionary.org from DNS

http://www.donate.wiktionary.org/ returns 404.

Bug: T102827
Change-Id: I1c8903ba09c28ee5371bfdc2164538f5ee7cd5d5
---
M templates/wiktionary.org
1 file changed, 0 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/dns 
refs/changes/80/222880/1

diff --git a/templates/wiktionary.org b/templates/wiktionary.org
index 5098727..bad136e 100644
--- a/templates/wiktionary.org
+++ b/templates/wiktionary.org
@@ -40,7 +40,6 @@
 {{ geolanglist('text-addrs') }}
 
 ; Other websites
-www.donate  600 IN DYNA geoip!text-addrs
 donate  600 IN DYNA geoip!text-addrs
 
 ; Mobile

-- 
To view, visit https://gerrit.wikimedia.org/r/222880
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1c8903ba09c28ee5371bfdc2164538f5ee7cd5d5
Gerrit-PatchSet: 1
Gerrit-Project: operations/dns
Gerrit-Branch: master
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Wikidata - HSTS include subdomains and preload - change (operations/puppet)

2015-07-02 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/70

Change subject: Wikidata - HSTS include subdomains and preload
..

Wikidata - HSTS include subdomains and preload

wikidata.org only has four subdomains, all of which don't have
certificate issues. So I believe it's safe to add includeSubDomains
and preload tokens so that it can be preloaded.

Bug: T104244
Change-Id: Iab425da3cf2d6c68ed313eec0993584374701349
---
M modules/varnish/templates/vcl/wikimedia.vcl.erb
1 file changed, 6 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/70/70/1

diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb 
b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index 859828f..cd804ec 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -224,7 +224,12 @@
// successfully reached us over HTTPS for the given domainname.
if (req.http.X-Forwarded-Proto == https) {
if (!resp.http.Strict-Transport-Security) {
-   set resp.http.Strict-Transport-Security = 
max-age=15768000;
+   if (req.http.Host ~ (?i)(^|\.)wikidata\.org$) {
+   set resp.http.Strict-Transport-Security = 
max-age=15768000; includeSubDomains; preload;
+   }
+   else {
+   set resp.http.Strict-Transport-Security = 
max-age=15768000;
+   }
}
}
 }
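
Review bot: the new condition `req.http.Host ~ (?i)(^|\.)wikidata\.org$` is anchored with `$`, so a Host value carrying an explicit port or a trailing dot falls through to the else branch and silently gets the plain `max-age=15768000` policy. Either normalise the host before the test or allow an optional port suffix in the pattern. A comment above the branch should also record that `includeSubDomains` binds every subdomain created later, not only the four the commit message counts, and that a `preload` entry is slow to withdraw once browsers ship it.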

-- 
To view, visit https://gerrit.wikimedia.org/r/70
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iab425da3cf2d6c68ed313eec0993584374701349
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] people - Raise HSTS max-age to 1 year - change (operations/puppet)

2015-06-11 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/217557

Change subject: people - Raise HSTS max-age to 1 year
..

people - Raise HSTS max-age to 1 year

I2577bd04 enabled HSTS with max-age=7 days.

Bug: T40516
Change-Id: I64ee4d25d70569e8c7bfaccfb08d0d814754150f
---
M modules/publichtml/templates/apacheconfig.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/57/217557/1

diff --git a/modules/publichtml/templates/apacheconfig.erb 
b/modules/publichtml/templates/apacheconfig.erb
index 4fc6917..9d44194 100644
--- a/modules/publichtml/templates/apacheconfig.erb
+++ b/modules/publichtml/templates/apacheconfig.erb
@@ -13,7 +13,7 @@
 RewriteCond %{REQUEST_URI} !^/status$
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
-Header always set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 
 DocumentRoot %= @docroot %
 

-- 
To view, visit https://gerrit.wikimedia.org/r/217557
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I64ee4d25d70569e8c7bfaccfb08d0d814754150f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] noc - Raise HSTS max-age to 1 year - change (operations/puppet)

2015-05-26 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/213976

Change subject: noc - Raise HSTS max-age to 1 year
..

noc - Raise HSTS max-age to 1 year

If nothing went wrong after Ie3706dd8 was merged, let's
raise the HSTS max-age to 1 year.

Bug: T40516
Change-Id: I4459049b3c7719fddfa144312a9743e8911f8453
---
M modules/noc/templates/noc.wikimedia.org.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/76/213976/1

diff --git a/modules/noc/templates/noc.wikimedia.org.erb 
b/modules/noc/templates/noc.wikimedia.org.erb
index 5120070..cb442e1 100644
--- a/modules/noc/templates/noc.wikimedia.org.erb
+++ b/modules/noc/templates/noc.wikimedia.org.erb
@@ -18,7 +18,7 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
-Header always set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 
 ErrorLog /var/log/apache2/error.log
 

-- 
To view, visit https://gerrit.wikimedia.org/r/213976
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4459049b3c7719fddfa144312a9743e8911f8453
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] transparency - Raise HSTS max-age to 1 year - change (operations/puppet)

2015-05-16 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/211394

Change subject: transparency - Raise HSTS max-age to 1 year
..

transparency - Raise HSTS max-age to 1 year

I14f5cf35 enabled HSTS with max-age=7 days.

Bug: T40516
Change-Id: Ie61e3df798c13babdc3543f2bf4accd6c8275dc7
---
M templates/apache/sites/transparency.wikimedia.org.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/94/211394/1

diff --git a/templates/apache/sites/transparency.wikimedia.org.erb 
b/templates/apache/sites/transparency.wikimedia.org.erb
index 44abf7c..55ee919 100644
--- a/templates/apache/sites/transparency.wikimedia.org.erb
+++ b/templates/apache/sites/transparency.wikimedia.org.erb
@@ -19,5 +19,5 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
-Header always set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 /VirtualHost
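
Review bot: a missing-documentation point on the `+Header always set Strict-Transport-Security max-age=31536000` line. Reverting this line later does not shorten the policy for browsers that have already cached it; only serving `max-age=0` over HTTPS does. A short comment above the directive recording that, and naming I14f5cf35 as the 7-day trial, would keep the next operator from treating a revert as a rollback.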

-- 
To view, visit https://gerrit.wikimedia.org/r/211394
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie61e3df798c13babdc3543f2bf4accd6c8275dc7
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] RT - Raise HSTS max-age to 1 year - change (operations/puppet)

2015-04-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/206977

Change subject: RT - Raise HSTS max-age to 1 year
..

RT - Raise HSTS max-age to 1 year

I0d4d0afe enabled HSTS, which was merged one
week ago.

Bug: T40516
Change-Id: I120aed9fc9bd9decaa9de5fff90bff0b7cee432c
---
M manifests/role/requesttracker.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/77/206977/1

diff --git a/manifests/role/requesttracker.pp b/manifests/role/requesttracker.pp
index 7dafbb8..7e7388f 100644
--- a/manifests/role/requesttracker.pp
+++ b/manifests/role/requesttracker.pp
@@ -6,7 +6,7 @@
 
 install_certificate { 'rt.wikimedia.org': }
 
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
 
 class { '::requesttracker':
 apache_site = 'rt.wikimedia.org',
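
Review bot: the third argument changes from `'7'` to `'365'` and is still a quoted string. The ssl_ciphersuite.rb hunk in change 199319 on this page computes `hsts_seconds = hsts_days * 86400`, and in Ruby a String multiplied by an integer is repeated rather than scaled, so please confirm the function converts the argument to an integer before that line. If it does, a bare `365` here would still state the intent more clearly.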

-- 
To view, visit https://gerrit.wikimedia.org/r/206977
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I120aed9fc9bd9decaa9de5fff90bff0b7cee432c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] integration - Raise HSTS max-age to 1 year - change (operations/puppet)

2015-04-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/206981

Change subject: integration - Raise HSTS max-age to 1 year
..

integration - Raise HSTS max-age to 1 year

I09341edb enabled HSTS with max-age=7 days

Bug: T40516
Change-Id: I0a79ddb89c0c27eb51da3d75619bb8c644bf4b29
---
M modules/contint/templates/apache/integration.wikimedia.org.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/81/206981/1

diff --git a/modules/contint/templates/apache/integration.wikimedia.org.erb 
b/modules/contint/templates/apache/integration.wikimedia.org.erb
index 3de7005..fe20e6c 100644
--- a/modules/contint/templates/apache/integration.wikimedia.org.erb
+++ b/modules/contint/templates/apache/integration.wikimedia.org.erb
@@ -22,7 +22,7 @@
 Redirect 301 /monitoring/ 
https://tools.wmflabs.org/nagf/?project=integration
 
 Header always merge Vary X-Forwarded-Proto
-Header always set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 
 Include *_proxy
 

-- 
To view, visit https://gerrit.wikimedia.org/r/206981
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0a79ddb89c0c27eb51da3d75619bb8c644bf4b29
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] annual - Raise HSTS max-age to 1 year and add always - change (operations/puppet)

2015-04-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/206984

Change subject: annual - Raise HSTS max-age to 1 year and add always
..

annual - Raise HSTS max-age to 1 year and add always

I34d3b071 enabled HSTS with max-age=7 days. This patch also
adds the always flag.

Bug: T599
Bug: T40516
Change-Id: I33c370bc6a9b5572eeb69f6c106a63011e456f3b
---
M modules/annualreport/files/annual.wikimedia.org
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/84/206984/1

diff --git a/modules/annualreport/files/annual.wikimedia.org 
b/modules/annualreport/files/annual.wikimedia.org
index 19d030d..e3e5642 100644
--- a/modules/annualreport/files/annual.wikimedia.org
+++ b/modules/annualreport/files/annual.wikimedia.org
@@ -15,7 +15,7 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto
-Header set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 
 Directory /
 Order Deny,Allow

-- 
To view, visit https://gerrit.wikimedia.org/r/206984
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I33c370bc6a9b5572eeb69f6c106a63011e456f3b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] ishmael - Raise HSTS max-age to 1 year and add always - change (operations/puppet)

2015-04-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/206992

Change subject: ishmael - Raise HSTS max-age to 1 year and add always
..

ishmael - Raise HSTS max-age to 1 year and add always

I832e85fe enabled HSTS with max-age=7 days.

Bug: T40516
Change-Id: I0656409e2f73ac6e90440f67e4debe796a79a6e8
---
M modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/92/206992/1

diff --git a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb 
b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
index 78e3383..b9ed142 100644
--- a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
+++ b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
@@ -11,7 +11,7 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
-Header set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 
 Directory %= @docroot %
 Options FollowSymLinks

-- 
To view, visit https://gerrit.wikimedia.org/r/206992
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0656409e2f73ac6e90440f67e4debe796a79a6e8
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] doc - Raise HSTS max-age to 1 year - change (operations/puppet)

2015-04-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/206980

Change subject: doc - Raise HSTS max-age to 1 year
..

doc - Raise HSTS max-age to 1 year

If7a5670b enabled HSTS with max-age=7 days.

Bug: T40516
Change-Id: Ic67a34079aab4a8c763b1b05364b09f29f93b014
---
M modules/contint/templates/apache/doc.wikimedia.org.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/80/206980/1

diff --git a/modules/contint/templates/apache/doc.wikimedia.org.erb 
b/modules/contint/templates/apache/doc.wikimedia.org.erb
index 3233c92..ac2cb0f 100644
--- a/modules/contint/templates/apache/doc.wikimedia.org.erb
+++ b/modules/contint/templates/apache/doc.wikimedia.org.erb
@@ -30,7 +30,7 @@
 Header always merge Vary X-Forwarded-Proto
 
 # Enable HTTP Strict Transport Security
-Header always set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 
 DocumentRoot /srv/org/wikimedia/doc
 

-- 
To view, visit https://gerrit.wikimedia.org/r/206980
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic67a34079aab4a8c763b1b05364b09f29f93b014
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] donate - Raise HSTS max-age to 1 year - change (operations/puppet)

2015-04-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/206979

Change subject: donate - Raise HSTS max-age to 1 year
..

donate - Raise HSTS max-age to 1 year

If5c93760 enabled HSTS one week ago.

Bug: T40516
Change-Id: I1419a428e4079a05ee5b526bc05540405eb2ee08
---
M modules/mediawiki/files/apache/sites/main.conf
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/79/206979/1

diff --git a/modules/mediawiki/files/apache/sites/main.conf 
b/modules/mediawiki/files/apache/sites/main.conf
index 8765af2..a6fd708 100644
--- a/modules/mediawiki/files/apache/sites/main.conf
+++ b/modules/mediawiki/files/apache/sites/main.conf
@@ -325,7 +325,7 @@
 RewriteRule (.) https://donate.wikimedia.org%{REQUEST_URI} [R=301]
 
 # Enable HTTP Strict Transport Security (HSTS)
-Header always set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 
 RewriteRule ^/$ 
https://donate.wikimedia.org/wiki/Special:FundraiserRedirector [R=302,L]
 

-- 
To view, visit https://gerrit.wikimedia.org/r/206979
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1419a428e4079a05ee5b526bc05540405eb2ee08
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] servermon - Raise HSTS max-age to 1 year - change (operations/puppet)

2015-04-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/206982

Change subject: servermon - Raise HSTS max-age to 1 year
..

servermon - Raise HSTS max-age to 1 year

I9e2d7a00 enabled HSTS with max-age=7 days

Bug: T40516
Change-Id: I3969d41b12f215efe92587fb2b46074c97931ada
---
M templates/apache/sites/servermon.wikimedia.org.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/82/206982/1

diff --git a/templates/apache/sites/servermon.wikimedia.org.erb 
b/templates/apache/sites/servermon.wikimedia.org.erb
index 8548bbe..1cf03c0 100644
--- a/templates/apache/sites/servermon.wikimedia.org.erb
+++ b/templates/apache/sites/servermon.wikimedia.org.erb
@@ -11,7 +11,7 @@
 RewriteCond %{REQUEST_URI} !^/status$
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
-Header always set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 
 DocumentRoot /srv/nonexistent
 Directory /

-- 
To view, visit https://gerrit.wikimedia.org/r/206982
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3969d41b12f215efe92587fb2b46074c97931ada
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] iegreview - Raise HSTS max-age to 1 year - change (operations/puppet)

2015-04-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/206983

Change subject: iegreview - Raise HSTS max-age to 1 year
..

iegreview - Raise HSTS max-age to 1 year

Ie59668d1 enabled HSTS with max-age=7 days.

Bug: T40516
Change-Id: I2742bcd02e8ecb0e07bfe22e1f9b3fd792a04dbb
---
M modules/iegreview/templates/apache.conf.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/83/206983/1

diff --git a/modules/iegreview/templates/apache.conf.erb 
b/modules/iegreview/templates/apache.conf.erb
index e27a31a..4dfdc93 100644
--- a/modules/iegreview/templates/apache.conf.erb
+++ b/modules/iegreview/templates/apache.conf.erb
@@ -12,7 +12,7 @@
   RewriteCond %{HTTP:X-Forwarded-Proto} !https
   RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
   Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
-  Header set Strict-Transport-Security max-age=604800
+  Header set Strict-Transport-Security max-age=31536000
 %- end -%
 
   Directory /
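
Review bot: both the removed and the added line read `Header set`, so this vhost still lacks the `always` flag that the dbtree, annual and ishmael changes add in the same step. As the "Add always flag" change on this list states, without the flag the header is only set for 2xx responses, so error responses from this site carry no Strict-Transport-Security header. Suggest `Header always set Strict-Transport-Security max-age=31536000` here as well.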

-- 
To view, visit https://gerrit.wikimedia.org/r/206983
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2742bcd02e8ecb0e07bfe22e1f9b3fd792a04dbb
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] dbtree - Raise HSTS max-age to 1 year and add always flag - change (operations/puppet)

2015-04-06 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/202267

Change subject: dbtree - Raise HSTS max-age to 1 year and add always flag
..

dbtree - Raise HSTS max-age to 1 year and add always flag

I898aef75 enabled HSTS with a 7-day max-age.

Bug: T40516
Change-Id: Iaedc362df270468fcfa9c23d4b0f748dee5e502d
---
M modules/noc/templates/dbtree.wikimedia.org.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/67/202267/1

diff --git a/modules/noc/templates/dbtree.wikimedia.org.erb 
b/modules/noc/templates/dbtree.wikimedia.org.erb
index 05a6654..d209570 100644
--- a/modules/noc/templates/dbtree.wikimedia.org.erb
+++ b/modules/noc/templates/dbtree.wikimedia.org.erb
@@ -24,7 +24,7 @@
 RewriteCond %{REQUEST_URI} !^/status$
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
-Header set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=31536000
 
 Directory /
 Order Deny,Allow

-- 
To view, visit https://gerrit.wikimedia.org/r/202267
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iaedc362df270468fcfa9c23d4b0f748dee5e502d
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] transparency: make it HTTPS only and enable HSTS - change (operations/puppet)

2015-03-24 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199517

Change subject: transparency: make it HTTPS only and enable HSTS
..

transparency: make it HTTPS only and enable HSTS

Make https://transparency.wikimedia.org/ HTTPS only, and enable
HSTS with max-age=7 days. I also deleted the unused 404 code.

Bug: T40516
Change-Id: I14f5cf359c9754c3f7359827b34859aa41d5ac76
---
M manifests/role/transparency.pp
M templates/apache/sites/transparency.wikimedia.org.erb
2 files changed, 6 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/17/199517/1

diff --git a/manifests/role/transparency.pp b/manifests/role/transparency.pp
index 77dd7f3..9b177b9 100644
--- a/manifests/role/transparency.pp
+++ b/manifests/role/transparency.pp
@@ -6,6 +6,7 @@
 class role::transparency {
 include ::apache
 include ::apache::mod::rewrite
+include ::apache::mod::headers
 
 $repo_dir = '/srv/org/wikimedia/TransparencyReport'
 $docroot  = ${repo_dir}/build
diff --git a/templates/apache/sites/transparency.wikimedia.org.erb 
b/templates/apache/sites/transparency.wikimedia.org.erb
index 82f9393..44abf7c 100644
--- a/templates/apache/sites/transparency.wikimedia.org.erb
+++ b/templates/apache/sites/transparency.wikimedia.org.erb
@@ -1,5 +1,5 @@
 # vim:ft=apache: ts=4 sw=4
-# Apache configuration for http://transparency.wikimedia.org
+# Apache configuration for https://transparency.wikimedia.org
 # This file is managed by Puppet.
 VirtualHost *:80
 ServerName transparency.wikimedia.org
@@ -15,10 +15,9 @@
 allow from all
 /Directory
 
-# Serve 404s for all requests until the launch, at 2014-Aug-06 08:30 UTC.
-# This code can be removed any time after that. --OL
 RewriteEngine on
-RewriteCond %{ENV:REDIRECT_STATUS} !=404
-RewriteCond %{TIME} %= Time.utc(2014, 'Aug', 6, 8, 
30).strftime('%Y%m%d%H%M%S') %
-RewriteRule .* - [L,R=404]
+RewriteCond %{HTTP:X-Forwarded-Proto} !https
+RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
+Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+Header always set Strict-Transport-Security max-age=604800
 /VirtualHost
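
Review bot: the added `Header always set Strict-Transport-Security max-age=604800` has no condition, and this is a `VirtualHost *:80` that tells HTTPS apart only by `X-Forwarded-Proto`, so the header also goes out on the plain-HTTP 301. RFC 6797 section 7.2 says a host must not send the field over non-secure transport, and browsers ignore it there. The Vary line above already uses `env=ProtoRedirect`; adding `env=!ProtoRedirect` to the HSTS line would limit it to requests that arrived over HTTPS.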

-- 
To view, visit https://gerrit.wikimedia.org/r/199517
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I14f5cf359c9754c3f7359827b34859aa41d5ac76
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] noc - redirect HTTP to HTTPS; enable HSTS 7 days - change (operations/puppet)

2015-03-24 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199515

Change subject: noc - redirect HTTP to HTTPS; enable HSTS 7 days
..

noc - redirect HTTP to HTTPS; enable HSTS 7 days

Make https://noc.wikimedia.org HTTPS only, and enable HSTS
with max-age=7 days.

Change-Id: Ie3706dd85c6f796f8ff55c3ea95461c963cc2f26
---
M modules/noc/templates/noc.wikimedia.org.erb
1 file changed, 5 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/15/199515/1

diff --git a/modules/noc/templates/noc.wikimedia.org.erb 
b/modules/noc/templates/noc.wikimedia.org.erb
index a2abe28..5120070 100644
--- a/modules/noc/templates/noc.wikimedia.org.erb
+++ b/modules/noc/templates/noc.wikimedia.org.erb
@@ -15,6 +15,11 @@
 RewriteRule   ^/~(.+) https://people.wikimedia.org/~$1  [R=301,L]
 RewriteRule   ^/dbtree(.*)$ https://dbtree.wikimedia.org [R=301,L]
 
+RewriteCond %{HTTP:X-Forwarded-Proto} !https
+RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
+Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+Header always set Strict-Transport-Security max-age=604800
+
 ErrorLog /var/log/apache2/error.log
 
 # Possible values include: debug, info, notice, warn, error, crit,
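
Review bot: the two added `Header` directives depend on mod_headers, but this change touches only the template (1 file changed). The transparency change on this list added `include ::apache::mod::headers` to its role for the same directives; please confirm the noc role already loads the module, since Apache rejects a configuration containing an unknown `Header` directive. Separately, the commit message has no Bug: line, unlike the sibling HSTS changes that cite T40516.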

-- 
To view, visit https://gerrit.wikimedia.org/r/199515
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie3706dd85c6f796f8ff55c3ea95461c963cc2f26
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] donate - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-24 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199200

Change subject: donate - Enable HSTS max-age=7 days
..

donate - Enable HSTS max-age=7 days

https://donate.wikimedia.org is HTTPS only.

Bug: T40516
Change-Id: If5c937602ad3ed8e5bed06b875ce994c0b4848f2
---
M modules/mediawiki/files/apache/sites/main.conf
1 file changed, 3 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/00/199200/1

diff --git a/modules/mediawiki/files/apache/sites/main.conf 
b/modules/mediawiki/files/apache/sites/main.conf
index df1f752..6d13608 100644
--- a/modules/mediawiki/files/apache/sites/main.conf
+++ b/modules/mediawiki/files/apache/sites/main.conf
@@ -324,6 +324,9 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule (.) https://donate.wikimedia.org%{REQUEST_URI} [R=301]
 
+# Enable HTTP Strict Transport Security (HSTS)
+Header set Strict-Transport-Security max-age=604800
+
 RewriteRule ^/$ 
https://donate.wikimedia.org/wiki/Special:FundraiserRedirector [R=302,L]
 
 # Don't allow rewriting robots.txt
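
Review bot: the added line is `Header set` without `always`, and the rule directly below it answers `/` with a 302 to Special:FundraiserRedirector. As the "Add always flag" change on this list states, without the flag the header is only set for 2xx responses, so a first visit to the site root receives the redirect with no HSTS policy attached. Suggest `Header always set Strict-Transport-Security max-age=604800`.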

-- 
To view, visit https://gerrit.wikimedia.org/r/199200
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If5c937602ad3ed8e5bed06b875ce994c0b4848f2
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Add always flag when add HSTS header in Apache - change (operations/puppet)

2015-03-24 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199319

Change subject: Add always flag when add HSTS header in Apache
..

Add always flag when add HSTS header in Apache

Without the always flag, HSTS headers are only set for 2xx
responses.

'Always' in this context refers to whether headers you add
will be sent during both a successful and unsuccessful response
https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header

Change-Id: I5189b9f208e1dda7e7844171df1e7a87d5e5a03b
---
M modules/devportal/templates/dev.wikimedia.org.erb
M modules/phabricator/templates/phabricator-default.conf.erb
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
M templates/apache/sites/servermon.wikimedia.org.erb
4 files changed, 4 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/19/199319/1

diff --git a/modules/devportal/templates/dev.wikimedia.org.erb 
b/modules/devportal/templates/dev.wikimedia.org.erb
index ead8d9f..ea26f43 100644
--- a/modules/devportal/templates/dev.wikimedia.org.erb
+++ b/modules/devportal/templates/dev.wikimedia.org.erb
@@ -15,7 +15,7 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto
-Header set Strict-Transport-Security max-age=31536000
+Header always set Strict-Transport-Security max-age=31536000
 
 Directory /
 Order Deny,Allow
diff --git a/modules/phabricator/templates/phabricator-default.conf.erb 
b/modules/phabricator/templates/phabricator-default.conf.erb
index 87d5375..be1197e 100644
--- a/modules/phabricator/templates/phabricator-default.conf.erb
+++ b/modules/phabricator/templates/phabricator-default.conf.erb
@@ -17,7 +17,7 @@
   Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
 
   # enable HTTP Strict Transport Security
-  Header set Strict-Transport-Security max-age=31536000
+  Header always set Strict-Transport-Security max-age=31536000
 
   Directory %= @docroot %
 Options Indexes FollowSymLinks MultiViews
diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 3a7ca11..fbd9346 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -117,7 +117,7 @@
   output.push('SSLHonorCipherOrder On')
   unless hsts_days.nil?
 hsts_seconds = hsts_days * 86400
-output.push(Header set Strict-Transport-Security 
\max-age=#{hsts_seconds}\)
+output.push(Header always set Strict-Transport-Security 
\max-age=#{hsts_seconds}\)
   end
 else
   # nginx
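
Review bot: only the Apache branch is changed; the `# nginx` branch that begins in the trailing context is left as it was. If that branch emits `add_header`, it has the same gap: nginx attaches the header only to a fixed set of success and redirect status codes unless the `always` parameter is given, which needs nginx 1.7.5 or later. Worth handling in this change or recording as a follow-up.
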
diff --git a/templates/apache/sites/servermon.wikimedia.org.erb 
b/templates/apache/sites/servermon.wikimedia.org.erb
index 35e1905..ab45e58 100644
--- a/templates/apache/sites/servermon.wikimedia.org.erb
+++ b/templates/apache/sites/servermon.wikimedia.org.erb
@@ -11,7 +11,7 @@
 RewriteCond %{REQUEST_URI} !^/status$
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
-Header set Strict-Transport-Security max-age=604800
+Header always set Strict-Transport-Security max-age=604800
 
 DocumentRoot /srv/nonexistent
 Directory /

-- 
To view, visit https://gerrit.wikimedia.org/r/199319
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5189b9f208e1dda7e7844171df1e7a87d5e5a03b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] doc - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-23 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/198819

Change subject: doc - Enable HSTS max-age=7 days
..

doc - Enable HSTS max-age=7 days

https://doc.wikimedia.org is HTTPS only.

Bug: T40516
Change-Id: If7a5670bfd0e7eb01a4d0136e7c5b948f0592826
---
M modules/contint/templates/apache/doc.wikimedia.org.erb
1 file changed, 3 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/19/198819/1

diff --git a/modules/contint/templates/apache/doc.wikimedia.org.erb 
b/modules/contint/templates/apache/doc.wikimedia.org.erb
index 11666ee..8fef0e3 100644
--- a/modules/contint/templates/apache/doc.wikimedia.org.erb
+++ b/modules/contint/templates/apache/doc.wikimedia.org.erb
@@ -29,6 +29,9 @@
 
 Header always merge Vary X-Forwarded-Proto
 
+# Enable HTTP Strict Transport Security
+Header set Strict-Transport-Security max-age=604800
+
 DocumentRoot /srv/org/wikimedia/doc
 
 # Favicon proxy
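
Review bot: the added `Header set` line omits the `always` condition that the `Header always merge Vary` line just above it uses, so the HSTS header is attached to successful responses but not to error responses Apache generates itself. `Header always set Strict-Transport-Security max-age=604800` would cover those as well.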

-- 
To view, visit https://gerrit.wikimedia.org/r/198819
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If7a5670bfd0e7eb01a4d0136e7c5b948f0592826
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] scholarships - Increase HSTS max-age to 1 year - change (operations/puppet)

2015-03-23 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199126

Change subject: scholarships - Increase HSTS max-age to 1 year
..

scholarships - Increase HSTS max-age to 1 year

The current HSTS max-age for https://scholarships.wikimedia.org
is 7 days.

Bug: T40516
Change-Id: Ibfbf321533f7c030e7aea75a9e48234f4fb17c3e
---
M modules/wikimania_scholarships/templates/apache.conf.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/26/199126/1

diff --git a/modules/wikimania_scholarships/templates/apache.conf.erb 
b/modules/wikimania_scholarships/templates/apache.conf.erb
index 612fd8d..3cbacc9 100644
--- a/modules/wikimania_scholarships/templates/apache.conf.erb
+++ b/modules/wikimania_scholarships/templates/apache.conf.erb
@@ -11,7 +11,7 @@
   RewriteCond %{REQUEST_URI} !^/status$
   RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
   Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
-  Header set Strict-Transport-Security max-age=604800
+  Header set Strict-Transport-Security max-age=31536000
 
   DocumentRoot %= @deploy_dir %/public
 

-- 
To view, visit https://gerrit.wikimedia.org/r/199126
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibfbf321533f7c030e7aea75a9e48234f4fb17c3e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] servermon - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-23 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199134

Change subject: servermon - Enable HSTS max-age=7 days
..

servermon - Enable HSTS max-age=7 days

https://servermon.wikimedia.org is HTTPS only.

Bug: T40516
Change-Id: I9e2d7a00d76991805ddc456c1a3d6a4874615ca2
---
M templates/apache/sites/servermon.wikimedia.org.erb
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/34/199134/1

diff --git a/templates/apache/sites/servermon.wikimedia.org.erb 
b/templates/apache/sites/servermon.wikimedia.org.erb
index 12b3ae6..35e1905 100644
--- a/templates/apache/sites/servermon.wikimedia.org.erb
+++ b/templates/apache/sites/servermon.wikimedia.org.erb
@@ -11,6 +11,7 @@
 RewriteCond %{REQUEST_URI} !^/status$
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+Header set Strict-Transport-Security max-age=604800
 
 DocumentRoot /srv/nonexistent
 Directory /

-- 
To view, visit https://gerrit.wikimedia.org/r/199134
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9e2d7a00d76991805ddc456c1a3d6a4874615ca2
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] dbtree - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-23 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199139

Change subject: dbtree - Enable HSTS max-age=7 days
..

dbtree - Enable HSTS max-age=7 days

https://dbtree.wikimedia.org is HTTPS only.

Bug: T40516
Change-Id: I898aef758979748aabd75e956be40924d8e1a851
---
M modules/noc/templates/dbtree.wikimedia.org.erb
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/39/199139/1

diff --git a/modules/noc/templates/dbtree.wikimedia.org.erb 
b/modules/noc/templates/dbtree.wikimedia.org.erb
index 7a472cb..05a6654 100644
--- a/modules/noc/templates/dbtree.wikimedia.org.erb
+++ b/modules/noc/templates/dbtree.wikimedia.org.erb
@@ -24,6 +24,7 @@
 RewriteCond %{REQUEST_URI} !^/status$
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+Header set Strict-Transport-Security max-age=604800
 
 Directory /
 Order Deny,Allow

-- 
To view, visit https://gerrit.wikimedia.org/r/199139
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I898aef758979748aabd75e956be40924d8e1a851
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] iegreview - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-23 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199142

Change subject: iegreview - Enable HSTS max-age=7 days
..

iegreview - Enable HSTS max-age=7 days

https://iegreview.wikimedia.org is HTTPS only.

Bug: T40516
Change-Id: Ie59668d1246e862a84d20d7e9926c5ef5d548291
---
M modules/iegreview/templates/apache.conf.erb
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/42/199142/1

diff --git a/modules/iegreview/templates/apache.conf.erb 
b/modules/iegreview/templates/apache.conf.erb
index 711631e..e27a31a 100644
--- a/modules/iegreview/templates/apache.conf.erb
+++ b/modules/iegreview/templates/apache.conf.erb
@@ -12,6 +12,7 @@
   RewriteCond %{HTTP:X-Forwarded-Proto} !https
   RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
   Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+  Header set Strict-Transport-Security max-age=604800
 %- end -%
 
   Directory /
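
Review bot: the new header line lands above `%- end -%`, inside the template conditional that wraps the redirect rules, so HSTS is emitted only when that condition is true. If that branch is the HTTPS-only toggle this is consistent, but a short comment next to the header would make the dependency explicit.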

-- 
To view, visit https://gerrit.wikimedia.org/r/199142
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie59668d1246e862a84d20d7e9926c5ef5d548291
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] annual - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-23 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/199087

Change subject: annual - Enable HSTS max-age=7 days
..

annual - Enable HSTS max-age=7 days

https://annual.wikimedia.org is HTTPS only.

Bug: T599
Bug: T40516
Change-Id: I34d3b0719f09991c7c55de025046462bfeee483f
---
M modules/annualreport/files/annual.wikimedia.org
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/87/199087/1

diff --git a/modules/annualreport/files/annual.wikimedia.org 
b/modules/annualreport/files/annual.wikimedia.org
index 33d3b50..19d030d 100644
--- a/modules/annualreport/files/annual.wikimedia.org
+++ b/modules/annualreport/files/annual.wikimedia.org
@@ -15,6 +15,7 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto
+Header set Strict-Transport-Security max-age=604800
 
 Directory /
 Order Deny,Allow

-- 
To view, visit https://gerrit.wikimedia.org/r/199087
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I34d3b0719f09991c7c55de025046462bfeee483f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] RT - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-20 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/198455

Change subject: RT - Enable HSTS max-age=7 days
..

RT - Enable HSTS max-age=7 days

https://rt.wikimedia.org/ is HTTPS only.

Change-Id: I0d4d0afe4033a7583a5f8a8042c5a0c28bf84eed
---
M manifests/role/requesttracker.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/55/198455/1

diff --git a/manifests/role/requesttracker.pp b/manifests/role/requesttracker.pp
index 48036ae..aa77fa2 100644
--- a/manifests/role/requesttracker.pp
+++ b/manifests/role/requesttracker.pp
@@ -6,7 +6,7 @@
 
 install_certificate { 'rt.wikimedia.org': }
 
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7')
 
 class { '::requesttracker':
 apache_site   = 'rt.wikimedia.org',
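
Review bot: the new third argument to `ssl_ciphersuite` is passed as the quoted string `'7'`. The function computes `hsts_seconds = hsts_days * 86400`, and in Ruby a string multiplied by an integer is repeated rather than scaled, so confirm the function converts the argument to an integer before that line, or pass a bare `7`.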

-- 
To view, visit https://gerrit.wikimedia.org/r/198455
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0d4d0afe4033a7583a5f8a8042c5a0c28bf84eed
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] ishmael - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-20 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/198457

Change subject: ishmael - Enable HSTS max-age=7 days
..

ishmael - Enable HSTS max-age=7 days

https://ishmael.wikimedia.org is HTTPS only.

Bug: T40516
Change-Id: I832e85fe0b94c3fb610785e71d7a96144833ac7f
---
M modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/57/198457/1

diff --git a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb 
b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
index 60b5ed3..78e3383 100644
--- a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
+++ b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
@@ -11,6 +11,7 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+Header set Strict-Transport-Security max-age=604800
 
 Directory %= @docroot %
 Options FollowSymLinks

-- 
To view, visit https://gerrit.wikimedia.org/r/198457
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I832e85fe0b94c3fb610785e71d7a96144833ac7f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] integration - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-20 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/198458

Change subject: integration - Enable HSTS max-age=7 days
..

integration - Enable HSTS max-age=7 days

https://integration.wikimedia.org is HTTPS only.

Bug: T40516
Change-Id: I09341edb1ad33556acccfb9bfa747308b273aa2c
---
M modules/contint/templates/apache/integration.wikimedia.org.erb
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/58/198458/1

diff --git a/modules/contint/templates/apache/integration.wikimedia.org.erb 
b/modules/contint/templates/apache/integration.wikimedia.org.erb
index 3f52e57..4496d52 100644
--- a/modules/contint/templates/apache/integration.wikimedia.org.erb
+++ b/modules/contint/templates/apache/integration.wikimedia.org.erb
@@ -20,6 +20,7 @@
 RewriteRule (.) https://integration.wikimedia.org%{REQUEST_URI} [R=301]
 
 Header always merge Vary X-Forwarded-Proto
+Header set Strict-Transport-Security max-age=604800
 
 Include *_proxy
 

-- 
To view, visit https://gerrit.wikimedia.org/r/198458
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I09341edb1ad33556acccfb9bfa747308b273aa2c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] gdash - Enable HSTS max-age=7 days - change (operations/puppet)

2015-03-20 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/198469

Change subject: gdash - Enable HSTS max-age=7 days
..

gdash - Enable HSTS max-age=7 days

I29515ddd redirects http://gdash.wikimedia.org to
https://gdash.wikimedia.org. So enable HSTS on this
domain.

Bug: T40516
Change-Id: Ibcc91ae7ed79900cc59cfb04b9c20f5f4f8e9789
---
M templates/apache/sites/gdash.wikimedia.org.erb
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/69/198469/1

diff --git a/templates/apache/sites/gdash.wikimedia.org.erb 
b/templates/apache/sites/gdash.wikimedia.org.erb
index 1468928..6daf441 100644
--- a/templates/apache/sites/gdash.wikimedia.org.erb
+++ b/templates/apache/sites/gdash.wikimedia.org.erb
@@ -9,6 +9,7 @@
 RewriteCond %{REQUEST_URI} !^/status$
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+Header set Strict-Transport-Security max-age=604800
 
 Location /
 SetHandler uwsgi-handler

-- 
To view, visit https://gerrit.wikimedia.org/r/198469
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibcc91ae7ed79900cc59cfb04b9c20f5f4f8e9789
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] dev.wm.org - Increase HSTS max-age to 1 year - change (operations/puppet)

2015-03-16 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/197272

Change subject: dev.wm.org - Increase HSTS max-age to 1 year
..

dev.wm.org - Increase HSTS max-age to 1 year

It has been one week after I3c5a250f was merged, so if there
is nothing wrong, let's increase the HSTS max-age to 1 year,
i.e. 31536000 seconds.

Change-Id: I2b5f9d979c52bf458686967c20d31971ba1c1308
---
M modules/devportal/templates/dev.wikimedia.org.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/72/197272/1

diff --git a/modules/devportal/templates/dev.wikimedia.org.erb 
b/modules/devportal/templates/dev.wikimedia.org.erb
index 106293c..ead8d9f 100644
--- a/modules/devportal/templates/dev.wikimedia.org.erb
+++ b/modules/devportal/templates/dev.wikimedia.org.erb
@@ -15,7 +15,7 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto
-Header set Strict-Transport-Security max-age=604800
+Header set Strict-Transport-Security max-age=31536000
 
 Directory /
 Order Deny,Allow
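
Review bot: the move to `max-age=31536000` is missing a rollback note. Browsers that cache this value refuse plain HTTP for the host for a year, and the only way back is to serve `max-age=0` over working HTTPS, so record that in the commit message or in a comment above the header line.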

-- 
To view, visit https://gerrit.wikimedia.org/r/197272
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2b5f9d979c52bf458686967c20d31971ba1c1308
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Enable HSTS on racktables with max-age=7days - change (operations/puppet)

2015-03-09 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/195444

Change subject: Enable HSTS on racktables with max-age=7days
..

Enable HSTS on racktables with max-age=7days

https://racktables.wikimedia.org is HTTPS only,
so let's enable HSTS.

Bug: T40516
Change-Id: I62dc0268105b371bbcb256bb44bfbe029f86185c
---
M modules/racktables/templates/racktables.wikimedia.org.erb
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/44/195444/1

diff --git a/modules/racktables/templates/racktables.wikimedia.org.erb 
b/modules/racktables/templates/racktables.wikimedia.org.erb
index 757bf6b..dfe506e 100644
--- a/modules/racktables/templates/racktables.wikimedia.org.erb
+++ b/modules/racktables/templates/racktables.wikimedia.org.erb
@@ -13,6 +13,7 @@
 RewriteCond %{REQUEST_URI} !^/status$
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+Header set Strict-Transport-Security max-age=604800
 
 DocumentRoot /srv/org/wikimedia/racktables/wwwroot
 Directory /

-- 
To view, visit https://gerrit.wikimedia.org/r/195444
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I62dc0268105b371bbcb256bb44bfbe029f86185c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Enable HSTS on tendril with max-age=7days - change (operations/puppet)

2015-03-09 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/195346

Change subject: Enable HSTS on tendril with max-age=7days
..

Enable HSTS on tendril with max-age=7days

https://tendril.wikimedia.org is HTTPS only,
so let's enable HSTS on tendril.

Bug: T40516

Change-Id: If4f89e34e2a7dd2b4141194e675a085c73d8de66
---
M manifests/role/tendril.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/46/195346/1

diff --git a/manifests/role/tendril.pp b/manifests/role/tendril.pp
index a6d..8c9886d 100644
--- a/manifests/role/tendril.pp
+++ b/manifests/role/tendril.pp
@@ -6,7 +6,7 @@
 system::role { 'role::tendril': description = 'tendril server' }
 
 install_certificate{ 'tendril.wikimedia.org': }
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7')
 
 class { '::tendril':
 site_name= 'tendril.wikimedia.org',

-- 
To view, visit https://gerrit.wikimedia.org/r/195346
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If4f89e34e2a7dd2b4141194e675a085c73d8de66
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Enable HSTS on dev.wm.org max-age=7 days - change (operations/puppet)

2015-03-09 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/195338

Change subject: Enable HSTS on dev.wm.org max-age=7 days
..

Enable HSTS on dev.wm.org max-age=7 days

Bug: T40516
Bug: T67074
Change-Id: I3c5a250f34b24b07269b658106c86a9eba60c494
---
M modules/devportal/templates/dev.wikimedia.org.erb
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/38/195338/1

diff --git a/modules/devportal/templates/dev.wikimedia.org.erb 
b/modules/devportal/templates/dev.wikimedia.org.erb
index 8e06760..106293c 100644
--- a/modules/devportal/templates/dev.wikimedia.org.erb
+++ b/modules/devportal/templates/dev.wikimedia.org.erb
@@ -15,6 +15,7 @@
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto
+Header set Strict-Transport-Security max-age=604800
 
 Directory /
 Order Deny,Allow

-- 
To view, visit https://gerrit.wikimedia.org/r/195338
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3c5a250f34b24b07269b658106c86a9eba60c494
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Add zh-Hans-CN, zh-Hant-HK, etc to variantfallbacks - change (mediawiki/core)

2015-02-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/193549

Change subject: Add zh-Hans-CN, zh-Hant-HK, etc to variantfallbacks
..

Add zh-Hans-CN, zh-Hant-HK, etc to variantfallbacks

Change-Id: I7e5ef1cfc6cb9896b8aaa999639eafb8188e76d9
---
M languages/classes/LanguageZh.php
1 file changed, 6 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/49/193549/1

diff --git a/languages/classes/LanguageZh.php b/languages/classes/LanguageZh.php
index 4271ed3..4eef3c6 100644
--- a/languages/classes/LanguageZh.php
+++ b/languages/classes/LanguageZh.php
@@ -134,7 +134,13 @@
$variantfallbacks = array(
'zh' = array( 'zh-hans', 'zh-hant', 'zh-cn', 'zh-tw', 
'zh-hk', 'zh-sg', 'zh-mo', 'zh-my' ),
'zh-hans' = array( 'zh-cn', 'zh-sg', 'zh-my' ),
+   'zh-hans-cn' = array( 'zh-cn', 'zh-hans', 'zh-sg', 
'zh-my'),
+   'zh-hans-sg' = array( 'zh-sg', 'zh-hans', 'zh-cn', 
'zh-my'),
+   'zh-hans-my' = array( 'zh-my', 'zh-hans', 'zh-sg', 
'zh-cn'),
'zh-hant' = array( 'zh-tw', 'zh-hk', 'zh-mo' ),
+   'zh-hant-hk' = array( 'zh-hk', 'zh-hant', 'zh-mo', 
'zh-tw' ),
+   'zh-hant-mo' = array( 'zh-mo', 'zh-hant', 'zh-hk', 
'zh-tw' ),
+   'zh-hant-tw' = array( 'zh-tw', 'zh-hant', 'zh-hk', 
'zh-mo' ),
'zh-cn' = array( 'zh-hans', 'zh-sg', 'zh-my' ),
'zh-sg' = array( 'zh-hans', 'zh-cn', 'zh-my' ),
'zh-my' = array( 'zh-hans', 'zh-sg', 'zh-cn' ),
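
Review bot: the three `zh-hans-*` entries close with `'zh-my')` or `'zh-cn')`, without the space before the parenthesis that the `zh-hant-*` entries and the surrounding lines use (`'zh-tw' )`); align the spacing. The keys are lower case here while the commit subject writes `zh-Hans-CN`, so a one-line comment on whether lookups are case-normalized would help.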

-- 
To view, visit https://gerrit.wikimedia.org/r/193549
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7e5ef1cfc6cb9896b8aaa999639eafb8188e76d9
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] lists - disable SSLv3 - change (operations/puppet)

2014-10-29 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/169978

Change subject: lists - disable SSLv3
..

lists - disable SSLv3

This will not disable SSLv3 on lists.wikimedia.org for now, because
we are using lighttpd/1.4.26, but disabling SSLv3 was not supported
until 1.4.29. (http://www.lighttpd.net/2011/7/3/1-4-29/)

Nevertheless, I think it's a good idea to update the configuration,
so that when we update the server, it will take effect immediately.

Change-Id: I56282aa31b26f69350cf1743c5b46de3715e98a8
---
M files/lighttpd/50-mailman.conf
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/78/169978/1

diff --git a/files/lighttpd/50-mailman.conf b/files/lighttpd/50-mailman.conf
index 04785fa..64d4bf8 100644
--- a/files/lighttpd/50-mailman.conf
+++ b/files/lighttpd/50-mailman.conf
@@ -38,6 +38,7 @@
ssl.pemfile = /etc/ssl/private/lists.wikimedia.org.pem
ssl.ca-file = /etc/ssl/certs/RapidSSL_CA.pem
# TODO: with 1.4.30, set cipher lists, disable client renegotiation
+   ssl.use-sslv3 = disable
 
url.redirect = (
^/(index\.html?)?$ = 
https://lists.wikimedia.org/mailman/listinfo;,
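
Review bot: `ssl.use-sslv3` is added for a lighttpd release (1.4.26, per the commit message) that does not know the option, so confirm on a test host that this version only ignores or warns about the unknown key and still starts. The `# TODO: with 1.4.30` comment directly above it is a good place to record that the new line takes effect from 1.4.29.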

-- 
To view, visit https://gerrit.wikimedia.org/r/169978
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I56282aa31b26f69350cf1743c5b46de3715e98a8
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Wikitech - disable SSL3 - change (operations/puppet)

2014-10-17 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/167169

Change subject: Wikitech - disable SSL3
..

Wikitech - disable SSL3

Change-Id: I2a968d75cffacacc0d5ca14cfbb0f837e1b41745
---
M manifests/role/nova.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/69/167169/1

diff --git a/manifests/role/nova.pp b/manifests/role/nova.pp
index df6fbaa..d167c75 100644
--- a/manifests/role/nova.pp
+++ b/manifests/role/nova.pp
@@ -194,7 +194,7 @@
 ca = $ca
 }
 
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compatnossl', '365')
 
 class { 'openstack::openstack-manager':
 openstack_version = $openstack_version,

-- 
To view, visit https://gerrit.wikimedia.org/r/167169
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2a968d75cffacacc0d5ca14cfbb0f837e1b41745
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] OTRS - disable SSL3 - change (operations/puppet)

2014-10-17 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/167170

Change subject: OTRS - disable SSL3
..

OTRS - disable SSL3

Disable SSLv3 on https://ticket.wikimedia.org

Change-Id: I1f0e8703bb8c092521b7a0e50fe5c90f9b99e5f7
---
M manifests/role/nova.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/70/167170/1

diff --git a/manifests/role/nova.pp b/manifests/role/nova.pp
index df6fbaa..d167c75 100644
--- a/manifests/role/nova.pp
+++ b/manifests/role/nova.pp
@@ -194,7 +194,7 @@
 ca = $ca
 }
 
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compatnossl', '365')
 
 class { 'openstack::openstack-manager':
 openstack_version = $openstack_version,
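
Review bot: the commit message targets OTRS (https://ticket.wikimedia.org), but the only file touched is `manifests/role/nova.pp`, with the same blob ids (`df6fbaa..d167c75`) and the same `openstack::openstack-manager` context as the Wikitech change. This looks like the Wikitech edit uploaded again; the `ssl_ciphersuite` call in the OTRS role is the one that needs `'compatnossl'`.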

-- 
To view, visit https://gerrit.wikimedia.org/r/167170
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1f0e8703bb8c092521b7a0e50fe5c90f9b99e5f7
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] RT - Disable SSL3 - change (operations/puppet)

2014-10-17 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/167171

Change subject: RT - Disable SSL3
..

RT - Disable SSL3

Change-Id: I52a0b68276cb5adeb68f72b002e0c7434a3bb19d
---
M manifests/role/rt.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/71/167171/1

diff --git a/manifests/role/rt.pp b/manifests/role/rt.pp
index 5bfd387..3031484 100644
--- a/manifests/role/rt.pp
+++ b/manifests/role/rt.pp
@@ -6,7 +6,7 @@
 
 install_certificate { 'rt.wikimedia.org': }
 
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compatnossl')
 
 class { 'misc::rt':
 site   = 'rt.wikimedia.org',

-- 
To view, visit https://gerrit.wikimedia.org/r/167171
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I52a0b68276cb5adeb68f72b002e0c7434a3bb19d
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] tendril - Disable SSL3 - change (operations/puppet)

2014-10-17 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/167172

Change subject: tendril - Disable SSL3
..

tendril - Disable SSL3

This site works only in browsers with SNI support.

Change-Id: Id6f5df022ab4ece8748af2fff92b8ff88b8f3344
---
M manifests/role/tendril.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/72/167172/1

diff --git a/manifests/role/tendril.pp b/manifests/role/tendril.pp
index 51572c6..53b5c27 100644
--- a/manifests/role/tendril.pp
+++ b/manifests/role/tendril.pp
@@ -6,7 +6,7 @@
 system::role { 'role::tendril': description = 'tendril server' }
 
 install_certificate{ 'tendril.wikimedia.org': }
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compatnossl')
 
 class { '::tendril':
 site_name = 'tendril.wikimedia.org',
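Review bot: The commit message's only sentence, about SNI, does not say how it relates to the 'compat' to 'compatnossl' change on the $ssl_settings line. If the reasoning is that SNI is a TLS extension, so every browser that can already reach this site negotiates TLS and none depends on SSLv3, state that in the message so the compatibility impact is on record.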

-- 
To view, visit https://gerrit.wikimedia.org/r/167172
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id6f5df022ab4ece8748af2fff92b8ff88b8f3344
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] phabricator - raise HSTS max-age to 1 year - change (operations/puppet)

2014-10-05 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/164897

Change subject: phabricator - raise HSTS max-age to 1 year
..

phabricator - raise HSTS max-age to 1 year

Ide46c131 enabled HSTS one week ago with max-age
of 7 days. If nothing unexpected has happened,
we can now raise the max-age to 1 year.

Bug: 38516
Change-Id: Ic07decaac2b4371c58f9c78401692b85c071d9ee
---
M modules/phabricator/templates/phabricator-default.conf.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/97/164897/1

diff --git a/modules/phabricator/templates/phabricator-default.conf.erb 
b/modules/phabricator/templates/phabricator-default.conf.erb
index b67a39f..608ad34 100644
--- a/modules/phabricator/templates/phabricator-default.conf.erb
+++ b/modules/phabricator/templates/phabricator-default.conf.erb
@@ -23,7 +23,7 @@
   Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
 
   # enable HTTP Strict Transport Security
-  Header set Strict-Transport-Security max-age=604800
+  Header set Strict-Transport-Security max-age=31536000
 
 %# Apache 2.4 and Newer %
 % if @lsbdistcodename == 'trusty'%
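Review bot: The new max-age=31536000 on the Header set line is a bare literal in this template, while the gerrit and wikitech changes on this list express the HSTS lifetime in days through ssl_ciphersuite(), for example ssl_ciphersuite('apache-2.2', 'compat', '365'). At minimum extend the comment above it to say the value is one year, so the same policy is not recorded in two unrelated forms with no hint that they match.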

-- 
To view, visit https://gerrit.wikimedia.org/r/164897
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic07decaac2b4371c58f9c78401692b85c071d9ee
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] phabricator - enable HSTS with max-age 7 days - change (operations/puppet)

2014-09-24 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/162805

Change subject: phabricator - enable HSTS with max-age 7 days
..

phabricator - enable HSTS with max-age 7 days

I4d207a4d makes phabricator HTTPS only. This patch
enables HTTP Strict Transport Security with a max-age
of 7 days, just like what we did on Bugzilla and on
Gerrit (I2b9e4536, I37924865). We will increase the
max-age to 1 year, one week after this patch is merged.

Change-Id: Ide46c1312a7bb9e9ebd2319da10185808bf41de0
---
M modules/phabricator/templates/phabricator-default.conf.erb
1 file changed, 3 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/05/162805/1

diff --git a/modules/phabricator/templates/phabricator-default.conf.erb 
b/modules/phabricator/templates/phabricator-default.conf.erb
index de3e9e3..b67a39f 100644
--- a/modules/phabricator/templates/phabricator-default.conf.erb
+++ b/modules/phabricator/templates/phabricator-default.conf.erb
@@ -22,6 +22,9 @@
   RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect,L]
   Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
 
+  # enable HTTP Strict Transport Security
+  Header set Strict-Transport-Security max-age=604800
+
 %# Apache 2.4 and Newer %
 % if @lsbdistcodename == 'trusty'%
   Directory %= @docroot %
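Review bot: The added Header set Strict-Transport-Security line has no "always" condition, unlike the Header always merge Vary line just above it. Without "always", mod_headers applies the header only to successful responses, so redirects and error pages served over HTTPS go out without it. Header always set Strict-Transport-Security with the same value would cover them.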

-- 
To view, visit https://gerrit.wikimedia.org/r/162805
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ide46c1312a7bb9e9ebd2319da10185808bf41de0
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] lists.wm.org - raise HSTS max-age to 1 year - change (operations/puppet)

2014-09-17 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/161177

Change subject: lists.wm.org - raise HSTS max-age to 1 year
..

lists.wm.org - raise HSTS max-age to 1 year

Patch I53f27e7d enabled HTTP Strict Transport Security
and set its max-age to 7 days. This patch raises the
max-age to 1 year (365 days).

Still, I don't believe an increased HSTS max-age could
cause any problems in the server's functionality, as
long as we keep supporting HTTPS. A related discussion
is on Ic3062981.

Bug: 38516
Change-Id: I45ac77e1e0bc2dda6e17f577ea9b9927d2af177e
---
M files/lighttpd/50-mailman.conf
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/77/161177/1

diff --git a/files/lighttpd/50-mailman.conf b/files/lighttpd/50-mailman.conf
index 4df9ead..04785fa 100644
--- a/files/lighttpd/50-mailman.conf
+++ b/files/lighttpd/50-mailman.conf
@@ -87,5 +87,5 @@
 
 # Strict Transport Security
 $HTTP[scheme] == https {
-setenv.add-response-header  = ( Strict-Transport-Security = 
max-age=604800)
+setenv.add-response-header  = ( Strict-Transport-Security = 
max-age=31536000)
 }
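Review bot: The new value 31536000 in the $HTTP[scheme] == https block carries no unit; a trailing comment such as "# 365 days" would save the next reader the arithmetic. The assignment also uses "=" inside the conditional, so if setenv.add-response-header is set anywhere outside this block, check that those headers are still sent on HTTPS responses, and use "+=" if they are meant to be merged.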

-- 
To view, visit https://gerrit.wikimedia.org/r/161177
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I45ac77e1e0bc2dda6e17f577ea9b9927d2af177e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] racktables - remove RewriteCond on /status - change (operations/puppet)

2014-09-15 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/160528

Change subject: racktables - remove RewriteCond on /status
..

racktables - remove RewriteCond on /status

As I mentioned in Idc9a448f comment 14, all HTTP connections to
racktables redirect to HTTPS except for:
http://racktables.wikimedia.org/status

But I don't see a reason why this URL should be excluded, especially
since it actually returns 404. So this patch removes the line:
RewriteCond %{REQUEST_URI} !^/status$

Change-Id: I610d984b81e6a7e188398db27b92bd6eff2a07ee
---
M templates/apache/sites/racktables.wikimedia.org.erb
1 file changed, 0 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/28/160528/1

diff --git a/templates/apache/sites/racktables.wikimedia.org.erb 
b/templates/apache/sites/racktables.wikimedia.org.erb
index 757bf6b..f414df1 100644
--- a/templates/apache/sites/racktables.wikimedia.org.erb
+++ b/templates/apache/sites/racktables.wikimedia.org.erb
@@ -10,7 +10,6 @@
 
 RewriteEngine on
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
-RewriteCond %{REQUEST_URI} !^/status$
 RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} 
[R=301,E=ProtoRedirect]
 Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
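Review bot: Dropping RewriteCond %{REQUEST_URI} !^/status$ means plain-HTTP requests for /status now get the 301 like every other path. The commit message argues that the URL returns 404, but an exclusion like this usually exists for a health check, so please confirm that no monitoring or load-balancer probe requests http://racktables.wikimedia.org/status and expects a non-redirect response before this merges.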
 

-- 
To view, visit https://gerrit.wikimedia.org/r/160528
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I610d984b81e6a7e188398db27b92bd6eff2a07ee
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] gerrit - raise HSTS max-age to 1 year - change (operations/puppet)

2014-09-11 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/159729

Change subject: gerrit - raise HSTS max-age to 1 year
..

gerrit - raise HSTS max-age to 1 year

In I37924865, we enabled HSTS and set the max-age to 7 days.
This patch raises the max-age to 1 year (365 days).

Bug: 38516
Change-Id: Ic3062981aae93fadde3627c1493499fe9b276098
---
M manifests/gerrit.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/29/159729/1

diff --git a/manifests/gerrit.pp b/manifests/gerrit.pp
index 6dabfce..58e2ce3 100644
--- a/manifests/gerrit.pp
+++ b/manifests/gerrit.pp
@@ -26,7 +26,7 @@
 $dbuser = $db_user
 $dbpass = $passwords::gerrit::gerrit_db_pass
 $bzpass = $passwords::gerrit::gerrit_bz_pass
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
 
 # Setup LDAP
 include ldap::role::config::labs
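Review bot: Going from '7' to '365' in the third argument of ssl_ciphersuite() makes the policy hard to retract: a browser that has seen the one-year header keeps refusing plain HTTP for this host until the entry expires or the site serves max-age=0 over HTTPS. The commit message should record that the 7-day period from I37924865 passed without problems before the longer value is merged.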

-- 
To view, visit https://gerrit.wikimedia.org/r/159729
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic3062981aae93fadde3627c1493499fe9b276098
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] gerrit: Enable StrictTransportSecurity max-age=7days - change (operations/puppet)

2014-09-01 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/157789

Change subject: gerrit: Enable StrictTransportSecurity max-age=7days
..

gerrit: Enable StrictTransportSecurity max-age=7days

This enables HTTP Strict Transport Security (HSTS) on
gerrit with max-age=7 days.

Bug: 38516
Change-Id: I379248653df24799f15e53325eec482450ff3d92
---
M manifests/gerrit.pp
1 file changed, 3 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/89/157789/1

diff --git a/manifests/gerrit.pp b/manifests/gerrit.pp
index 079bec2..6dabfce 100644
--- a/manifests/gerrit.pp
+++ b/manifests/gerrit.pp
@@ -26,7 +26,7 @@
 $dbuser = $db_user
 $dbpass = $passwords::gerrit::gerrit_db_pass
 $bzpass = $passwords::gerrit::gerrit_bz_pass
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7')
 
 # Setup LDAP
 include ldap::role::config::labs
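Review bot: The new third argument '7' on the ssl_ciphersuite() call gives no hint that it is an HSTS lifetime or that the unit is days. Add a comment on that line, for example "# HSTS max-age, in days", so the call site is readable without opening the function.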
@@ -309,6 +309,8 @@
 include ::apache::mod::proxy_http
 
 include ::apache::mod::ssl
+
+include ::apache::mod::headers
 }
 
 class gerrit::crons {

-- 
To view, visit https://gerrit.wikimedia.org/r/157789
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I379248653df24799f15e53325eec482450ff3d92
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Use https for www.aclu.org - change (wikimedia/TransparencyReport)

2014-08-29 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/157330

Change subject: Use https for www.aclu.org
..

Use https for www.aclu.org

In I136d08dd, the link to www.aclu.org was changed to protocol relative.
But https://www.aclu.org is https only, so this patch changes the link
to https.

Change-Id: Idf6655dc6ad5b5d4a741b071cc6a26bfaf00c5a4
---
M build/faq.html
M locales/en.yml
2 files changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/wikimedia/TransparencyReport 
refs/changes/30/157330/1

diff --git a/build/faq.html b/build/faq.html
index e2067b2..1458519 100644
--- a/build/faq.html
+++ b/build/faq.html
@@ -74,7 +74,7 @@
 
a name=my_personal_information/a
h2 class=questionimg src=/images/chevron.svgspanHelp! My 
personal information is being sought because of something I did on the 
Wikimedia projects. What should I do?/span/h2
-   div class=answerpIf you are the subject of a subpoena, it is 
highly recommended that you consult your own lawyer immediately. There are a 
number of organizations that will fight on a user's behalf, like the a 
href='//www.aclu.org/'American Civil Liberties Union/a (ACLU) or the a 
href='https://www.eff.org/'Electronic Frontier Foundation/a (EFF). If you 
need help finding an attorney, WMF may be able to put you in touch with some of 
these organizations or help you secure an attorney at reduced or pro-bono 
rates. In rare cases, assistance may also be available under our a 
href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Fees_Assistance_Program'Legal
 Fees Assistance Program/a or a 
href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Policies#Defense_of_Contributors'Defense
 of Contributors Program/a./ppAdditionally, in certain situations, WMF 
may challenge a subpoena on a user’s behalf if it is unnecessarily broad or 
burdensome, or if we believe the subpoena threatens the free speech of users on 
our projects. For more information about subpoenas, see our a 
href='//wikimediafoundation.org/wiki/Privacy_policy/Subpoena_FAQ'Subpoena 
FAQ/a. /p/div
+   div class=answerpIf you are the subject of a subpoena, it is 
highly recommended that you consult your own lawyer immediately. There are a 
number of organizations that will fight on a user's behalf, like the a 
href='https://www.aclu.org/'American Civil Liberties Union/a (ACLU) or the 
a href='https://www.eff.org/'Electronic Frontier Foundation/a (EFF). If you 
need help finding an attorney, WMF may be able to put you in touch with some of 
these organizations or help you secure an attorney at reduced or pro-bono 
rates. In rare cases, assistance may also be available under our a 
href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Fees_Assistance_Program'Legal
 Fees Assistance Program/a or a 
href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Policies#Defense_of_Contributors'Defense
 of Contributors Program/a./ppAdditionally, in certain situations, WMF 
may challenge a subpoena on a user’s behalf if it is unnecessarily broad or 
burdensome, or if we believe the subpoena threatens the free speech of users on 
our projects. For more information about subpoenas, see our a 
href='//wikimediafoundation.org/wiki/Privacy_policy/Subpoena_FAQ'Subpoena 
FAQ/a. /p/div
 
hr
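Review bot: The same paragraph is edited by hand in both build/faq.html and locales/en.yml. If build/ is generated output from the locale files, change only locales/en.yml and regenerate, so the two copies cannot drift; if both are maintained manually, say so in the commit message.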
 
diff --git a/locales/en.yml b/locales/en.yml
index aae548f..0f7443d 100644
--- a/locales/en.yml
+++ b/locales/en.yml
@@ -99,7 +99,7 @@
 q_nonpublic_personal_information: When would you not tell a user that his 
or her nonpublic personal information is being disclosed as a result of a legal 
process, such as a subpoena?
 a_nonpublic_personal_information: pWe are committed to notifying users 
if we plan on disclosing nonpublic personal information. However, we cannot 
notify a user if we are legally restrained from doing so (e.g. by a gag order), 
if a credible threat to life or limb is present, or if the user has not 
provided us with an e-mail address or valid contact information./p
 q_my_personal_information: Help! My personal information is being sought 
because of something I did on the Wikimedia projects. What should I do?
-a_my_personal_information: pIf you are the subject of a subpoena, it is 
highly recommended that you consult your own lawyer immediately. There are a 
number of organizations that will fight on a user's behalf, like the a 
href='//www.aclu.org/'American Civil Liberties Union/a (ACLU) or the a 
href='https://www.eff.org/'Electronic Frontier Foundation/a (EFF). If you 
need help finding an attorney, WMF may be able to put you in touch with some of 
these organizations or help you secure an attorney at reduced or pro-bono 
rates. In rare cases, assistance may also be available under our a 
href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Fees_Assistance_Program'Legal
 Fees Assistance 

[MediaWiki-commits] [Gerrit] ssl_ciphersuite - change Header add to Header set - change (operations/puppet)

2014-08-19 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/155016

Change subject: ssl_ciphersuite - change Header add to Header set
..

ssl_ciphersuite - change Header add to Header set

Per I3f317856 and I3b28b725, the consensus is to use
Header set Strict-Transport-Security instead of
Header add Strict-Transport-Security.

Change-Id: I76180c650d1af64df56a9bd5d120bbd170c06557
---
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/16/155016/1

diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 1f99c7f..744bb30 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -121,7 +121,7 @@
   output.push('SSLHonorCipherOrder On')
   unless hsts_days.nil?
 hsts_seconds = hsts_days * 86400
-output.push(Header add Strict-Transport-Security 
\max-age=#{hsts_seconds}\)
+output.push(Header set Strict-Transport-Security 
\max-age=#{hsts_seconds}\)
   end
 else
   # nginx
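Review bot: In the context lines above the change, hsts_seconds = hsts_days * 86400 only works if hsts_days is an Integer, yet the callers on this list pass it quoted ('7', '365'). In Ruby, String * Integer repeats the string, so unless the argument is converted earlier in the function (not visible in this hunk) the emitted max-age would be wrong. Please confirm there is a to_i or Integer() conversion before this line.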

-- 
To view, visit https://gerrit.wikimedia.org/r/155016
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I76180c650d1af64df56a9bd5d120bbd170c06557
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] wikitech - use ssl_ciphersuite to add HSTS - change (operations/puppet)

2014-08-15 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/154368

Change subject: wikitech - use ssl_ciphersuite to add HSTS
..

wikitech - use ssl_ciphersuite to add HSTS

ssl_ciphersuite can also be used to add HSTS (I9bc1104b), so use it.

Change-Id: I4655ebb78b71eba5c8781c9960a25b212bd295b6
---
M manifests/role/nova.pp
M templates/apache/sites/wikitech.wikimedia.org.erb
2 files changed, 1 insertion(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/68/154368/1

diff --git a/manifests/role/nova.pp b/manifests/role/nova.pp
index d486361..0ab32b7 100644
--- a/manifests/role/nova.pp
+++ b/manifests/role/nova.pp
@@ -306,7 +306,7 @@
 ca = $ca
 }
 
-$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
 
 class { 'openstack::openstack-manager':
 openstack_version = $openstack_version,
diff --git a/templates/apache/sites/wikitech.wikimedia.org.erb 
b/templates/apache/sites/wikitech.wikimedia.org.erb
index a49ad9d..19b332f 100644
--- a/templates/apache/sites/wikitech.wikimedia.org.erb
+++ b/templates/apache/sites/wikitech.wikimedia.org.erb
@@ -45,8 +45,6 @@
 SSLCACertificatePath /etc/ssl/certs/
 %= @ssl_settings.join(\n) %
 
-Header set Strict-Transport-Security max-age=31536000
-
 RedirectMatch ^/$ https://%= @webserver_hostname %/wiki/
 
 RewriteEngine on
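Review bot: Removing the explicit Header set Strict-Transport-Security max-age=31536000 makes this vhost depend entirely on what ssl_ciphersuite() emits through @ssl_settings. The function's diff in change 155016 on this list, dated four days after this one, shows it emitting Header add until that change lands, so merging this first would move wikitech from set back to add, against the consensus cited in Ic122c688. Sequence the two changes, or note the dependency in the commit message.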

-- 
To view, visit https://gerrit.wikimedia.org/r/154368
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4655ebb78b71eba5c8781c9960a25b212bd295b6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] Use protocol relative URLs for some links on Transparency Re... - change (wikimedia/TransparencyReport)

2014-08-09 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/153026

Change subject: Use protocol relative URLs for some links on Transparency 
Report pages
..

Use protocol relative URLs for some links on Transparency Report pages

Some links on the Wikimedia Foundation Transparency Report have hardcoded
http: as their protocol. I changed them to protocol relative links.
The links with hardcoded https are not changed to protocol relative.

Change-Id: Id2b651cb64cf803bf87cb7d5e25ea350a944474f
---
M build/content.html
M build/faq.html
M build/index.html
M build/javascripts/content.js
M build/privacy.html
5 files changed, 18 insertions(+), 18 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/wikimedia/TransparencyReport 
refs/changes/26/153026/1

diff --git a/build/content.html b/build/content.html
index f01f626..7a59750 100644
--- a/build/content.html
+++ b/build/content.html
@@ -75,7 +75,7 @@
   blockquote
 pWe change people through conversation, not through censorship./p
 footer
-  a href=http://commons.wikimedia.org/wiki/File:Jay-Z_2011.jpg;img 
src=/images/quote_jay.png/a
+  a href=//commons.wikimedia.org/wiki/File:Jay-Z_2011.jpgimg 
src=/images/quote_jay.png/a
   pa href='https://en.wikipedia.org/wiki/Jay-Z'Jay 
Z/asmallMusician (a 
href='https://en.wikipedia.org/wiki/Decoded_%28book%29'2010/a)/small/p
 /footer
   /blockquote
@@ -195,7 +195,7 @@
 h3
   The ClassicsbrsmallNovember 2013/small
 /h3
-pA publishing company sent us a takedown request concerning four famous 
works on a href='https://wikisource.org/'Wikisource/a: French translations 
of a href='https://en.wikipedia.org/wiki/Jane_Austen'Jane Austen's/a a 
href='http://fr.wikisource.org/wiki/Les_Cinq_Filles_de_Mrs_Bennet'emPride 
and Prejudice/em/a and a 
href='http://fr.wikisource.org/wiki/Persuasion'emPersuasion/em/a, a 
French translation of a 
href='https://en.wikipedia.org/wiki/Arthur_Conan_Doyle'Arthur Conan 
Doyle's/a a 
href='https://fr.wikisource.org/wiki/Les_Aventures_de_Sherlock_Holmes'emThe 
Adventures of Sherlock Holmes/em/a, and a 
href='https://en.wikipedia.org/wiki/Jean_de_la_Fontaine'Jean de la 
Fontaine’s/a a 
href='http://fr.wikisource.org/wiki/Fables_de_La_Fontaine,_livres_I-III'emFables/em/a.
 We immediately noticed the peculiarity with the request: all four original 
works (and likely their French translations as well) were old enough to have 
fallen into the a href='https://en.wikipedia.org/wiki/Public_domain'public 
domain/a. When we alerted the company to this point, it rescinded the 
takedown notice./p
+pA publishing company sent us a takedown request concerning four famous 
works on a href='https://wikisource.org/'Wikisource/a: French translations 
of a href='https://en.wikipedia.org/wiki/Jane_Austen'Jane Austen's/a a 
href='//fr.wikisource.org/wiki/Les_Cinq_Filles_de_Mrs_Bennet'emPride and 
Prejudice/em/a and a 
href='//fr.wikisource.org/wiki/Persuasion'emPersuasion/em/a, a French 
translation of a 
href='https://en.wikipedia.org/wiki/Arthur_Conan_Doyle'Arthur Conan 
Doyle's/a a 
href='https://fr.wikisource.org/wiki/Les_Aventures_de_Sherlock_Holmes'emThe 
Adventures of Sherlock Holmes/em/a, and a 
href='https://en.wikipedia.org/wiki/Jean_de_la_Fontaine'Jean de la 
Fontaine’s/a a 
href='//fr.wikisource.org/wiki/Fables_de_La_Fontaine,_livres_I-III'emFables/em/a.
 We immediately noticed the peculiarity with the request: all four original 
works (and likely their French translations as well) were old enough to have 
fallen into the a href='https://en.wikipedia.org/wiki/Public_domain'public 
domain/a. When we alerted the company to this point, it rescinded the 
takedown notice./p
   /div
 /div
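Review bot: The rewritten paragraph in this hunk now mixes //fr.wikisource.org/... with https://fr.wikisource.org/wiki/Les_Aventures_de_Sherlock_Holmes for the same host. A protocol-relative link stays on HTTP whenever the page itself is loaded over HTTP, so since the host is already linked with https in the same sentence, use https:// for the three changed hrefs instead.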
 
@@ -265,16 +265,16 @@
ul
lia 
href=https://meta.wikimedia.org/wiki/Wikimedia_Foundation_Transparency_Report;Wiki
 Version/a/li
lia 
href=/data/data_aug2014.odsDownload Data/a/li
-   lia 
href=http://wikimediafoundation.org/wiki/Privacy_policy;Privacy 
Policy/a/li
+   lia 
href=//wikimediafoundation.org/wiki/Privacy_policyPrivacy Policy/a/li
lia 
href=https://meta.wikimedia.org/wiki/Data_retention_guidelines;Data Retention 
Guidelines/a/li
/ul
/div
 
div class=col-md-2
ul
-   lia 
href=http://wikimediafoundation.org;About Us/a/li
+   lia 
href=//wikimediafoundation.orgAbout Us/a/li
lia 
href=https://blog.wikimedia.org/;Blog/a/li
-  

[MediaWiki-commits] [Gerrit] Wikitech -- use Header set instead of Header append - change (operations/puppet)

2014-07-27 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/149626

Change subject: Wikitech -- use Header set instead of Header append
..

Wikitech -- use Header set instead of Header append

Per I3f317856 and I3b28b725, the consensus is to use
Header set Strict-Transport-Security instead of
Header append Strict-Transport-Security.

Change-Id: Ic122c688cfa52d3a4c4ca94b64f3820c3ae832ad
---
M templates/apache/sites/wikitech.wikimedia.org.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/26/149626/1

diff --git a/templates/apache/sites/wikitech.wikimedia.org.erb 
b/templates/apache/sites/wikitech.wikimedia.org.erb
index 0a82573..cca9597 100644
--- a/templates/apache/sites/wikitech.wikimedia.org.erb
+++ b/templates/apache/sites/wikitech.wikimedia.org.erb
@@ -47,7 +47,7 @@
 SSLCertificateKeyFile /etc/ssl/private/%= @certificate %.key
 SSLCACertificatePath /etc/ssl/certs/
 
-Header append Strict-Transport-Security max-age=31536000
+Header set Strict-Transport-Security max-age=31536000
 
 RedirectMatch ^/$ https://%= @webserver_hostname %/wiki/
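Review bot: The commit message cites the consensus for Header set but not the reason, and the one-line change is otherwise unexplained. A sentence saying that append adds to any Strict-Transport-Security value already present on the response, while set replaces it so that exactly one policy is sent, would make the change self-contained.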
 

-- 
To view, visit https://gerrit.wikimedia.org/r/149626
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic122c688cfa52d3a4c4ca94b64f3820c3ae832ad
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] icinga-admin -- update cipher suite list to support PFS - change (operations/puppet)

2014-07-25 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/149267

Change subject: icinga-admin -- update cipher suite list to support PFS
..

icinga-admin -- update cipher suite list to support PFS

This patch changes cipher suite list for icinga-admin.wikimedia.org
to support Forward Secrecy.

Bug: 53259
Change-Id: I3440b8878cb534f09b960471b60ad2e4b4bd0c73
---
M templates/apache/sites/icinga.wikimedia.org.erb
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/67/149267/1

diff --git a/templates/apache/sites/icinga.wikimedia.org.erb 
b/templates/apache/sites/icinga.wikimedia.org.erb
index ff6f872..2340165 100644
--- a/templates/apache/sites/icinga.wikimedia.org.erb
+++ b/templates/apache/sites/icinga.wikimedia.org.erb
@@ -70,8 +70,8 @@
 VirtualHost *:443
 ServerName icinga-admin.wikimedia.org
 SSLEngine On
-SSLProtocol -ALL +SSLv3 +TLSv1
-SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+SSLProtocol +ALL -SSLv2
+SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
 SSLHonorCipherOrder on
 SSLCertificateFile /etc/ssl/private/icinga-admin.wikimedia.org.pem
 SSLCertificateKeyFile /etc/ssl/private/icinga-admin.wikimedia.org.key
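Review bot: SSLProtocol +ALL -SSLv2 replaces an explicit allow-list with everything except SSLv2, so SSLv3 stays enabled and the set of protocols now depends on what the installed mod_ssl supports. In the new SSLCipherSuite, the trailing !DH removes every DHE suite, leaving ECDHE as the only source of forward secrecy, and RC4 suites (ECDHE-RSA-RC4-SHA, ECDHE-ECDSA-RC4-SHA, RC4-SHA) are still offered. Please note in the commit message whether both are intentional.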

-- 
To view, visit https://gerrit.wikimedia.org/r/149267
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3440b8878cb534f09b960471b60ad2e4b4bd0c73
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] planet.wikimedia.org -- fix https redirects to http - change (operations/puppet)

2014-07-25 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/149311

Change subject: planet.wikimedia.org -- fix https redirects to http
..

planet.wikimedia.org -- fix https redirects to http

Currently https://planet.wikimedia.org redirects to
http://meta.wikimedia.org/wiki/Planet_Wikimedia. This patch makes
https URLs redirect to https.

Bug: 68554
Change-Id: Idb11165b42f14ab5a2511683a70a602649cd2263
---
M modules/planet/templates/apache/planet.erb
1 file changed, 5 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/11/149311/1

diff --git a/modules/planet/templates/apache/planet.erb 
b/modules/planet/templates/apache/planet.erb
index fca91b3..fe8686b 100644
--- a/modules/planet/templates/apache/planet.erb
+++ b/modules/planet/templates/apache/planet.erb
@@ -11,8 +11,11 @@
 SSLCertificateChainFile /etc/ssl/certs/star.planet.%= 
scope.lookupvar('planet::planet_domain_name') %.chained.pem
 SSLCertificateKeyFile /etc/ssl/private/star.planet.%= 
scope.lookupvar('planet::planet_domain_name') %.key
 
-RewriteEngine on
-RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301]
+DocumentRoot /var/www/planet
+
+Redirect /atom.xml https://en.planet.%= 
scope.lookupvar('planet::planet_domain_name') %/atom.xml
+Redirect /rss10.xml https://en.planet.%= 
scope.lookupvar('planet::planet_domain_name') %/rss10.xml
+Redirect /rss20.xml https://en.planet.%= 
scope.lookupvar('planet::planet_domain_name') %/rss20.xml
 
 RedirectTemp / https://%= scope.lookupvar('planet::planet_meta_link') %
 /VirtualHost
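Review bot: The three added Redirect lines for /atom.xml, /rss10.xml and /rss20.xml give no status, so Apache answers with its default 302, whereas the rule they replace used R=301. If the feed locations are meant to be permanent, write Redirect permanent /atom.xml ... and likewise for the other two. The added DocumentRoot /var/www/planet also looks unused, since the following RedirectTemp / matches every remaining path.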

-- 
To view, visit https://gerrit.wikimedia.org/r/149311
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Idb11165b42f14ab5a2511683a70a602649cd2263
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] tendril -- update cipher suite list to support PFS - change (operations/puppet)

2014-07-23 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/148618

Change subject: tendril -- update cipher suite list to support PFS
..

tendril -- update cipher suite list to support PFS

This patch changes cipher suite list for tendril.wikimedia.org
to support Forward Secrecy.

Bug: 53259
Change-Id: I2e4d202fe322cd7e569f0f9d6112d22b82170924
---
M modules/tendril/templates/apache/tendril.wikimedia.org.erb
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/18/148618/1

diff --git a/modules/tendril/templates/apache/tendril.wikimedia.org.erb 
b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
index a413f3b..4fd9d93 100644
--- a/modules/tendril/templates/apache/tendril.wikimedia.org.erb
+++ b/modules/tendril/templates/apache/tendril.wikimedia.org.erb
@@ -7,8 +7,8 @@
 VirtualHost *:443
ServerName %= @site_name %
SSLEngine On
-   SSLProtocol -ALL +SSLv3 +TLSv1
-   SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+   SSLProtocol +ALL -SSLv2
+   SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/private/tendril.wikimedia.org.pem
SSLCertificateKeyFile /etc/ssl/private/tendril.wikimedia.org.key
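
Review bot: `SSLProtocol +ALL -SSLv2` on the added line still leaves SSLv3 enabled, and `+ALL` turns on whatever else the local mod_ssl build supports rather than a reviewed set. Moving away from `-ALL +SSLv3 +TLSv1` is needed, since the GCM and SHA256/SHA384 suites at the head of the new list exist only in TLS 1.2, but an explicit list such as `SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2` (where the installed Apache accepts those names) would enable them without carrying SSLv3 along. If SSLv3 is being kept on purpose for old clients, say so in the commit message.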

-- 
To view, visit https://gerrit.wikimedia.org/r/148618
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2e4d202fe322cd7e569f0f9d6112d22b82170924
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] planet -- update cipher suite list to support PFS - change (operations/puppet)

2014-07-23 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/148624

Change subject: planet -- update cipher suite list to support PFS
..

planet -- update cipher suite list to support PFS

This patch changes cipher suite list for planet.wikimedia.org and
*.planet.wikimedia.org to support Forward Secrecy.

Bug: 53259
Change-Id: Ia698be9cca4f3df13c76ff544bba58a05f12efa9
---
M modules/planet/templates/apache/planet-language.erb
M modules/planet/templates/apache/planet.erb
2 files changed, 4 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/24/148624/1

diff --git a/modules/planet/templates/apache/planet-language.erb 
b/modules/planet/templates/apache/planet-language.erb
index 9e31fdf..45a9917 100644
--- a/modules/planet/templates/apache/planet-language.erb
+++ b/modules/planet/templates/apache/planet-language.erb
@@ -15,8 +15,8 @@
 
 ServerName %= @name %.planet.%= 
scope.lookupvar('planet::planet_domain_name') %
 SSLEngine on
-SSLProtocol -ALL +SSLv3 +TLSv1
-SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+SSLProtocol +ALL -SSLv2
+SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
 SSLHonorCipherOrder on
 SSLCertificateFile /etc/ssl/certs/star.planet.%= 
scope.lookupvar('planet::planet_domain_name') %.pem
 SSLCertificateChainFile /etc/ssl/certs/star.planet.%= 
scope.lookupvar('planet::planet_domain_name') %.chained.pem
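
Review bot: The added `SSLCipherSuite` value still offers RC4 (`ECDHE-RSA-RC4-SHA`, `ECDHE-ECDSA-RC4-SHA` and `RC4-SHA`), and with `!3DES` in the same string RC4 is what a client without AES support will typically end up negotiating. RC4 has known keystream biases, so either drop the three entries or add a comment above the directive naming the clients they are kept for, so that a later cleanup knows when they can go.
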
diff --git a/modules/planet/templates/apache/planet.erb 
b/modules/planet/templates/apache/planet.erb
index 56ba1cd..fca91b3 100644
--- a/modules/planet/templates/apache/planet.erb
+++ b/modules/planet/templates/apache/planet.erb
@@ -4,8 +4,8 @@
 VirtualHost *:443
 ServerName planet.%= scope.lookupvar('planet::planet_domain_name') %
 SSLEngine on
-SSLProtocol -ALL +SSLv3 +TLSv1
-SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+SSLProtocol +ALL -SSLv2
+SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
 SSLHonorCipherOrder on
 SSLCertificateFile /etc/ssl/certs/star.planet.%= 
scope.lookupvar('planet::planet_domain_name') %.pem
 SSLCertificateChainFile /etc/ssl/certs/star.planet.%= 
scope.lookupvar('planet::planet_domain_name') %.chained.pem
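
Review bot: The `SSLProtocol` and `SSLCipherSuite` lines added here are a copy of the ones added to `planet-language.erb` in the same change. A string this long is hard to compare by eye, so the two vhosts can drift apart unnoticed the next time one of them is edited. Consider defining the value once (for example as a variable in the planet module that both templates look up) and referencing it from both.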

-- 
To view, visit https://gerrit.wikimedia.org/r/148624
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia698be9cca4f3df13c76ff544bba58a05f12efa9
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] svn -- update cipher suite list to support PFS - change (operations/puppet)

2014-07-23 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/148631

Change subject: svn -- update cipher suite list to support PFS
..

svn -- update cipher suite list to support PFS

This patch changes cipher suite list for svn.wikimedia.org
to support Forward Secrecy.

Bug: 53259
Change-Id: I130dd511ca2e92a5717573f00df1ceaa01a94d52
---
M modules/subversion/files/apache/svn.wikimedia.org
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/31/148631/1

diff --git a/modules/subversion/files/apache/svn.wikimedia.org 
b/modules/subversion/files/apache/svn.wikimedia.org
index 3687cbb..90795e5 100644
--- a/modules/subversion/files/apache/svn.wikimedia.org
+++ b/modules/subversion/files/apache/svn.wikimedia.org
@@ -50,8 +50,8 @@
DocumentRoot /srv/org/wikimedia/svn
 
SSLEngine on
-   SSLProtocol -ALL +SSLv3 +TLSv1
-   SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+   SSLProtocol +ALL -SSLv2
+   SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/svn.wikimedia.org.pem
SSLCertificateKeyFile /etc/ssl/private/svn.wikimedia.org.key
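
Review bot: `!DH` at the end of the added `SSLCipherSuite` string removes every DHE suite, so forward secrecy on this vhost depends entirely on the client supporting ECDHE. A client without ECDHE falls through to entries such as `AES128-GCM-SHA256` or `RC4-SHA`, which use RSA key exchange and give no forward secrecy. That may be the intended trade-off, but the commit message should then say that PFS is offered only to ECDHE-capable clients.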

-- 
To view, visit https://gerrit.wikimedia.org/r/148631
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I130dd511ca2e92a5717573f00df1ceaa01a94d52
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] blog -- update cipher suite list to support PFS - change (operations/puppet)

2014-07-19 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/147739

Change subject: blog -- update cipher suite list to support PFS
..

blog -- update cipher suite list to support PFS

This patch changes cipher suite list for blog.wikimedia.org
to support Forward Secrecy.

Bug: 53259
Change-Id: I9fc796c6ba9dc99c3f16237bd29ee312a925edce
---
M files/apache/sites/blog.wikimedia.org
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/39/147739/1

diff --git a/files/apache/sites/blog.wikimedia.org 
b/files/apache/sites/blog.wikimedia.org
index fbafd6c..05737a2 100644
--- a/files/apache/sites/blog.wikimedia.org
+++ b/files/apache/sites/blog.wikimedia.org
@@ -58,8 +58,8 @@
DocumentRoot /srv/org/wikimedia/blog/
 
 SSLEngine on
-SSLProtocol -ALL +SSLv3 +TLSv1
-SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+SSLProtocol +ALL -SSLv2
+SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
 SSLHonorCipherOrder on
 SSLCertificateFile /etc/ssl/certs/blog.wikimedia.org.pem
 SSLCertificateKeyFile /etc/ssl/private/blog.wikimedia.org.key
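
Review bot: The tail of the added `SSLCipherSuite` string (`AES128:AES256:RC4-SHA:HIGH`) relies on aliases whose expansion depends on the OpenSSL build on the host, so the diff alone does not show which suites this vhost will actually offer. Please run `openssl ciphers -v` with the exact string on the target host and paste the resulting ordered list into the change, so the non-PFS fallbacks that the aliases pull in are visible and can be agreed on.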

-- 
To view, visit https://gerrit.wikimedia.org/r/147739
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9fc796c6ba9dc99c3f16237bd29ee312a925edce
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] ishmael -- update cipher suite list to support PFS - change (operations/puppet)

2014-07-19 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/147740

Change subject: ishmael -- update cipher suite list to support PFS
..

ishmael -- update cipher suite list to support PFS

This patch changes cipher suite list for ishmael.wikimedia.org
to support Forward Secrecy.

Bug: 53259
Change-Id: I3d664fa92028f4580f828412657e4c11571a708f
---
M modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/40/147740/1

diff --git a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb 
b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
index 3bf43ef..add40da 100644
--- a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
+++ b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb
@@ -7,8 +7,8 @@
 VirtualHost *:443
ServerName %= @site_name %
SSLEngine On
-   SSLProtocol -ALL +SSLv3 +TLSv1
-   SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+   SSLProtocol +ALL -SSLv2
+   SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/private/ishmael.wikimedia.org.pem
SSLCertificateKeyFile /etc/ssl/private/ishmael.wikimedia.org.key
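
Review bot: Seven of the suites named on the added `SSLCipherSuite` line are `ECDHE-ECDSA-*`, which can be negotiated only when the vhost presents an ECDSA certificate, and the context shows a single `SSLCertificateFile`. If `ishmael.wikimedia.org.pem` is an RSA certificate those entries are inert and only lengthen the string; either trim them or note in a comment that they are there for a future ECDSA certificate.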

-- 
To view, visit https://gerrit.wikimedia.org/r/147740
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3d664fa92028f4580f828412657e4c11571a708f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] use protocol relative url for image links on stats homepage - change (analytics/wikistats)

2014-07-19 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/147876

Change subject: use protocol relative url for image links on stats homepage
..

use protocol relative url for image links on stats homepage

https://stats.wikimedia.org/ contains mixed content. It loads images
from http://upload.wikimedia.org. So I changed all occurrences of
http://upload.wikimedia.org with //upload.wikimedia.org, and
http://wikimediafoundation.org/favicon.ico with
//wikimediafoundation.org/favicon.ico.

Change-Id: I31ef9823a5cb3bd92f49bb7f8ba06555a57c5321
---
M portal/index.html
1 file changed, 47 insertions(+), 47 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/analytics/wikistats 
refs/changes/76/147876/1

diff --git a/portal/index.html b/portal/index.html
index b3044ae..5e73671 100644
--- a/portal/index.html
+++ b/portal/index.html
@@ -4,8 +4,8 @@
   meta http-equiv=Content-type content=text/html; charset=iso-8859-1
   meta name=robots content=index,follow
   script language=javascript type=text/javascript 
src=../WikipediaStatistics11.js/script
-  link rel=shortcut icon href=http://wikimediafoundation.org/favicon.ico; 
/
-  link rel=apple-touch-icon 
href=http://wikimediafoundation.org/favicon.ico; /
+  link rel=shortcut icon href=//wikimediafoundation.org/favicon.ico /
+  link rel=apple-touch-icon href=//wikimediafoundation.org/favicon.ico /
   titleWikistats: Wikimedia Statistics/title
 
   script src=jquery-1.1.3.1.pack.js type=text/javascript/script
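
Review bot: The two `link` elements now use protocol-relative `//wikimediafoundation.org/favicon.ico`, which removes the mixed-content warning on the HTTPS page but still fetches the icon over plain HTTP whenever the page itself is loaded over HTTP. Since the fix depends on the host serving this file over HTTPS anyway, writing `https://wikimediafoundation.org/favicon.ico` outright would cover both cases. The same applies to the `//upload.wikimedia.org` image URLs in the later hunks.
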
@@ -54,7 +54,7 @@
 
 table
 tr   
-  td valign=middlenbsp;img 
src='http://upload.wikimedia.org/wikipedia/commons/thumb/8/81/Wikimedia-logo.svg/25px-Wikimedia-logo.svg.png'/td
+  td valign=middlenbsp;img 
src='//upload.wikimedia.org/wikipedia/commons/thumb/8/81/Wikimedia-logo.svg/25px-Wikimedia-logo.svg.png'/td
   td valign=middle align=lefth1Wikimedia Statistics/h1/td
 /tr
 /table   
@@ -93,27 +93,27 @@
 Detailed trends for each project.br
 Tables and charts cover the entire history. 
table border=0 width=300
-  trtd valign=bottom align=left width=40a 
href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'img 
src='http://upload.wikimedia.org/wikipedia/commons/thumb/6/63/Wikipedia-logo.png/40px-Wikipedia-logo.png'
 width='40' height='40' border='0'  alt='Wikipedia'border=0 //abra 
href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'bWikipedia/b/a/td
- td valign=bottom align=left width=40a 
href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'img
 
src='http://upload.wikimedia.org/wikipedia/commons/thumb/4/4a/Commons-logo.svg/40px-Commons-logo.svg.png'
 width='40' height='48' alt='Commons' title='Free media repository' border=0 
//abra 
href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'bCommons/b/a/td
-  td valign=bottom align=left width=40a 
href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaWIKIDATA.htm'img
 
src='http://upload.wikimedia.org/wikipedia/commons/e/e4/Wikidata-logo-en-135px.png'
 width='50' height='50' alt='Wikidata' title='Wikidata' border=0 
//abrba 
href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaWIKIDATA.htm'Wikidata/a/b/td
-  td valign=bottom align=left width=40a 
href='http://en.wikipedia.org/wikistats/wikivoyage/EN/Sitemap.htm'img 
src='http://upload.wikimedia.org/wikipedia/commons/b/b7/Wikivoyage-Logo-v3-en-highlight.png'
 width='40' height='40' alt='Wikivoyage' title='Wikivoyage' border=0 
//anbsp;a href='http://www.wikivoyage.org/' 
title='Wikivoyage'/abrba 
href='http://en.wikipedia.org/wikistats/wikivoyage/EN/Sitemap.htm'Wikivoyage/a/b/td/tr
+  trtd valign=bottom align=left width=40a 
href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'img 
src='//upload.wikimedia.org/wikipedia/commons/thumb/6/63/Wikipedia-logo.png/40px-Wikipedia-logo.png'
 width='40' height='40' border='0'  alt='Wikipedia'border=0 //abra 
href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'bWikipedia/b/a/td
+ td valign=bottom align=left width=40a 
href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'img
 
src='//upload.wikimedia.org/wikipedia/commons/thumb/4/4a/Commons-logo.svg/40px-Commons-logo.svg.png'
 width='40' height='48' alt='Commons' title='Free media repository' border=0 
//abra 
href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'bCommons/b/a/td
+  td valign=bottom align=left width=40a 
href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaWIKIDATA.htm'img
 src='//upload.wikimedia.org/wikipedia/commons/e/e4/Wikidata-logo-en-135px.png' 
width='50' height='50' alt='Wikidata' title='Wikidata' border=0 //abrba 
href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaWIKIDATA.htm'Wikidata/a/b/td
+  td valign=bottom align=left width=40a 
href='http://en.wikipedia.org/wikistats/wikivoyage/EN/Sitemap.htm'img 
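
Review bot: The `img src` values in this hunk are fixed, but every `href` on the same lines is left as hard-coded `http://` (for example `href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'` and `href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'`). These are navigation links rather than mixed content, so browsers will not warn, but a visitor who arrived on https://stats.wikimedia.org/ is sent back to plain HTTP on the first click. Links to the same site can be made relative, and the others switched to `https://` where the target supports it.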

[MediaWiki-commits] [Gerrit] rt -- update cipher suite list to support PFS - change (operations/puppet)

2014-07-18 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/147715

Change subject: rt -- update cipher suite list to support PFS
..

rt -- update cipher suite list to support PFS

This patch changes cipher suite list for rt.wikimedia.org
to support Forward Secrecy.

Bug: 53259
Change-Id: Ibe65118feb952a147cdfdd0b074c0ef995393b91
---
M templates/rt/rt4.apache.erb
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/15/147715/1

diff --git a/templates/rt/rt4.apache.erb b/templates/rt/rt4.apache.erb
index f3e78d8..09bbb4e 100644
--- a/templates/rt/rt4.apache.erb
+++ b/templates/rt/rt4.apache.erb
@@ -14,8 +14,8 @@
   ServerName %=@site%
 
   SSLEngine on
-  SSLProtocol -ALL +SSLv3 +TLSv1
-  SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+  SSLProtocol +ALL -SSLv2
+  SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
   SSLHonorCipherOrder on
   SSLCertificateFile /etc/ssl/certs/rt.wikimedia.org.pem
   SSLCertificateKeyFile /etc/ssl/private/rt.wikimedia.org.key
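
Review bot: Nothing on or above the added `SSLCipherSuite` line, nor in the commit message, says where this list comes from or which clients it was checked against. Please reference the change or policy it was copied from and add a one-line comment above the directive, so that whoever updates it later knows which copy is canonical; the old list was short enough to audit by eye, this one is not.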

-- 
To view, visit https://gerrit.wikimedia.org/r/147715
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibe65118feb952a147cdfdd0b074c0ef995393b91
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] update SSL ciphers for Ganglia to support PFS - change (operations/puppet)

2014-07-17 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/147110

Change subject: update SSL ciphers for Ganglia to support PFS
..

update SSL ciphers for Ganglia to support PFS

I used the cipher suite list from Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c.

Bug: 53259
Change-Id: Ifacd5e4a3a3fdb5b832afec947c2c213797429d9
---
M templates/apache/sites/ganglia.wikimedia.org.erb
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/10/147110/1

diff --git a/templates/apache/sites/ganglia.wikimedia.org.erb 
b/templates/apache/sites/ganglia.wikimedia.org.erb
index 9c9c22a..a0143b0 100644
--- a/templates/apache/sites/ganglia.wikimedia.org.erb
+++ b/templates/apache/sites/ganglia.wikimedia.org.erb
@@ -26,8 +26,8 @@
ServerAdmin r...@wikimedia.org
 
SSLEngine on
-   SSLProtocol -ALL +SSLv3 +TLSv1
-   SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+SSLProtocol +ALL -SSLv2
+SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
SSLHonorCipherOrder on
SSLCertificateFile %= ganglia_ssl_cert %
SSLCertificateKeyFile %= ganglia_ssl_key %
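
Review bot: The two added lines do not keep the indentation of the lines they replace (`-   SSLProtocol` becomes `+SSLProtocol` as rendered here), so they no longer match the surrounding directives in this vhost. Apache ignores leading whitespace, so this is cosmetic, but please follow the file's existing tab/space style so the diff is limited to the two values that actually change.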

-- 
To view, visit https://gerrit.wikimedia.org/r/147110
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ifacd5e4a3a3fdb5b832afec947c2c213797429d9
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] update SSL ciphers for noc.wikimedia.org to support PFS - change (operations/puppet)

2014-07-17 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/147123

Change subject: update SSL ciphers for noc.wikimedia.org to support PFS
..

update SSL ciphers for noc.wikimedia.org to support PFS

I used the cipher suite list from Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c.

Bug: 53259
Change-Id: Ie4910dcb158157db6f05c2d3917ade7deb3f75ba
---
M files/apache/sites/noc.wikimedia.org
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/23/147123/1

diff --git a/files/apache/sites/noc.wikimedia.org 
b/files/apache/sites/noc.wikimedia.org
index 286ff1d..9030c1b 100644
--- a/files/apache/sites/noc.wikimedia.org
+++ b/files/apache/sites/noc.wikimedia.org
@@ -43,8 +43,8 @@
UserDir public_html
 
SSLEngine on
-   SSLProtocol -ALL +SSLv3 +TLSv1
-   SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+SSLProtocol +ALL -SSLv2
+SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/noc.wikimedia.org.pem
SSLCertificateKeyFile /etc/ssl/private/noc.wikimedia.org.key
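
Review bot: The commit message says the list was taken from Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c, but the string added here is not the one in patch set 1 of that change: the `kEDH+AESGCM` entry that follows `ECDHE-ECDSA-AES256-GCM-SHA384` there is missing. Because the string ends in `!DH` the omission makes no difference to what is negotiated, but the message should say the list was adapted, or name the patch set it was copied from. The added lines also lose the indentation of the lines they replace.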

-- 
To view, visit https://gerrit.wikimedia.org/r/147123
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie4910dcb158157db6f05c2d3917ade7deb3f75ba
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com



[MediaWiki-commits] [Gerrit] update SSL ciphers for contacts.wm.org to support PFS - change (operations/puppet)

2014-07-15 Thread Chmarkine (Code Review)
Chmarkine has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/146510

Change subject: update SSL ciphers for contacts.wm.org to support PFS
..

update SSL ciphers for contacts.wm.org to support PFS

I used the cipher suite list from I39b389b63ae6b8848abb20431091263717192582. 
Even though I think contacts.wikimedia.org is for internal use only, I guess 
it's still better to enable Forward Secrecy on it.

Bug: 53259
Change-Id: Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c
---
M files/apache/sites/contacts.wikimedia.org
1 file changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/10/146510/1

diff --git a/files/apache/sites/contacts.wikimedia.org 
b/files/apache/sites/contacts.wikimedia.org
index e10a97f..7a75561 100644
--- a/files/apache/sites/contacts.wikimedia.org
+++ b/files/apache/sites/contacts.wikimedia.org
@@ -12,8 +12,8 @@
 
 DocumentRoot /srv/org/wikimedia/contacts/
 SSLEngine On
-SSLProtocol -ALL +SSLv3 +TLSv1
-SSLCipherSuite 
AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA
+   SSLProtocol +ALL -SSLv2
+   SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
 SSLHonorCipherOrder on
 SSLCertificateFile /etc/ssl/certs/contacts.wikimedia.org.pem
 SSLCertificateKeyFile /etc/ssl/private/contacts.wikimedia.org.key
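
Review bot: `kEDH+AESGCM` in the added `SSLCipherSuite` string has no effect, because the string ends with `!DH`, and in OpenSSL's cipher-list syntax a `!` exclusion permanently removes the matching suites, ephemeral DH included, even when they are named earlier in the string. Decide which is intended: drop `kEDH+AESGCM`, or drop `!DH`, the latter only if the server can use DH parameters of adequate size so that DHE can serve clients without ECDHE. The added lines are also indented differently from the two they replace.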

-- 
To view, visit https://gerrit.wikimedia.org/r/146510
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com
