[MediaWiki-commits] [Gerrit] Rewrite sitemap.wikimedia.org to dumps.wikimedia.org - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/234256 Change subject: Rewrite sitemap.wikimedia.org to dumps.wikimedia.org .. Rewrite sitemap.wikimedia.org to dumps.wikimedia.org The DNS change is in I086cf78. Bug: T110511 Change-Id: I6e2436428be403e8f73ea22ef0ce13759c3ab74e --- M modules/mediawiki/files/apache/sites/redirects.conf M modules/mediawiki/files/apache/sites/redirects/redirects.dat 2 files changed, 7 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/56/234256/1 diff --git a/modules/mediawiki/files/apache/sites/redirects.conf b/modules/mediawiki/files/apache/sites/redirects.conf index 5a6a2fb..de8cd15 100644 --- a/modules/mediawiki/files/apache/sites/redirects.conf +++ b/modules/mediawiki/files/apache/sites/redirects.conf @@ -369,6 +369,7 @@ ServerAlias svn.mediawiki.org ServerAlias download.wikimedia.org ServerAlias download.wikipedia.org + ServerAlias sitemap.wikimedia.org # allow caching for redirects IfModule mod_headers.c @@ -935,6 +936,9 @@ # rewrite download.wikipedia.org https://dumps.wikimedia.org RewriteCond %{HTTP_HOST} =download.wikipedia.org RewriteRule ^[^\x00-\x1F]* https://dumps.wikimedia.org$0 [R=301,L,NE] + # rewrite sitemap.wikimedia.org https://dumps.wikimedia.org + RewriteCond %{HTTP_HOST} =sitemap.wikimedia.org + RewriteRule ^[^\x00-\x1F]* https://dumps.wikimedia.org$0 [R=301,L,NE] # Type: wildcard # funnel*wikijunior.com //en.wikibooks.org/wiki/Wikijunior diff --git a/modules/mediawiki/files/apache/sites/redirects/redirects.dat b/modules/mediawiki/files/apache/sites/redirects/redirects.dat index ec68022..9f7d064 100644 --- a/modules/mediawiki/files/apache/sites/redirects/redirects.dat +++ b/modules/mediawiki/files/apache/sites/redirects/redirects.dat 
@@ -515,3 +515,6 @@ # rewrite download.wiki(m|p)edia to dumps.wikimedia - T107575 rewritedownload.wikimedia.org https://dumps.wikimedia.org rewritedownload.wikipedia.org https://dumps.wikimedia.org + +# rewrite sitemap.wikimedia.org to dumps.wikimedia - T110511 +rewritesitemap.wikimedia.org https://dumps.wikimedia.org \ No newline at end of file -- To view, visit https://gerrit.wikimedia.org/r/234256 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I6e2436428be403e8f73ea22ef0ce13759c3ab74e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
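Review bot: The redirects.dat hunk (@@ -515,3 +515,6 @@) ends with "\ No newline at end of file", so the added sitemap.wikimedia.org entry becomes an unterminated last record. End the file with a newline: the next entry appended here would otherwise show up as a two-line diff, and any line-oriented tool that reads the .dat file gets a final record without a terminator.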
[MediaWiki-commits] [Gerrit] Point sitemap.wikimedia.org to text-lb. - change (operations/dns)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/234257 Change subject: Point sitemap.wikimedia.org to text-lb. .. Point sitemap.wikimedia.org to text-lb. The redirect config in puppet is I6e24364. Bug: T110511 Change-Id: I086cf78f3006f6b94773871996e0295f5b15aca0 --- M templates/wikimedia.org 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/dns refs/changes/57/234257/1 diff --git a/templates/wikimedia.org b/templates/wikimedia.org index 03b4f93..8c4ba0e 100644 --- a/templates/wikimedia.org +++ b/templates/wikimedia.org @@ -59,7 +59,7 @@ scs-ext 1H IN A84.40.25.238 dumps 1H IN CNAME dataset1001 -sitemap 1H IN CNAME dumps +sitemap 600 IN DYNA geoip!text-addrs lists 1H IN A208.80.154.4 1H IN 2620:0:861:1::2 -- To view, visit https://gerrit.wikimedia.org/r/234257 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I086cf78f3006f6b94773871996e0295f5b15aca0 Gerrit-PatchSet: 1 Gerrit-Project: operations/dns Gerrit-Branch: master Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
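Review bot: The replaced record `sitemap 1H IN CNAME dumps` carries a one-hour TTL, so for up to an hour after this merges some resolvers still hand out the dumps host while others already send clients to text-lb. Make sure the redirect config named in the commit message (I6e24364) is deployed before this change, since requests for sitemap.wikimedia.org that reach text-lb earlier have no matching ServerAlias or RewriteRule. Stating that merge order in the commit message would help whoever submits the pair.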
[MediaWiki-commits] [Gerrit] Change protocol relative to https - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/226731 Change subject: Change protocol relative to https .. Change protocol relative to https Most domains are HTTPS-only (the only exception is tools.wmflabs.org), so I suggest to change all the %{ENV:RW_PROTO} to https. For example, currently http://wikimedia.com redirects to http://www.wikimedia.org first, and then redirects to https://www.wikimedia.org. After this patch is merged, only one redirect is needed. Change-Id: I5fb23b5f896063e0f8e35cad31786bdc3a6d07e7 --- M modules/mediawiki/files/apache/sites/redirects.conf 1 file changed, 382 insertions(+), 382 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/31/226731/1 diff --git a/modules/mediawiki/files/apache/sites/redirects.conf b/modules/mediawiki/files/apache/sites/redirects.conf index fc0858b..d30d2f2 100644 --- a/modules/mediawiki/files/apache/sites/redirects.conf +++ b/modules/mediawiki/files/apache/sites/redirects.conf 
@@ -405,64 +405,64 @@ # Type: plainOverride # override education.wikimedia.org/evaluating //commons.wikimedia.org/wiki/File:Evaluating_Wikipedia_brochure.pdf RewriteCond %{HTTP_HOST} =education.wikimedia.org - RewriteRule ^/evaluating$ %{ENV:RW_PROTO}://commons.wikimedia.org/wiki/File:Evaluating_Wikipedia_brochure.pdf [R=301,L,NE] + RewriteRule ^/evaluating$ https://commons.wikimedia.org/wiki/File:Evaluating_Wikipedia_brochure.pdf [R=301,L,NE] # override education.wikimedia.org/illustrating //commons.wikimedia.org/wiki/File:Illustrating_Wikipedia_brochure.pdf RewriteCond %{HTTP_HOST} =education.wikimedia.org - RewriteRule ^/illustrating$ %{ENV:RW_PROTO}://commons.wikimedia.org/wiki/File:Illustrating_Wikipedia_brochure.pdf [R=301,L,NE] + RewriteRule ^/illustrating$ https://commons.wikimedia.org/wiki/File:Illustrating_Wikipedia_brochure.pdf [R=301,L,NE] # override education.wikimedia.org/casestudies //outreach.wikimedia.org/wiki/Education/Case_Studies RewriteCond %{HTTP_HOST} =education.wikimedia.org - RewriteRule ^/casestudies$ %{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies [R=301,L,NE] + RewriteRule ^/casestudies$ https://outreach.wikimedia.org/wiki/Education/Case_Studies [R=301,L,NE] # override education.wikimedia.org/content //outreach.wikimedia.org/wiki/Education/Case_Studies/content RewriteCond %{HTTP_HOST} =education.wikimedia.org - RewriteRule ^/content$ %{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/content [R=301,L,NE] + RewriteRule ^/content$ https://outreach.wikimedia.org/wiki/Education/Case_Studies/content [R=301,L,NE] # override education.wikimedia.org/copyediting //outreach.wikimedia.org/wiki/Education/Case_Studies/copyediting RewriteCond %{HTTP_HOST} =education.wikimedia.org - RewriteRule ^/copyediting$ %{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/copyediting [R=301,L,NE] + RewriteRule ^/copyediting$ https://outreach.wikimedia.org/wiki/Education/Case_Studies/copyediting [R=301,L,NE] # 
override education.wikimedia.org/definitions //outreach.wikimedia.org/wiki/Education/Case_Studies/definitions RewriteCond %{HTTP_HOST} =education.wikimedia.org - RewriteRule ^/definitions$ %{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/definitions [R=301,L,NE] + RewriteRule ^/definitions$ https://outreach.wikimedia.org/wiki/Education/Case_Studies/definitions [R=301,L,NE] # override education.wikimedia.org/featuredarticle //outreach.wikimedia.org/wiki/Education/Case_Studies/featuredarticle RewriteCond %{HTTP_HOST} =education.wikimedia.org - RewriteRule ^/featuredarticle$ %{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/featuredarticle [R=301,L,NE] + RewriteRule ^/featuredarticle$ https://outreach.wikimedia.org/wiki/Education/Case_Studies/featuredarticle [R=301,L,NE] # override education.wikimedia.org/fivecriteria //outreach.wikimedia.org/wiki/Education/Case_Studies/fivecriteria RewriteCond %{HTTP_HOST} =education.wikimedia.org - RewriteRule ^/fivecriteria$ %{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/fivecriteria [R=301,L,NE] + RewriteRule ^/fivecriteria$ https://outreach.wikimedia.org/wiki/Education/Case_Studies/fivecriteria [R=301,L,NE] # override education.wikimedia.org/illustrations //outreach.wikimedia.org/wiki/Education/Case_Studies/illustrations RewriteCond %{HTTP_HOST} =education.wikimedia.org - RewriteRule ^/illustrations$ %{ENV:RW_PROTO}://outreach.wikimedia.org/wiki/Education/Case_Studies/illustrations [R=301,L,NE] + RewriteRule
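Review bot: The comment above each changed rule is left as context and still describes a protocol-relative target, for example "# override education.wikimedia.org/evaluating //commons.wikimedia.org/wiki/File:Evaluating_Wikipedia_brochure.pdf", while the rule below it now emits https://. Update the comments together with the rules so the two do not disagree. The sitemap change on this list edits redirects.dat alongside redirects.conf; if these comments mirror entries in that file, the same switch to https belongs there as well, otherwise the next regeneration could bring %{ENV:RW_PROTO} back.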
[MediaWiki-commits] [Gerrit] Update links on dumps.wm.org to HTTPS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/224750 Change subject: Update links on dumps.wm.org to HTTPS .. Update links on dumps.wm.org to HTTPS Some links on https://dumps.wikimedia.org/ are hard-coded http:. I changed them to either https: or relative links. Change-Id: Ic8abfffa607dbe19106a5b9cf927a38d788cf234 --- M modules/dataset/files/html/legal.html M modules/dataset/files/html/pagecounts-ez_index.html M modules/dataset/files/html/poty_index.html M modules/dataset/files/html/public_index.html 4 files changed, 17 insertions(+), 17 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/50/224750/1 diff --git a/modules/dataset/files/html/legal.html b/modules/dataset/files/html/legal.html index fc98664..07b4451 100644 --- a/modules/dataset/files/html/legal.html +++ b/modules/dataset/files/html/legal.html 
@@ -108,22 +108,22 @@ div id=globalWrapper div id=content h1License information/h1 -pWikimedia’s a href=https://wikimediafoundation.org/wiki/Mission;mission/a is to create educational content that is freely available to all people. In keeping with that goal, all information on Wikimedia projects may be freely shared, copied, remixed, and used for any purpose (including commercial purposes!) in perpetuity. To help guide users of a href=http://dumps.wikimedia.org/;dumps.wikimedia.org/a, this page contains more detailed information about Wikimedia’s licensing and licensing policies as they may apply to our dumps./p +pWikimedia’s a href=https://wikimediafoundation.org/wiki/Mission;mission/a is to create educational content that is freely available to all people. In keeping with that goal, all information on Wikimedia projects may be freely shared, copied, remixed, and used for any purpose (including commercial purposes!) in perpetuity. To help guide users of a href=https://dumps.wikimedia.org/;dumps.wikimedia.org/a, this page contains more detailed information about Wikimedia’s licensing and licensing policies as they may apply to our dumps./p div style=background:#ff;border-width:1px;border-style:solid;border-color:red;padding:1em;font-size:large;This is a high-level guide only. Where this information conflicts with specific information in the a href=https://wikimediafoundation.org/wiki/Terms_of_Use;Wikimedia Foundation Terms of Use/a, or with other information contained inside the dumps themselves, this description should be ignored. Those terms are controlling./div h2Text/h2 -pExcept as discussed below, all original textual content is licensed under the a href=http://www.wikipedia.org/wiki/Wikipedia:Copyrights; title=Wikipedia Copyrights -GNU Free Documentation License/a (GFDL) and the a href=http://creativecommons.org/licenses/by-sa/3.0/; title=Creative Commons Attribution-Share-Alike 3.0 LicenseCreative Commons Attribution-Share-Alike 3.0 License/a. 
Some text may be available only under the Creative Commons license; see our a href=http://wikimediafoundation.org/wiki/Terms_of_use;Terms of Use/a for details. Text written by some authors may be released under additional licenses or into the public domain./p +pExcept as discussed below, all original textual content is licensed under the a href=https://www.wikipedia.org/wiki/Wikipedia:Copyrights; title=Wikipedia Copyrights +GNU Free Documentation License/a (GFDL) and the a href=https://creativecommons.org/licenses/by-sa/3.0/; title=Creative Commons Attribution-Share-Alike 3.0 LicenseCreative Commons Attribution-Share-Alike 3.0 License/a. Some text may be available only under the Creative Commons license; see our a href=https://wikimediafoundation.org/wiki/Terms_of_use;Terms of Use/a for details. Text written by some authors may be released under additional licenses or into the public domain./p h2Images/h2 -pBy default, images uploaded to our services are under the a href=http://creativecommons.org/licenses/by-sa/3.0/; title=Creative Commons Attribution-Share-Alike 3.0 LicenseCreative Commons Attribution-Share-Alike 3.0 License/a. However, many images are NOT released under Creative Commons. Image copyright information is contained in the image description page inside the text dumps.p +pBy default, images uploaded to our services are under the a href=https://creativecommons.org/licenses/by-sa/3.0/; title=Creative Commons Attribution-Share-Alike 3.0 LicenseCreative Commons Attribution-Share-Alike 3.0 License/a. However, many images are NOT released under Creative Commons. Image copyright information is contained in the image description page inside the text dumps.p h2Exceptions/h2 h3Wikinews/h3 -pAs of 2005-09-25 all Wikinews textual content is licensed under the a
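Review bot: In the legal.html hunk the Images paragraph ("...in the image description page inside the text dumps.") ends with an opening p tag instead of a closing one, on both the removed and the added line. Since the line is being rewritten anyway, close the paragraph here. In the same hunk the Terms of Use link is changed to https://wikimediafoundation.org/wiki/Terms_of_use while the unchanged notice a few lines above links to .../wiki/Terms_of_Use; use one spelling so both go to the page without an extra redirect.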
[MediaWiki-commits] [Gerrit] Remove old double-subdomain aliases - change (operations/dns)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/224309 Change subject: Remove old double-subdomain aliases .. Remove old double-subdomain aliases wikipedia.org can be preloaded after this and Iac4deed5 are merged. Bug: T102814 Change-Id: I91cbc925e14f60a1cfb0ae16eb0dc3c8de44fa6e --- M templates/wikipedia.org 1 file changed, 0 insertions(+), 8 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/dns refs/changes/09/224309/1 diff --git a/templates/wikipedia.org b/templates/wikipedia.org index 60d4767..1a61d36 100644 --- a/templates/wikipedia.org +++ b/templates/wikipedia.org @@ -56,14 +56,6 @@ www 600 IN DYNA geoip!text-addrs zh-tw 600 IN DYNA geoip!text-addrs -; Old double-subdomain aliases (bug 31335) -arbcom.de 600 IN DYNA geoip!text-addrs -arbcom.en 600 IN DYNA geoip!text-addrs -arbcom.fi 600 IN DYNA geoip!text-addrs -arbcom.nl 600 IN DYNA geoip!text-addrs -wg.en 600 IN DYNA geoip!text-addrs - - ; All languages will automatically be included here. {{ geolanglist('text-addrs') }} -- To view, visit https://gerrit.wikimedia.org/r/224309 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I91cbc925e14f60a1cfb0ae16eb0dc3c8de44fa6e Gerrit-PatchSet: 1 Gerrit-Project: operations/dns Gerrit-Branch: master Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
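Review bot: The hunk deletes arbcom.de, arbcom.en, arbcom.fi, arbcom.nl and wg.en, but the commit message does not say what these names serve today or why they stand in the way of preloading. If the reason is that two-label names under wikipedia.org are not covered by a *.wikipedia.org wildcard certificate, say so, and state what happens to existing links to them. The only context in the file, the "Old double-subdomain aliases (bug 31335)" comment, is removed by the same hunk.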
[MediaWiki-commits] [Gerrit] Rank all ECDHE all DHE all RSA - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/224232 Change subject: Rank all ECDHE all DHE all RSA .. Rank all ECDHE all DHE all RSA Some clients support both ECDHE and DHE 1024-bit. The current cipher suite breaks them, since we use DHE 2048-bit. ECDHE is also better in performance. So I suggest we prefer ECDHE+non-AEAD over DHE+AEAD. Only IE 11 on Win 7, 8.1, WP8.1 are negatively affected, which only support DHE-GCM, not ECDHE-GCM. Bug: T105455 Change-Id: Ie9f36e47a0bc03660703e2a64de39042cfe87691 --- M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 1 file changed, 11 insertions(+), 11 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/32/224232/1 diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb index f85788f..16774ea 100644 --- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb +++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb @@ -14,12 +14,12 @@ # Note that due to POODLE, SSLv3 is universally disabled and none of these # options are compatible with SSLv3-only clients such as IE6/XP. # Current options are: -# - strong: Only TLSv1.2 with PFS+AEAD ciphers. In practice this is a +# - strong: Only TLSv1.2 with ECDHE+AEAD ciphers. In practice this is a # very short list, and requires a very modern client. No # tradeoff is made for compatibility. Known to work with: -# New FF/Chrome, IE11, Java8, Android 4.4+, OpenSSL 1.0.x +# New FF/Chrome, Java8, Android 4.4+, OpenSSL 1.0.x # Definitely broken with: All Safari (OSX/iOS). -# IE11 support requires either DHE support or an ECDSA key. +# IE11 support requires an ECDSA key. # - mid:Supports TLSv1.0 and higher, and adds several forward-secret # options which are not AEAD. This is compatible with many # more clients than strong. With a DHE-capable server, 
@@ -75,30 +75,30 @@ # 4) Auth: ECDSA RSA (Server Performance) # 5) Kx: ECDHE DHE (Server Performance) basic = { -# Forward-Secret + AEAD +# ECHDE + AEAD 'strong' = [ '-ALL', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', - 'DHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', - 'DHE-RSA-AES256-GCM-SHA384', ], -# Forward-Secret, but not AEAD +# ECDHE + non-AEAD, and DHE 'mid' = [ 'ECDHE-ECDSA-AES128-SHA256', 'ECDHE-RSA-AES128-SHA256', - 'DHE-RSA-AES128-SHA256', 'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES128-SHA', - 'DHE-RSA-AES128-SHA', 'ECDHE-ECDSA-AES256-SHA384', 'ECDHE-RSA-AES256-SHA384', - 'DHE-RSA-AES256-SHA256', 'ECDHE-ECDSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', - 'DHE-RSA-AES256-SHA', + 'DHE-RSA-AES128-GCM-SHA256', + 'DHE-RSA-AES256-GCM-SHA384', + 'DHE-RSA-AES128-SHA256', + 'DHE-RSA-AES128-SHA', + 'DHE-RSA-AES256-SHA256', + 'DHE-RSA-AES256-SHA', 'DHE-RSA-CAMELLIA128-SHA', 'DHE-RSA-CAMELLIA256-SHA', ], -- To view, visit https://gerrit.wikimedia.org/r/224232 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie9f36e47a0bc03660703e2a64de39042cfe87691 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
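Review bot: In the option documentation (@@ -14,12 +14,12 @@) only the 'strong' entry is updated. The unchanged 'mid' entry still reads "adds several forward-secret options which are not AEAD", yet after this change 'mid' also contains DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384, which are AEAD suites. Reword the 'mid' description so it matches the new list, and mention there that IE 11 on the platforms named in the commit message now negotiates from 'mid' rather than 'strong'.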
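Review bot: The new comment above the 'strong' list is misspelled: "# ECHDE + AEAD" should read "# ECDHE + AEAD". In the same hunk (@@ -75,30 +75,30 @@) the ordering notes kept as context put "5) Kx: ECDHE DHE" last, but the reordered 'mid' list now ranks every ECDHE suite ahead of the DHE-GCM suites, so key exchange outranks AEAD. Revise the numbered criteria so they describe the order the lists actually implement.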
[MediaWiki-commits] [Gerrit] Secure GeoIP and WMF-Last-Access cookies - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/224029 Change subject: Secure GeoIP and WMF-Last-Access cookies .. Secure GeoIP and WMF-Last-Access cookies Since all Wikimedia projects have moved to HTTPS only, there is no need to send GeoIP and WMF-Last-Access cookies if the connection is over HTTP. Bug: T105451 Change-Id: I6478e55f7a7f3d24f179b45cb178d2d77db12a31 --- M templates/varnish/geoip.inc.vcl.erb M templates/varnish/last-access.inc.vcl.erb 2 files changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/29/224029/1 diff --git a/templates/varnish/geoip.inc.vcl.erb b/templates/varnish/geoip.inc.vcl.erb index 5314e09..b7b30c5 100644 --- a/templates/varnish/geoip.inc.vcl.erb +++ b/templates/varnish/geoip.inc.vcl.erb @@ -228,7 +228,7 @@ // Use libvmod-header to ensure the Set-Cookie header we are adding does not // clobber or manipulate existing cookie headers (if any). Vmod_Func_header.append(sp, HDR_RESP, \013Set-Cookie:, cookie_buf, ; Path=/; Domain=., - host_safe, vrt_magic_string_end); + host_safe, ; Secure, vrt_magic_string_end); } }C } diff --git a/templates/varnish/last-access.inc.vcl.erb b/templates/varnish/last-access.inc.vcl.erb index 71ecfbf..e548288 100644 --- a/templates/varnish/last-access.inc.vcl.erb +++ b/templates/varnish/last-access.inc.vcl.erb 
@@ -55,7 +55,7 @@ Vmod_Func_header.append(sp, HDR_RESP, \013Set-Cookie:, WMF-Last-Access=, VRT_GetHdr(sp, HDR_REQ, \011X-NowDay:), - ;Path=/;HttpOnly;Expires=, + ;Path=/;HttpOnly;Secure;Expires=, VRT_time_string(sp, (double)( ((time_t)VRT_r_now(sp) + 2764800) / 43200 * 43200 )), -- To view, visit https://gerrit.wikimedia.org/r/224029 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I6478e55f7a7f3d24f179b45cb178d2d77db12a31 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
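Review bot: In the geoip.inc.vcl.erb hunk the Secure attribute is appended unconditionally, which stops browsers from returning the cookie over HTTP but does not stop this code from emitting Set-Cookie on an HTTP response. If the goal in the commit message is that the cookie never crosses a cleartext connection, also skip the append when the request did not arrive over HTTPS; wikimedia.vcl.erb already tests req.http.X-Forwarded-Proto for the HSTS header and the same test would fit here.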
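Review bot: With Secure added to WMF-Last-Access in the last-access.inc.vcl.erb hunk, requests made over HTTP will never carry the cookie again. The condition that decides when to set it is outside the visible lines; confirm that it does not treat every HTTP request as a first visit and answer each one with a fresh Set-Cookie, and that nothing derived from this cookie is skewed by HTTP requests now always arriving without it.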
[MediaWiki-commits] [Gerrit] HSTS preload for Mediawiki and Wikimediafoundation - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/223054 Change subject: HSTS preload for Mediawiki and Wikimediafoundation .. HSTS preload for Mediawiki and Wikimediafoundation All subdomains of mediawiki.org and wikimediafoundation.org are covered by the TLS certificate now (If010437c). So they are ready to be preloaded. Bug: T104244 Change-Id: Icb98ddb75a46b7c6d170ec5c4e6eb0c1032d22db --- M modules/varnish/templates/vcl/wikimedia.vcl.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/54/223054/1 diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb b/modules/varnish/templates/vcl/wikimedia.vcl.erb index 886a8b5..c497e2d 100644 --- a/modules/varnish/templates/vcl/wikimedia.vcl.erb +++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb @@ -223,7 +223,7 @@ // HSTS to reach a client, the client implicitly has to have already // successfully reached us over HTTPS for the given domainname. if (req.http.X-Forwarded-Proto == https) { - if (req.http.Host ~ (?i)(^|\.)wikidata\.org$) { + if (req.http.Host ~ (?i)(^|\.)(wikidata|mediawiki|wikimediafoundation)\.org$) { set resp.http.Strict-Transport-Security = max-age=31536000; includeSubDomains; preload; } else { -- To view, visit https://gerrit.wikimedia.org/r/223054 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Icb98ddb75a46b7c6d170ec5c4e6eb0c1032d22db Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
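Review bot: The widened Host match puts mediawiki.org and wikimediafoundation.org on the "includeSubDomains; preload" branch, but the commit message names only the certificate change (If010437c) as a precondition. The DNS removals of www.donate.mediawiki.org and www.donate.wikimediafoundation.org filed under T102827 are described in their own commit messages as prerequisites for preloading these two domains; list them as dependencies here so this change cannot be merged first. Once browsers ship the preload entry it is slow to withdraw, so the order matters more than for an ordinary header change.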
[MediaWiki-commits] [Gerrit] Remove www.email.donate.wikimedia.org from DNS - change (operations/dns)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/223245 Change subject: Remove www.email.donate.wikimedia.org from DNS .. Remove www.email.donate.wikimedia.org from DNS It seems OK to remove http://www.email.donate.wikimedia.org/ Bug: T102827 Change-Id: I13c519fe57287e5450fc6b84507e7356dea944e4 --- M templates/wikimedia.org 1 file changed, 0 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/dns refs/changes/45/223245/1 diff --git a/templates/wikimedia.org b/templates/wikimedia.org index c13d562..aa4d54e 100644 --- a/templates/wikimedia.org +++ b/templates/wikimedia.org @@ -692,7 +692,6 @@ links.email.donate 1H IN CNAME recp.mkt41.net. open.email.donate 1H IN CNAME open.mkt41.net. -www.email.donate1H IN CNAME wikimedia.org. ; Corp glue records -- To view, visit https://gerrit.wikimedia.org/r/223245 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I13c519fe57287e5450fc6b84507e7356dea944e4 Gerrit-PatchSet: 1 Gerrit-Project: operations/dns Gerrit-Branch: master Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
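Review bot: The commit message's "It seems OK to remove" gives a reviewer nothing to verify. The neighbouring records links.email.donate and open.email.donate point at mkt41.net, so this name looks like part of the same e-mail setup; record what www.email.donate.wikimedia.org returns today and whether any mail already sent links to it, in the way the www.donate removals under the same bug describe their current behaviour.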
[MediaWiki-commits] [Gerrit] Remove www.donate.mediawiki.org from DNS - change (operations/dns)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/222877 Change subject: Remove www.donate.mediawiki.org from DNS .. Remove www.donate.mediawiki.org from DNS http://www.donate.mediawiki.org is an Unconfigured domain. After this domain is removed, mediawiki.org can be submitted to HSTS preload list. Bug: T102827 Change-Id: I0940f278af2ec2cdd6be0317b3bb444fdc760362 --- M templates/mediawiki.org 1 file changed, 0 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/dns refs/changes/77/222877/1 diff --git a/templates/mediawiki.org b/templates/mediawiki.org index 33bdce1..09fb984 100644 --- a/templates/mediawiki.org +++ b/templates/mediawiki.org @@ -44,7 +44,6 @@ donate 600 IN DYNA geoip!text-addrs download600 IN DYNA geoip!text-addrs integration 600 IN DYNA geoip!text-addrs -www.donate 600 IN DYNA geoip!text-addrs svn 600 IN DYNA geoip!text-addrs ; Mobile -- To view, visit https://gerrit.wikimedia.org/r/222877 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0940f278af2ec2cdd6be0317b3bb444fdc760362 Gerrit-PatchSet: 1 Gerrit-Project: operations/dns Gerrit-Branch: master Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] Remove www.donate.wikimediafoundation.org from DNS - change (operations/dns)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/222876 Change subject: Remove www.donate.wikimediafoundation.org from DNS .. Remove www.donate.wikimediafoundation.org from DNS http://www.donate.wikimediafoundation.org redirects to https://wikimediafoundation.org/wiki/Home, which is not so useful anyway. After this domain is removed, wikimediafoundation.org can be submitted to HSTS preload list. Bug: T102827 Change-Id: I8e27563a458203c5e6cef24e8253afbfd35746bf --- M templates/wikimediafoundation.org 1 file changed, 0 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/dns refs/changes/76/222876/1 diff --git a/templates/wikimediafoundation.org b/templates/wikimediafoundation.org index 902842b..a1d1266 100644 --- a/templates/wikimediafoundation.org +++ b/templates/wikimediafoundation.org @@ -40,6 +40,5 @@ www 600 IN DYNA geoip!text-addrs ; Other websites -www.donate 600 IN DYNA geoip!text-addrs donate 600 IN DYNA geoip!text-addrs m 600 IN DYNA geoip!mobile-addrs -- To view, visit https://gerrit.wikimedia.org/r/222876 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I8e27563a458203c5e6cef24e8253afbfd35746bf Gerrit-PatchSet: 1 Gerrit-Project: operations/dns Gerrit-Branch: master Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] Remove www.donate.wikipedia.org from DNS - change (operations/dns)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/222883 Change subject: Remove www.donate.wikipedia.org from DNS .. Remove www.donate.wikipedia.org from DNS http://www.donate.wikipedia.org/ redirects to http://donate.wikipedia.org/w/index.php, which redirects to https://donate.wikipedia.org/w/index.php, which redirects to https://wikimediafoundation.org/wiki/Home, which is not related to donation. Bug: T102827 Change-Id: Iacc184b672eaac819ab8732adb5d7616966940a6 --- M templates/wikipedia.org 1 file changed, 0 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/dns refs/changes/83/222883/1 diff --git a/templates/wikipedia.org b/templates/wikipedia.org index 4e5f636..60d4767 100644 --- a/templates/wikipedia.org +++ b/templates/wikipedia.org @@ -80,7 +80,6 @@ shop600 IN DYNA geoip!text-addrs stats 1H IN CNAMEstats.wikimedia.org. store 600 IN DYNA geoip!text-addrs -www.donate 600 IN DYNA geoip!text-addrs www.m 600 IN DYNA geoip!mobile-addrs zero600 IN DYNA geoip!mobile-addrs -- To view, visit https://gerrit.wikimedia.org/r/222883 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iacc184b672eaac819ab8732adb5d7616966940a6 Gerrit-PatchSet: 1 Gerrit-Project: operations/dns Gerrit-Branch: master Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
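Review bot: The hunk removes only www.donate, yet the redirect chain in the commit message shows that donate.wikipedia.org itself ends at https://wikimediafoundation.org/wiki/Home, "which is not related to donation". The `donate` record stays in the zone, so the problem described remains for that name; either note a follow-up for the donate.wikipedia.org redirect target in the bug or explain in the message why only the www. alias is in scope.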
[MediaWiki-commits] [Gerrit] Remove www.donate.wiktionary.org from DNS - change (operations/dns)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/222880 Change subject: Remove www.donate.wiktionary.org from DNS .. Remove www.donate.wiktionary.org from DNS http://www.donate.wiktionary.org/ returns 404. Bug: T102827 Change-Id: I1c8903ba09c28ee5371bfdc2164538f5ee7cd5d5 --- M templates/wiktionary.org 1 file changed, 0 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/dns refs/changes/80/222880/1 diff --git a/templates/wiktionary.org b/templates/wiktionary.org index 5098727..bad136e 100644 --- a/templates/wiktionary.org +++ b/templates/wiktionary.org @@ -40,7 +40,6 @@ {{ geolanglist('text-addrs') }} ; Other websites -www.donate 600 IN DYNA geoip!text-addrs donate 600 IN DYNA geoip!text-addrs ; Mobile -- To view, visit https://gerrit.wikimedia.org/r/222880 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I1c8903ba09c28ee5371bfdc2164538f5ee7cd5d5 Gerrit-PatchSet: 1 Gerrit-Project: operations/dns Gerrit-Branch: master Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] Wikidata - HSTS include subdomains and preload - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/70 Change subject: Wikidata - HSTS include subdomains and preload .. Wikidata - HSTS include subdomains and preload wikidata.org only has four subdomains, all of which don't have certificate issues. So I believe it's safe to add includeSubDomains and preload tokens so that it can be preloaded. Bug: T104244 Change-Id: Iab425da3cf2d6c68ed313eec0993584374701349 --- M modules/varnish/templates/vcl/wikimedia.vcl.erb 1 file changed, 6 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/70/70/1 diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb b/modules/varnish/templates/vcl/wikimedia.vcl.erb index 859828f..cd804ec 100644 --- a/modules/varnish/templates/vcl/wikimedia.vcl.erb +++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb @@ -224,7 +224,12 @@ // successfully reached us over HTTPS for the given domainname. if (req.http.X-Forwarded-Proto == https) { if (!resp.http.Strict-Transport-Security) { - set resp.http.Strict-Transport-Security = max-age=15768000; + if (req.http.Host ~ (?i)(^|\.)wikidata\.org$) { + set resp.http.Strict-Transport-Security = max-age=15768000; includeSubDomains; preload; + } + else { + set resp.http.Strict-Transport-Security = max-age=15768000; + } } } } -- To view, visit https://gerrit.wikimedia.org/r/70 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iab425da3cf2d6c68ed313eec0993584374701349 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
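Review bot: The new wikidata branch sits inside `if (!resp.http.Strict-Transport-Security)`, so a response that already carries an HSTS header from the backend keeps that header and never gains includeSubDomains and preload. For a domain being submitted for preloading the header should be identical on every HTTPS response; consider setting it for wikidata.org hosts regardless of what the backend sent. The commit message's count of four subdomains is also a snapshot: includeSubDomains binds every name created under wikidata.org later, so each of those needs a valid certificate from its first day.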
[MediaWiki-commits] [Gerrit] people - Raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/217557 Change subject: people - Raise HSTS max-age to 1 year .. people - Raise HSTS max-age to 1 year I2577bd04 enabled HSTS with max-age=7 days. Bug: T40516 Change-Id: I64ee4d25d70569e8c7bfaccfb08d0d814754150f --- M modules/publichtml/templates/apacheconfig.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/57/217557/1 diff --git a/modules/publichtml/templates/apacheconfig.erb b/modules/publichtml/templates/apacheconfig.erb index 4fc6917..9d44194 100644 --- a/modules/publichtml/templates/apacheconfig.erb +++ b/modules/publichtml/templates/apacheconfig.erb @@ -13,7 +13,7 @@ RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect -Header always set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 DocumentRoot %= @docroot % -- To view, visit https://gerrit.wikimedia.org/r/217557 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I64ee4d25d70569e8c7bfaccfb08d0d814754150f Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
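Review bot: on the changed `Header always set Strict-Transport-Security` line, `max-age=31536000` is an opaque literal replacing another opaque literal. A short comment above it saying the value is 365 days in seconds, raised from 7 days, would make the intent reviewable without arithmetic.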
[MediaWiki-commits] [Gerrit] noc - Raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/213976 Change subject: noc - Raise HSTS max-age to 1 year .. noc - Raise HSTS max-age to 1 year If nothing went wrong after Ie3706dd8 was merged, let's raise the HSTS max-age to 1 year. Bug: T40516 Change-Id: I4459049b3c7719fddfa144312a9743e8911f8453 --- M modules/noc/templates/noc.wikimedia.org.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/76/213976/1 diff --git a/modules/noc/templates/noc.wikimedia.org.erb b/modules/noc/templates/noc.wikimedia.org.erb index 5120070..cb442e1 100644 --- a/modules/noc/templates/noc.wikimedia.org.erb +++ b/modules/noc/templates/noc.wikimedia.org.erb @@ -18,7 +18,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect -Header always set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 ErrorLog /var/log/apache2/error.log -- To view, visit https://gerrit.wikimedia.org/r/213976 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4459049b3c7719fddfa144312a9743e8911f8453 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
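Review bot: the commit message makes this conditional ("If nothing went wrong after Ie3706dd8 was merged"), but the hunk raises `max-age` from 604800 to 31536000 unconditionally, and once browsers cache the one-year value an HTTPS outage on this host locks them out until HTTPS is restored. State in the commit message how long the 7-day value has been live and what was checked, so the condition is recorded as met rather than assumed.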
[MediaWiki-commits] [Gerrit] transparency - Raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/211394 Change subject: transparency - Raise HSTS max-age to 1 year .. transparency - Raise HSTS max-age to 1 year I14f5cf35 enabled HSTS with max-age=7 days. Bug: T40516 Change-Id: Ie61e3df798c13babdc3543f2bf4accd6c8275dc7 --- M templates/apache/sites/transparency.wikimedia.org.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/94/211394/1 diff --git a/templates/apache/sites/transparency.wikimedia.org.erb b/templates/apache/sites/transparency.wikimedia.org.erb index 44abf7c..55ee919 100644 --- a/templates/apache/sites/transparency.wikimedia.org.erb +++ b/templates/apache/sites/transparency.wikimedia.org.erb @@ -19,5 +19,5 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect -Header always set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 /VirtualHost -- To view, visit https://gerrit.wikimedia.org/r/211394 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie61e3df798c13babdc3543f2bf4accd6c8275dc7 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] RT - Raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/206977 Change subject: RT - Raise HSTS max-age to 1 year .. RT - Raise HSTS max-age to 1 year I0d4d0afe enabled HSTS, which was merged one week ago. Bug: T40516 Change-Id: I120aed9fc9bd9decaa9de5fff90bff0b7cee432c --- M manifests/role/requesttracker.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/77/206977/1 diff --git a/manifests/role/requesttracker.pp b/manifests/role/requesttracker.pp index 7dafbb8..7e7388f 100644 --- a/manifests/role/requesttracker.pp +++ b/manifests/role/requesttracker.pp @@ -6,7 +6,7 @@ install_certificate { 'rt.wikimedia.org': } -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365') class { '::requesttracker': apache_site = 'rt.wikimedia.org', -- To view, visit https://gerrit.wikimedia.org/r/206977 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I120aed9fc9bd9decaa9de5fff90bff0b7cee432c Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
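Review bot: at the changed `ssl_ciphersuite('apache-2.2', 'compat', '365')` call, nothing on the line says that the third argument is the HSTS lifetime or that its unit is days, so the change from '7' to '365' only makes sense with the commit subject in hand. Add a comment at the call site naming the argument and its unit.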
[MediaWiki-commits] [Gerrit] integration - Raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/206981 Change subject: integration - Raise HSTS max-age to 1 year .. integration - Raise HSTS max-age to 1 year I09341edb enabled HSTS with max-age=7 days Bug: T40516 Change-Id: I0a79ddb89c0c27eb51da3d75619bb8c644bf4b29 --- M modules/contint/templates/apache/integration.wikimedia.org.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/81/206981/1 diff --git a/modules/contint/templates/apache/integration.wikimedia.org.erb b/modules/contint/templates/apache/integration.wikimedia.org.erb index 3de7005..fe20e6c 100644 --- a/modules/contint/templates/apache/integration.wikimedia.org.erb +++ b/modules/contint/templates/apache/integration.wikimedia.org.erb @@ -22,7 +22,7 @@ Redirect 301 /monitoring/ https://tools.wmflabs.org/nagf/?project=integration Header always merge Vary X-Forwarded-Proto -Header always set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 Include *_proxy -- To view, visit https://gerrit.wikimedia.org/r/206981 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0a79ddb89c0c27eb51da3d75619bb8c644bf4b29 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] annual - Raise HSTS max-age to 1 year and add always - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/206984 Change subject: annual - Raise HSTS max-age to 1 year and add always .. annual - Raise HSTS max-age to 1 year and add always I34d3b071 enabled HSTS with max-age=7 days. This patch also adds the always flag. Bug: T599 Bug: T40516 Change-Id: I33c370bc6a9b5572eeb69f6c106a63011e456f3b --- M modules/annualreport/files/annual.wikimedia.org 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/84/206984/1 diff --git a/modules/annualreport/files/annual.wikimedia.org b/modules/annualreport/files/annual.wikimedia.org index 19d030d..e3e5642 100644 --- a/modules/annualreport/files/annual.wikimedia.org +++ b/modules/annualreport/files/annual.wikimedia.org @@ -15,7 +15,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto -Header set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 Directory / Order Deny,Allow -- To view, visit https://gerrit.wikimedia.org/r/206984 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I33c370bc6a9b5572eeb69f6c106a63011e456f3b Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
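Review bot: the changed line switches `Header set` to `Header always set` and raises max-age in the same edit, so reverting one also reverts the other; splitting them would keep rollback precise. mod_headers keeps the `always` table separate from the default (onsuccess) one, so also confirm that nothing else in this vhost or the application behind it still sets Strict-Transport-Security without `always`, otherwise successful responses can carry the header twice.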
[MediaWiki-commits] [Gerrit] ishmael - Raise HSTS max-age to 1 year and add always - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/206992 Change subject: ishmael - Raise HSTS max-age to 1 year and add always .. ishmael - Raise HSTS max-age to 1 year and add always I832e85fe enabled HSTS with max-age=7 days. Bug: T40516 Change-Id: I0656409e2f73ac6e90440f67e4debe796a79a6e8 --- M modules/ishmael/templates/apache/ishmael.wikimedia.org.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/92/206992/1 diff --git a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb index 78e3383..b9ed142 100644 --- a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb +++ b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb @@ -11,7 +11,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect -Header set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 Directory %= @docroot % Options FollowSymLinks -- To view, visit https://gerrit.wikimedia.org/r/206992 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0656409e2f73ac6e90440f67e4debe796a79a6e8 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] doc - Raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/206980 Change subject: doc - Raise HSTS max-age to 1 year .. doc - Raise HSTS max-age to 1 year If7a5670b enabled HSTS with max-age=7 days. Bug: T40516 Change-Id: Ic67a34079aab4a8c763b1b05364b09f29f93b014 --- M modules/contint/templates/apache/doc.wikimedia.org.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/80/206980/1 diff --git a/modules/contint/templates/apache/doc.wikimedia.org.erb b/modules/contint/templates/apache/doc.wikimedia.org.erb index 3233c92..ac2cb0f 100644 --- a/modules/contint/templates/apache/doc.wikimedia.org.erb +++ b/modules/contint/templates/apache/doc.wikimedia.org.erb @@ -30,7 +30,7 @@ Header always merge Vary X-Forwarded-Proto # Enable HTTP Strict Transport Security -Header always set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 DocumentRoot /srv/org/wikimedia/doc -- To view, visit https://gerrit.wikimedia.org/r/206980 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic67a34079aab4a8c763b1b05364b09f29f93b014 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] donate - Raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/206979 Change subject: donate - Raise HSTS max-age to 1 year .. donate - Raise HSTS max-age to 1 year If5c93760 enabled HSTS one week ago. Bug: T40516 Change-Id: I1419a428e4079a05ee5b526bc05540405eb2ee08 --- M modules/mediawiki/files/apache/sites/main.conf 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/79/206979/1 diff --git a/modules/mediawiki/files/apache/sites/main.conf b/modules/mediawiki/files/apache/sites/main.conf index 8765af2..a6fd708 100644 --- a/modules/mediawiki/files/apache/sites/main.conf +++ b/modules/mediawiki/files/apache/sites/main.conf @@ -325,7 +325,7 @@ RewriteRule (.) https://donate.wikimedia.org%{REQUEST_URI} [R=301] # Enable HTTP Strict Transport Security (HSTS) -Header always set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 RewriteRule ^/$ https://donate.wikimedia.org/wiki/Special:FundraiserRedirector [R=302,L] -- To view, visit https://gerrit.wikimedia.org/r/206979 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I1419a428e4079a05ee5b526bc05540405eb2ee08 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] servermon - Raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/206982 Change subject: servermon - Raise HSTS max-age to 1 year .. servermon - Raise HSTS max-age to 1 year I9e2d7a00 enabled HSTS with max-age=7 days Bug: T40516 Change-Id: I3969d41b12f215efe92587fb2b46074c97931ada --- M templates/apache/sites/servermon.wikimedia.org.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/82/206982/1 diff --git a/templates/apache/sites/servermon.wikimedia.org.erb b/templates/apache/sites/servermon.wikimedia.org.erb index 8548bbe..1cf03c0 100644 --- a/templates/apache/sites/servermon.wikimedia.org.erb +++ b/templates/apache/sites/servermon.wikimedia.org.erb @@ -11,7 +11,7 @@ RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect -Header always set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 DocumentRoot /srv/nonexistent Directory / -- To view, visit https://gerrit.wikimedia.org/r/206982 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3969d41b12f215efe92587fb2b46074c97931ada Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] iegreview - Raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/206983 Change subject: iegreview - Raise HSTS max-age to 1 year .. iegreview - Raise HSTS max-age to 1 year Ie59668d1 enabled HSTS with max-age=7 days. Bug: T40516 Change-Id: I2742bcd02e8ecb0e07bfe22e1f9b3fd792a04dbb --- M modules/iegreview/templates/apache.conf.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/83/206983/1 diff --git a/modules/iegreview/templates/apache.conf.erb b/modules/iegreview/templates/apache.conf.erb index e27a31a..4dfdc93 100644 --- a/modules/iegreview/templates/apache.conf.erb +++ b/modules/iegreview/templates/apache.conf.erb @@ -12,7 +12,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect - Header set Strict-Transport-Security max-age=604800 + Header set Strict-Transport-Security max-age=31536000 %- end -% Directory / -- To view, visit https://gerrit.wikimedia.org/r/206983 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2742bcd02e8ecb0e07bfe22e1f9b3fd792a04dbb Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
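Review bot: the changed line keeps `Header set` without `always`, so responses Apache generates itself, such as error pages, will still go out without the header even after the max-age is raised to one year. If that is deliberate, say so in the commit message; otherwise use `Header always set Strict-Transport-Security max-age=31536000` here.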
[MediaWiki-commits] [Gerrit] dbtree - Raise HSTS max-age to 1 year and add always flag - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/202267 Change subject: dbtree - Raise HSTS max-age to 1 year and add always flag .. dbtree - Raise HSTS max-age to 1 year and add always flag I898aef75 enabled HSTS with a 7 days max-age. Bug: T40516 Change-Id: Iaedc362df270468fcfa9c23d4b0f748dee5e502d --- M modules/noc/templates/dbtree.wikimedia.org.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/67/202267/1 diff --git a/modules/noc/templates/dbtree.wikimedia.org.erb b/modules/noc/templates/dbtree.wikimedia.org.erb index 05a6654..d209570 100644 --- a/modules/noc/templates/dbtree.wikimedia.org.erb +++ b/modules/noc/templates/dbtree.wikimedia.org.erb @@ -24,7 +24,7 @@ RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect -Header set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=31536000 Directory / Order Deny,Allow -- To view, visit https://gerrit.wikimedia.org/r/202267 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iaedc362df270468fcfa9c23d4b0f748dee5e502d Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] transparency: make it HTTPS only and enable HSTS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/199517 Change subject: transparency: make it HTTPS only and enable HSTS .. transparency: make it HTTPS only and enable HSTS Make https://transparency.wikimedia.org/ HTTPS only, and enable HSTS with max-age=7 days. I also deleted the unused 404 code. Bug: T40516 Change-Id: I14f5cf359c9754c3f7359827b34859aa41d5ac76 --- M manifests/role/transparency.pp M templates/apache/sites/transparency.wikimedia.org.erb 2 files changed, 6 insertions(+), 6 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/17/199517/1 diff --git a/manifests/role/transparency.pp b/manifests/role/transparency.pp index 77dd7f3..9b177b9 100644 --- a/manifests/role/transparency.pp +++ b/manifests/role/transparency.pp @@ -6,6 +6,7 @@ class role::transparency { include ::apache include ::apache::mod::rewrite +include ::apache::mod::headers $repo_dir = '/srv/org/wikimedia/TransparencyReport' $docroot = ${repo_dir}/build diff --git a/templates/apache/sites/transparency.wikimedia.org.erb b/templates/apache/sites/transparency.wikimedia.org.erb index 82f9393..44abf7c 100644 --- a/templates/apache/sites/transparency.wikimedia.org.erb +++ b/templates/apache/sites/transparency.wikimedia.org.erb @@ -1,5 +1,5 @@ # vim:ft=apache: ts=4 sw=4 -# Apache configuration for http://transparency.wikimedia.org +# Apache configuration for https://transparency.wikimedia.org # This file is managed by Puppet. VirtualHost *:80 ServerName transparency.wikimedia.org 
@@ -15,10 +15,9 @@ allow from all /Directory -# Serve 404s for all requests until the launch, at 2014-Aug-06 08:30 UTC. -# This code can be removed any time after that. --OL RewriteEngine on -RewriteCond %{ENV:REDIRECT_STATUS} !=404 -RewriteCond %{TIME} %= Time.utc(2014, 'Aug', 6, 8, 30).strftime('%Y%m%d%H%M%S') % -RewriteRule .* - [L,R=404] +RewriteCond %{HTTP:X-Forwarded-Proto} !https +RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] +Header always merge Vary X-Forwarded-Proto env=ProtoRedirect +Header always set Strict-Transport-Security max-age=604800 /VirtualHost -- To view, visit https://gerrit.wikimedia.org/r/199517 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I14f5cf359c9754c3f7359827b34859aa41d5ac76 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
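Review bot: in the template hunk, the new `RewriteCond %{HTTP:X-Forwarded-Proto} !https` decides whether a request counts as HTTPS purely from a request header, inside a `VirtualHost *:80`. That holds only if every request reaches this vhost through the TLS terminator and the terminator overwrites any client-supplied X-Forwarded-Proto. A comment in the template stating that assumption would make it checkable when the front end changes.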
[MediaWiki-commits] [Gerrit] noc - redirect HTTP to HTTPS; enable HSTS 7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/199515 Change subject: noc - redirect HTTP to HTTPS; enable HSTS 7 days .. noc - redirect HTTP to HTTPS; enable HSTS 7 days Make https://noc.wikimedia.org HTTPS only, and enable HSTS with max-age=7 days. Change-Id: Ie3706dd85c6f796f8ff55c3ea95461c963cc2f26 --- M modules/noc/templates/noc.wikimedia.org.erb 1 file changed, 5 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/15/199515/1 diff --git a/modules/noc/templates/noc.wikimedia.org.erb b/modules/noc/templates/noc.wikimedia.org.erb index a2abe28..5120070 100644 --- a/modules/noc/templates/noc.wikimedia.org.erb +++ b/modules/noc/templates/noc.wikimedia.org.erb @@ -15,6 +15,11 @@ RewriteRule ^/~(.+) https://people.wikimedia.org/~$1 [R=301,L] RewriteRule ^/dbtree(.*)$ https://dbtree.wikimedia.org [R=301,L] +RewriteCond %{HTTP:X-Forwarded-Proto} !https +RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] +Header always merge Vary X-Forwarded-Proto env=ProtoRedirect +Header always set Strict-Transport-Security max-age=604800 + ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, -- To view, visit https://gerrit.wikimedia.org/r/199515 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie3706dd85c6f796f8ff55c3ea95461c963cc2f26 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
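Review bot: the added `RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect]` has no `L` flag, unlike the two `[R=301,L]` rules directly above it, so any rewrite rule later added below it would still run against a request that has already been marked for redirect. Use `[R=301,L,E=ProtoRedirect]`. The commit message also has no `Bug:` line, which makes this change harder to find from the tracking task.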
[MediaWiki-commits] [Gerrit] donate - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/199200 Change subject: donate - Enable HSTS max-age=7 days .. donate - Enable HSTS max-age=7 days https://donate.wikimedia.org is HTTPS only. Bug: T40516 Change-Id: If5c937602ad3ed8e5bed06b875ce994c0b4848f2 --- M modules/mediawiki/files/apache/sites/main.conf 1 file changed, 3 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/00/199200/1 diff --git a/modules/mediawiki/files/apache/sites/main.conf b/modules/mediawiki/files/apache/sites/main.conf index df1f752..6d13608 100644 --- a/modules/mediawiki/files/apache/sites/main.conf +++ b/modules/mediawiki/files/apache/sites/main.conf @@ -324,6 +324,9 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule (.) https://donate.wikimedia.org%{REQUEST_URI} [R=301] +# Enable HTTP Strict Transport Security (HSTS) +Header set Strict-Transport-Security max-age=604800 + RewriteRule ^/$ https://donate.wikimedia.org/wiki/Special:FundraiserRedirector [R=302,L] # Don't allow rewriting robots.txt -- To view, visit https://gerrit.wikimedia.org/r/199200 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: If5c937602ad3ed8e5bed06b875ce994c0b4848f2 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
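Review bot: the added `Header set Strict-Transport-Security max-age=604800` has no `always`, and the very next line in the context is `RewriteRule ^/$ https://donate.wikimedia.org/wiki/Special:FundraiserRedirector [R=302,L]`, a redirect Apache generates itself. A visitor whose first HTTPS request is for `/` therefore gets the 302 without the HSTS header. Use `Header always set` so the site root carries the policy too.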
[MediaWiki-commits] [Gerrit] Add always flag when add HSTS header in Apache - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/199319 Change subject: Add always flag when add HSTS header in Apache .. Add always flag when add HSTS header in Apache Without the always flag, HSTS headers are only set for 2xx responses. 'Always' in this context refers to whether headers you add will be sent during both a successful and unsuccessful response https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header Change-Id: I5189b9f208e1dda7e7844171df1e7a87d5e5a03b --- M modules/devportal/templates/dev.wikimedia.org.erb M modules/phabricator/templates/phabricator-default.conf.erb M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb M templates/apache/sites/servermon.wikimedia.org.erb 4 files changed, 4 insertions(+), 4 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/19/199319/1 diff --git a/modules/devportal/templates/dev.wikimedia.org.erb b/modules/devportal/templates/dev.wikimedia.org.erb index ead8d9f..ea26f43 100644 --- a/modules/devportal/templates/dev.wikimedia.org.erb +++ b/modules/devportal/templates/dev.wikimedia.org.erb @@ -15,7 +15,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto -Header set Strict-Transport-Security max-age=31536000 +Header always set Strict-Transport-Security max-age=31536000 Directory / Order Deny,Allow diff --git a/modules/phabricator/templates/phabricator-default.conf.erb b/modules/phabricator/templates/phabricator-default.conf.erb index 87d5375..be1197e 100644 --- a/modules/phabricator/templates/phabricator-default.conf.erb +++ b/modules/phabricator/templates/phabricator-default.conf.erb 
@@ -17,7 +17,7 @@ Header always merge Vary X-Forwarded-Proto env=ProtoRedirect # enable HTTP Strict Transport Security - Header set Strict-Transport-Security max-age=31536000 + Header always set Strict-Transport-Security max-age=31536000 Directory %= @docroot % Options Indexes FollowSymLinks MultiViews diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb index 3a7ca11..fbd9346 100644 --- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb +++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb @@ -117,7 +117,7 @@ output.push('SSLHonorCipherOrder On') unless hsts_days.nil? hsts_seconds = hsts_days * 86400 -output.push(Header set Strict-Transport-Security \max-age=#{hsts_seconds}\) +output.push(Header always set Strict-Transport-Security \max-age=#{hsts_seconds}\) end else # nginx diff --git a/templates/apache/sites/servermon.wikimedia.org.erb b/templates/apache/sites/servermon.wikimedia.org.erb index 35e1905..ab45e58 100644 --- a/templates/apache/sites/servermon.wikimedia.org.erb +++ b/templates/apache/sites/servermon.wikimedia.org.erb @@ -11,7 +11,7 @@ RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect -Header set Strict-Transport-Security max-age=604800 +Header always set Strict-Transport-Security max-age=604800 DocumentRoot /srv/nonexistent Directory / -- To view, visit https://gerrit.wikimedia.org/r/199319 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I5189b9f208e1dda7e7844171df1e7a87d5e5a03b Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
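Review bot: the `ssl_ciphersuite.rb` hunk changes the `Header ... Strict-Transport-Security` string the function emits for every Apache caller that passes `hsts_days`, not only the three templates edited alongside it, so the change reaches further than the file list suggests. Name the affected sites in the commit message, or confirm with a compiled-catalog comparison that each of them loads mod_headers and accepts the `always` condition.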
[MediaWiki-commits] [Gerrit] doc - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/198819 Change subject: doc - Enable HSTS max-age=7 days .. doc - Enable HSTS max-age=7 days https://doc.wikimedia.org is HTTPS only. Bug: T40516 Change-Id: If7a5670bfd0e7eb01a4d0136e7c5b948f0592826 --- M modules/contint/templates/apache/doc.wikimedia.org.erb 1 file changed, 3 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/19/198819/1 diff --git a/modules/contint/templates/apache/doc.wikimedia.org.erb b/modules/contint/templates/apache/doc.wikimedia.org.erb index 11666ee..8fef0e3 100644 --- a/modules/contint/templates/apache/doc.wikimedia.org.erb +++ b/modules/contint/templates/apache/doc.wikimedia.org.erb @@ -29,6 +29,9 @@ Header always merge Vary X-Forwarded-Proto +# Enable HTTP Strict Transport Security +Header set Strict-Transport-Security max-age=604800 + DocumentRoot /srv/org/wikimedia/doc # Favicon proxy -- To view, visit https://gerrit.wikimedia.org/r/198819 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: If7a5670bfd0e7eb01a4d0136e7c5b948f0592826 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] scholarships - Increase HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/199126 Change subject: scholarships - Increase HSTS max-age to 1 year .. scholarships - Increase HSTS max-age to 1 year The current HSTS max-age for https://scholarships.wikimedia.org is 7 days. Bug: T40516 Change-Id: Ibfbf321533f7c030e7aea75a9e48234f4fb17c3e --- M modules/wikimania_scholarships/templates/apache.conf.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/26/199126/1 diff --git a/modules/wikimania_scholarships/templates/apache.conf.erb b/modules/wikimania_scholarships/templates/apache.conf.erb index 612fd8d..3cbacc9 100644 --- a/modules/wikimania_scholarships/templates/apache.conf.erb +++ b/modules/wikimania_scholarships/templates/apache.conf.erb @@ -11,7 +11,7 @@ RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect - Header set Strict-Transport-Security max-age=604800 + Header set Strict-Transport-Security max-age=31536000 DocumentRoot %= @deploy_dir %/public -- To view, visit https://gerrit.wikimedia.org/r/199126 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibfbf321533f7c030e7aea75a9e48234f4fb17c3e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] servermon - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/199134 Change subject: servermon - Enable HSTS max-age=7 days .. servermon - Enable HSTS max-age=7 days https://servermon.wikimedia.org is HTTPS only. Bug: T40516 Change-Id: I9e2d7a00d76991805ddc456c1a3d6a4874615ca2 --- M templates/apache/sites/servermon.wikimedia.org.erb 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/34/199134/1 diff --git a/templates/apache/sites/servermon.wikimedia.org.erb b/templates/apache/sites/servermon.wikimedia.org.erb index 12b3ae6..35e1905 100644 --- a/templates/apache/sites/servermon.wikimedia.org.erb +++ b/templates/apache/sites/servermon.wikimedia.org.erb @@ -11,6 +11,7 @@ RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect +Header set Strict-Transport-Security max-age=604800 DocumentRoot /srv/nonexistent Directory / -- To view, visit https://gerrit.wikimedia.org/r/199134 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I9e2d7a00d76991805ddc456c1a3d6a4874615ca2 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
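Review bot: The new `Header set Strict-Transport-Security max-age=604800` is unconditional, while the `RewriteCond %{REQUEST_URI} !^/status$` two lines above it exempts /status from the HTTPS redirect, so that path answers over plain HTTP with an HSTS header attached. RFC 6797 says the header must not be sent over non-secure transport and browsers ignore it there, so the line is harmless but misleading on that path. Suggest gating it on the same X-Forwarded-Proto value the redirect tests, and using `Header always set` so HTTPS error responses carry it as well.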
[MediaWiki-commits] [Gerrit] dbtree - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/199139 Change subject: dbtree - Enable HSTS max-age=7 days .. dbtree - Enable HSTS max-age=7 days https://dbtree.wikimedia.org is HTTPS only. Bug: T40516 Change-Id: I898aef758979748aabd75e956be40924d8e1a851 --- M modules/noc/templates/dbtree.wikimedia.org.erb 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/39/199139/1 diff --git a/modules/noc/templates/dbtree.wikimedia.org.erb b/modules/noc/templates/dbtree.wikimedia.org.erb index 7a472cb..05a6654 100644 --- a/modules/noc/templates/dbtree.wikimedia.org.erb +++ b/modules/noc/templates/dbtree.wikimedia.org.erb @@ -24,6 +24,7 @@ RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect +Header set Strict-Transport-Security max-age=604800 Directory / Order Deny,Allow -- To view, visit https://gerrit.wikimedia.org/r/199139 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I898aef758979748aabd75e956be40924d8e1a851 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
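Review bot: `Header set` on the added line uses the default onsuccess table, unlike the `Header always merge Vary X-Forwarded-Proto env=ProtoRedirect` line just before it, so any 403 or other error produced by the `Directory /` access rules that follow is returned over HTTPS without the HSTS header. Suggest `Header always set Strict-Transport-Security "max-age=604800"`.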
[MediaWiki-commits] [Gerrit] iegreview - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/199142 Change subject: iegreview - Enable HSTS max-age=7 days .. iegreview - Enable HSTS max-age=7 days https://iegreview.wikimedia.org is HTTPS only. Bug: T40516 Change-Id: Ie59668d1246e862a84d20d7e9926c5ef5d548291 --- M modules/iegreview/templates/apache.conf.erb 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/42/199142/1 diff --git a/modules/iegreview/templates/apache.conf.erb b/modules/iegreview/templates/apache.conf.erb index 711631e..e27a31a 100644 --- a/modules/iegreview/templates/apache.conf.erb +++ b/modules/iegreview/templates/apache.conf.erb @@ -12,6 +12,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect + Header set Strict-Transport-Security max-age=604800 %- end -% Directory / -- To view, visit https://gerrit.wikimedia.org/r/199142 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie59668d1246e862a84d20d7e9926c5ef5d548291 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
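Review bot: The new header line sits immediately before `%- end -%`, so it is inside an ERB conditional whose opening test is not visible in this hunk, and HSTS is only emitted when that condition is true. Please confirm the condition covers every deployment that serves HTTPS; if it exists only to wrap the HTTP-to-HTTPS redirect, say so in a comment so the header is not dropped by accident when the block is edited.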
[MediaWiki-commits] [Gerrit] annual - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/199087 Change subject: annual - Enable HSTS max-age=7 days .. annual - Enable HSTS max-age=7 days https://annual.wikimedia.org is HTTPS only. Bug: T599 Bug: T40516 Change-Id: I34d3b0719f09991c7c55de025046462bfeee483f --- M modules/annualreport/files/annual.wikimedia.org 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/87/199087/1 diff --git a/modules/annualreport/files/annual.wikimedia.org b/modules/annualreport/files/annual.wikimedia.org index 33d3b50..19d030d 100644 --- a/modules/annualreport/files/annual.wikimedia.org +++ b/modules/annualreport/files/annual.wikimedia.org @@ -15,6 +15,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto +Header set Strict-Transport-Security max-age=604800 Directory / Order Deny,Allow -- To view, visit https://gerrit.wikimedia.org/r/199087 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I34d3b0719f09991c7c55de025046462bfeee483f Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
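Review bot: The added `Header set Strict-Transport-Security max-age=604800` has neither the `always` condition nor a quoted value. Without `always` the header is missing from error responses served over HTTPS; without quotes the line breaks as soon as a space-separated directive is appended to the value. Suggest `Header always set Strict-Transport-Security "max-age=604800"`.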
[MediaWiki-commits] [Gerrit] RT - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/198455 Change subject: RT - Enable HSTS max-age=7 days .. RT - Enable HSTS max-age=7 days https://rt.wikimedia.org/ is HTTPS only. Change-Id: I0d4d0afe4033a7583a5f8a8042c5a0c28bf84eed --- M manifests/role/requesttracker.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/55/198455/1 diff --git a/manifests/role/requesttracker.pp b/manifests/role/requesttracker.pp index 48036ae..aa77fa2 100644 --- a/manifests/role/requesttracker.pp +++ b/manifests/role/requesttracker.pp @@ -6,7 +6,7 @@ install_certificate { 'rt.wikimedia.org': } -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7') class { '::requesttracker': apache_site = 'rt.wikimedia.org', -- To view, visit https://gerrit.wikimedia.org/r/198455 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0d4d0afe4033a7583a5f8a8042c5a0c28bf84eed Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
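Review bot: The new third argument in `ssl_ciphersuite('apache-2.2', 'compat', '7')` is a bare string whose meaning (HSTS max-age in days, going by the commit subject) is not visible at the call site. Add a one-line comment above the assignment stating the unit and whether 7 is a trial value. The commit message also lacks the `Bug: T40516` line that the sibling HSTS changes carry.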
[MediaWiki-commits] [Gerrit] ishmael - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/198457 Change subject: ishmael - Enable HSTS max-age=7 days .. ishmael - Enable HSTS max-age=7 days https://ishmael.wikimedia.org is HTTPS only. Bug: T40516 Change-Id: I832e85fe0b94c3fb610785e71d7a96144833ac7f --- M modules/ishmael/templates/apache/ishmael.wikimedia.org.erb 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/57/198457/1 diff --git a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb index 60b5ed3..78e3383 100644 --- a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb +++ b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb @@ -11,6 +11,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect +Header set Strict-Transport-Security max-age=604800 Directory %= @docroot % Options FollowSymLinks -- To view, visit https://gerrit.wikimedia.org/r/198457 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I832e85fe0b94c3fb610785e71d7a96144833ac7f Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
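Review bot: The inserted `Header set Strict-Transport-Security max-age=604800` follows a line that uses `Header always ...`, but does not use `always` itself, so only successful responses get the header and HTTPS error responses do not. Suggest `Header always set` here, with the value quoted.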
[MediaWiki-commits] [Gerrit] integration - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/198458 Change subject: integration - Enable HSTS max-age=7 days .. integration - Enable HSTS max-age=7 days https://integration.wikimedia.org is HTTPS only. Bug: T40516 Change-Id: I09341edb1ad33556acccfb9bfa747308b273aa2c --- M modules/contint/templates/apache/integration.wikimedia.org.erb 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/58/198458/1 diff --git a/modules/contint/templates/apache/integration.wikimedia.org.erb b/modules/contint/templates/apache/integration.wikimedia.org.erb index 3f52e57..4496d52 100644 --- a/modules/contint/templates/apache/integration.wikimedia.org.erb +++ b/modules/contint/templates/apache/integration.wikimedia.org.erb @@ -20,6 +20,7 @@ RewriteRule (.) https://integration.wikimedia.org%{REQUEST_URI} [R=301] Header always merge Vary X-Forwarded-Proto +Header set Strict-Transport-Security max-age=604800 Include *_proxy -- To view, visit https://gerrit.wikimedia.org/r/198458 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I09341edb1ad33556acccfb9bfa747308b273aa2c Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
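Review bot: The header is added with `Header set` just ahead of `Include *_proxy`, so when a proxied backend is unavailable and Apache generates the error response itself, that HTTPS response is sent without HSTS. `Header always set Strict-Transport-Security "max-age=604800"` covers both the proxied and the locally generated responses.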
[MediaWiki-commits] [Gerrit] gdash - Enable HSTS max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/198469 Change subject: gdash - Enable HSTS max-age=7 days .. gdash - Enable HSTS max-age=7 days I29515ddd redirects http://gdash.wikimedia.org to https://gdash.wikimedia.org. So enable HSTS on this domain. Bug: T40516 Change-Id: Ibcc91ae7ed79900cc59cfb04b9c20f5f4f8e9789 --- M templates/apache/sites/gdash.wikimedia.org.erb 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/69/198469/1 diff --git a/templates/apache/sites/gdash.wikimedia.org.erb b/templates/apache/sites/gdash.wikimedia.org.erb index 1468928..6daf441 100644 --- a/templates/apache/sites/gdash.wikimedia.org.erb +++ b/templates/apache/sites/gdash.wikimedia.org.erb @@ -9,6 +9,7 @@ RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect +Header set Strict-Transport-Security max-age=604800 Location / SetHandler uwsgi-handler -- To view, visit https://gerrit.wikimedia.org/r/198469 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibcc91ae7ed79900cc59cfb04b9c20f5f4f8e9789 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
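Review bot: The commit message relies on I29515ddd redirecting HTTP to HTTPS, but the context line `RewriteCond %{REQUEST_URI} !^/status$` shows /status is excluded from that redirect, and the new `Header set` line is unconditional. /status therefore returns the HSTS header over plain HTTP, where RFC 6797 says it must not be sent. Suggest emitting the header only for requests that arrived with X-Forwarded-Proto https.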
[MediaWiki-commits] [Gerrit] dev.wm.org - Increase HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/197272 Change subject: dev.wm.org - Increase HSTS max-age to 1 year .. dev.wm.org - Increase HSTS max-age to 1 year It has been one week after I3c5a250f was merged, so if there is nothing wrong, let's increase the HSTS max-age to 1 year, i.e. 31536000 seconds. Change-Id: I2b5f9d979c52bf458686967c20d31971ba1c1308 --- M modules/devportal/templates/dev.wikimedia.org.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/72/197272/1 diff --git a/modules/devportal/templates/dev.wikimedia.org.erb b/modules/devportal/templates/dev.wikimedia.org.erb index 106293c..ead8d9f 100644 --- a/modules/devportal/templates/dev.wikimedia.org.erb +++ b/modules/devportal/templates/dev.wikimedia.org.erb @@ -15,7 +15,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto -Header set Strict-Transport-Security max-age=604800 +Header set Strict-Transport-Security max-age=31536000 Directory / Order Deny,Allow -- To view, visit https://gerrit.wikimedia.org/r/197272 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2b5f9d979c52bf458686967c20d31971ba1c1308 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
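Review bot: The message makes the move to `max-age=31536000` conditional on "if there is nothing wrong" after a week at 604800, but does not record what was checked. A one-year value cannot be shortened for browsers that have already cached it unless they revisit over HTTPS, so please note in the message what was verified (for example, that no client of this host still depends on plain HTTP) before merge.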
[MediaWiki-commits] [Gerrit] Enable HSTS on racktables with max-age=7days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/195444 Change subject: Enable HSTS on racktables with max-age=7days .. Enable HSTS on racktables with max-age=7days https://racktables.wikimedia.org is HTTPS only, so let's enable HSTS. Bug: T40516 Change-Id: I62dc0268105b371bbcb256bb44bfbe029f86185c --- M modules/racktables/templates/racktables.wikimedia.org.erb 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/44/195444/1 diff --git a/modules/racktables/templates/racktables.wikimedia.org.erb b/modules/racktables/templates/racktables.wikimedia.org.erb index 757bf6b..dfe506e 100644 --- a/modules/racktables/templates/racktables.wikimedia.org.erb +++ b/modules/racktables/templates/racktables.wikimedia.org.erb @@ -13,6 +13,7 @@ RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect +Header set Strict-Transport-Security max-age=604800 DocumentRoot /srv/org/wikimedia/racktables/wwwroot Directory / -- To view, visit https://gerrit.wikimedia.org/r/195444 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I62dc0268105b371bbcb256bb44bfbe029f86185c Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
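Review bot: The commit message states the site is HTTPS only, yet the hunk context still contains `RewriteCond %{REQUEST_URI} !^/status$`, which keeps /status off the redirect, and the added header is sent unconditionally. Either land the removal of that condition first (change 160528 proposes it) or restrict the header to requests forwarded as https; in both cases prefer `Header always set` so error responses are covered.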
[MediaWiki-commits] [Gerrit] Enable HSTS on tendril with max-age=7days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/195346 Change subject: Enable HSTS on tendril with max-age=7days .. Enable HSTS on tendril with max-age=7days https://tendril.wikimedia.org is HTTPS only, so let's enable HSTS on tendril. Bug: T40516 Change-Id: If4f89e34e2a7dd2b4141194e675a085c73d8de66 --- M manifests/role/tendril.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/46/195346/1 diff --git a/manifests/role/tendril.pp b/manifests/role/tendril.pp index a6d..8c9886d 100644 --- a/manifests/role/tendril.pp +++ b/manifests/role/tendril.pp @@ -6,7 +6,7 @@ system::role { 'role::tendril': description = 'tendril server' } install_certificate{ 'tendril.wikimedia.org': } -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7') class { '::tendril': site_name= 'tendril.wikimedia.org', -- To view, visit https://gerrit.wikimedia.org/r/195346 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: If4f89e34e2a7dd2b4141194e675a085c73d8de66 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
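Review bot: The removed line is `ssl_ciphersuite('apache-2.2', 'compat')`, while change 167172 proposed `'compatnossl'` for this same line in manifests/role/tendril.pp. Please confirm the patch is based on the current state of the file and that adding `'7'` here is not carrying the `'compat'` mode forward unintentionally. A comment stating that the third argument is the HSTS max-age in days would also help.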
[MediaWiki-commits] [Gerrit] Enable HSTS on dev.wm.org max-age=7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/195338 Change subject: Enable HSTS on dev.wm.org max-age=7 days .. Enable HSTS on dev.wm.org max-age=7 days Bug: T40516 Bug: T67074 Change-Id: I3c5a250f34b24b07269b658106c86a9eba60c494 --- M modules/devportal/templates/dev.wikimedia.org.erb 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/38/195338/1 diff --git a/modules/devportal/templates/dev.wikimedia.org.erb b/modules/devportal/templates/dev.wikimedia.org.erb index 8e06760..106293c 100644 --- a/modules/devportal/templates/dev.wikimedia.org.erb +++ b/modules/devportal/templates/dev.wikimedia.org.erb @@ -15,6 +15,7 @@ RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto +Header set Strict-Transport-Security max-age=604800 Directory / Order Deny,Allow -- To view, visit https://gerrit.wikimedia.org/r/195338 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3c5a250f34b24b07269b658106c86a9eba60c494 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
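Review bot: The commit message has no body, so unlike the sibling changes it never states that dev.wikimedia.org is served over HTTPS only, which is the precondition for enabling HSTS; please add that sentence. On the added line itself, `Header set` should be `Header always set` to match the `Header always merge Vary` line above it and to cover error responses.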
[MediaWiki-commits] [Gerrit] Add zh-Hans-CN, zh-Hant-HK, etc to variantfallbacks - change (mediawiki/core)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/193549 Change subject: Add zh-Hans-CN, zh-Hant-HK, etc to variantfallbacks .. Add zh-Hans-CN, zh-Hant-HK, etc to variantfallbacks Change-Id: I7e5ef1cfc6cb9896b8aaa999639eafb8188e76d9 --- M languages/classes/LanguageZh.php 1 file changed, 6 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/49/193549/1 diff --git a/languages/classes/LanguageZh.php b/languages/classes/LanguageZh.php index 4271ed3..4eef3c6 100644 --- a/languages/classes/LanguageZh.php +++ b/languages/classes/LanguageZh.php @@ -134,7 +134,13 @@ $variantfallbacks = array( 'zh' = array( 'zh-hans', 'zh-hant', 'zh-cn', 'zh-tw', 'zh-hk', 'zh-sg', 'zh-mo', 'zh-my' ), 'zh-hans' = array( 'zh-cn', 'zh-sg', 'zh-my' ), + 'zh-hans-cn' = array( 'zh-cn', 'zh-hans', 'zh-sg', 'zh-my'), + 'zh-hans-sg' = array( 'zh-sg', 'zh-hans', 'zh-cn', 'zh-my'), + 'zh-hans-my' = array( 'zh-my', 'zh-hans', 'zh-sg', 'zh-cn'), 'zh-hant' = array( 'zh-tw', 'zh-hk', 'zh-mo' ), + 'zh-hant-hk' = array( 'zh-hk', 'zh-hant', 'zh-mo', 'zh-tw' ), + 'zh-hant-mo' = array( 'zh-mo', 'zh-hant', 'zh-hk', 'zh-tw' ), + 'zh-hant-tw' = array( 'zh-tw', 'zh-hant', 'zh-hk', 'zh-mo' ), 'zh-cn' = array( 'zh-hans', 'zh-sg', 'zh-my' ), 'zh-sg' = array( 'zh-hans', 'zh-cn', 'zh-my' ), 'zh-my' = array( 'zh-hans', 'zh-sg', 'zh-cn' ), -- To view, visit https://gerrit.wikimedia.org/r/193549 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7e5ef1cfc6cb9896b8aaa999639eafb8188e76d9 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
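Review bot: The three added 'zh-hans-*' entries close with `'zh-my')`, `'zh-my')` and `'zh-cn')`, without the space before the closing parenthesis that the surrounding entries and the added 'zh-hant-*' entries use (`'zh-tw' )`). Please add the space for consistency. The commit message also has no body; a sentence on why these fallback orders were chosen would help a later reader.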
[MediaWiki-commits] [Gerrit] lists - disable SSLv3 - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/169978 Change subject: lists - disable SSLv3 .. lists - disable SSLv3 This will not disable SSLv3 on lists.wikimedia.org for now, because we are using lighttpd/1.4.26, but disabling SSLv3 was not supported until 1.4.29. (http://www.lighttpd.net/2011/7/3/1-4-29/) Nevertheless, I think it's a good idea to update the configuration, so that when we update the server, it will take effect immediately. Change-Id: I56282aa31b26f69350cf1743c5b46de3715e98a8 --- M files/lighttpd/50-mailman.conf 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/78/169978/1 diff --git a/files/lighttpd/50-mailman.conf b/files/lighttpd/50-mailman.conf index 04785fa..64d4bf8 100644 --- a/files/lighttpd/50-mailman.conf +++ b/files/lighttpd/50-mailman.conf @@ -38,6 +38,7 @@ ssl.pemfile = /etc/ssl/private/lists.wikimedia.org.pem ssl.ca-file = /etc/ssl/certs/RapidSSL_CA.pem # TODO: with 1.4.30, set cipher lists, disable client renegotiation + ssl.use-sslv3 = disable url.redirect = ( ^/(index\.html?)?$ = https://lists.wikimedia.org/mailman/listinfo;, -- To view, visit https://gerrit.wikimedia.org/r/169978 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I56282aa31b26f69350cf1743c5b46de3715e98a8 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
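Review bot: By the commit message's own account the added `ssl.use-sslv3 = disable` has no effect on the lighttpd 1.4.26 currently deployed, but the file gives no hint of that, so a reader of the config will assume SSLv3 is already off. Add a comment beside the line, in the style of the TODO above it, stating that it needs 1.4.29 or later, and confirm with `lighttpd -t` on the running version that the not-yet-supported key does not stop the server from starting.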
[MediaWiki-commits] [Gerrit] Wikitech - disable SSL3 - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/167169 Change subject: Wikitech - disable SSL3 .. Wikitech - disable SSL3 Change-Id: I2a968d75cffacacc0d5ca14cfbb0f837e1b41745 --- M manifests/role/nova.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/69/167169/1 diff --git a/manifests/role/nova.pp b/manifests/role/nova.pp index df6fbaa..d167c75 100644 --- a/manifests/role/nova.pp +++ b/manifests/role/nova.pp @@ -194,7 +194,7 @@ ca = $ca } -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compatnossl', '365') class { 'openstack::openstack-manager': openstack_version = $openstack_version, -- To view, visit https://gerrit.wikimedia.org/r/167169 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2a968d75cffacacc0d5ca14cfbb0f837e1b41745 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
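Review bot: The switch from `'compat'` to `'compatnossl'` in manifests/role/nova.pp comes with no commit body: there is no bug reference and no note on which clients lose access once SSLv3 is refused. Please add both. The identical hunk (same file, same index df6fbaa..d167c75) also appears in change 167170, so only one of the two should carry it.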
[MediaWiki-commits] [Gerrit] OTRS - disable SSL3 - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/167170 Change subject: OTRS - disable SSL3 .. OTRS - disable SSL3 Disable SSLv3 on https://ticket.wikimedia.org Change-Id: I1f0e8703bb8c092521b7a0e50fe5c90f9b99e5f7 --- M manifests/role/nova.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/70/167170/1 diff --git a/manifests/role/nova.pp b/manifests/role/nova.pp index df6fbaa..d167c75 100644 --- a/manifests/role/nova.pp +++ b/manifests/role/nova.pp @@ -194,7 +194,7 @@ ca = $ca } -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compatnossl', '365') class { 'openstack::openstack-manager': openstack_version = $openstack_version, -- To view, visit https://gerrit.wikimedia.org/r/167170 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I1f0e8703bb8c092521b7a0e50fe5c90f9b99e5f7 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
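Review bot: The message says this disables SSLv3 on https://ticket.wikimedia.org, but the only file touched is manifests/role/nova.pp and the changed `$ssl_settings` line feeds `class { 'openstack::openstack-manager':`, which is the same hunk (index df6fbaa..d167c75) as the Wikitech change 167169. Nothing in this diff refers to OTRS or ticket.wikimedia.org. This looks like the wrong file was committed; please replace the hunk with the change to the manifest that configures the OTRS host.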
[MediaWiki-commits] [Gerrit] RT - Disable SSL3 - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/167171 Change subject: RT - Disable SSL3 .. RT - Disable SSL3 Change-Id: I52a0b68276cb5adeb68f72b002e0c7434a3bb19d --- M manifests/role/rt.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/71/167171/1 diff --git a/manifests/role/rt.pp b/manifests/role/rt.pp index 5bfd387..3031484 100644 --- a/manifests/role/rt.pp +++ b/manifests/role/rt.pp @@ -6,7 +6,7 @@ install_certificate { 'rt.wikimedia.org': } -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compatnossl') class { 'misc::rt': site = 'rt.wikimedia.org', -- To view, visit https://gerrit.wikimedia.org/r/167171 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I52a0b68276cb5adeb68f72b002e0c7434a3bb19d Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
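Review bot: The commit has a subject only, and the changed call `ssl_ciphersuite('apache-2.2', 'compatnossl')` does not explain at the call site what `'compatnossl'` drops relative to `'compat'`. Add a body that states the reason for disabling SSLv3 and the expected client impact, and consider a short comment above the assignment so the mode is not reverted to `'compat'` later.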
[MediaWiki-commits] [Gerrit] tendril - Disable SSL3 - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/167172 Change subject: tendril - Disable SSL3 .. tendril - Disable SSL3 This site works only in browsers with SNI support. Change-Id: Id6f5df022ab4ece8748af2fff92b8ff88b8f3344 --- M manifests/role/tendril.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/72/167172/1 diff --git a/manifests/role/tendril.pp b/manifests/role/tendril.pp index 51572c6..53b5c27 100644 --- a/manifests/role/tendril.pp +++ b/manifests/role/tendril.pp @@ -6,7 +6,7 @@ system::role { 'role::tendril': description = 'tendril server' } install_certificate{ 'tendril.wikimedia.org': } -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compatnossl') class { '::tendril': site_name = 'tendril.wikimedia.org', -- To view, visit https://gerrit.wikimedia.org/r/167172 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Id6f5df022ab4ece8748af2fff92b8ff88b8f3344 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
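Review bot: The reason this is safe, that the site already requires SNI-capable browsers, is given only in the commit message and not next to the changed `$ssl_settings = ssl_ciphersuite('apache-2.2', 'compatnossl')` line. Put that sentence in a comment above the assignment so the rationale stays with the setting.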
[MediaWiki-commits] [Gerrit] phabricator - raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/164897 Change subject: phabricator - raise HSTS max-age to 1 year .. phabricator - raise HSTS max-age to 1 year Ide46c131 enabled HSTS one week ago with max-age of 7 days. If nothing unexpected has happened, we can now raise the max-age to 1 year. Bug: 38516 Change-Id: Ic07decaac2b4371c58f9c78401692b85c071d9ee --- M modules/phabricator/templates/phabricator-default.conf.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/97/164897/1 diff --git a/modules/phabricator/templates/phabricator-default.conf.erb b/modules/phabricator/templates/phabricator-default.conf.erb index b67a39f..608ad34 100644 --- a/modules/phabricator/templates/phabricator-default.conf.erb +++ b/modules/phabricator/templates/phabricator-default.conf.erb @@ -23,7 +23,7 @@ Header always merge Vary X-Forwarded-Proto env=ProtoRedirect # enable HTTP Strict Transport Security - Header set Strict-Transport-Security max-age=604800 + Header set Strict-Transport-Security max-age=31536000 %# Apache 2.4 and Newer % % if @lsbdistcodename == 'trusty'% -- To view, visit https://gerrit.wikimedia.org/r/164897 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic07decaac2b4371c58f9c78401692b85c071d9ee Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
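Review bot: While the value on the `Header set Strict-Transport-Security` line is being changed anyway, the line still lacks the `always` condition used by the `Header always merge Vary` line above the comment, so HTTPS error responses are sent without the one-year policy. Suggest changing it to `Header always set Strict-Transport-Security "max-age=31536000"` in this same patch.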
[MediaWiki-commits] [Gerrit] phabricator - enable HSTS with max-age 7 days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/162805 Change subject: phabricator - enable HSTS with max-age 7 days .. phabricator - enable HSTS with max-age 7 days I4d207a4d makes phabricator HTTPS only. This patch enables HTTP Strict Transport Security with a max-age of 7 days, just like what we did on Bugzilla and on Gerrit (I2b9e4536, I37924865). We will increase the max-age to 1 year, one week after this patch is merged. Change-Id: Ide46c1312a7bb9e9ebd2319da10185808bf41de0 --- M modules/phabricator/templates/phabricator-default.conf.erb 1 file changed, 3 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/05/162805/1 diff --git a/modules/phabricator/templates/phabricator-default.conf.erb b/modules/phabricator/templates/phabricator-default.conf.erb index de3e9e3..b67a39f 100644 --- a/modules/phabricator/templates/phabricator-default.conf.erb +++ b/modules/phabricator/templates/phabricator-default.conf.erb @@ -22,6 +22,9 @@ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect,L] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect + # enable HTTP Strict Transport Security + Header set Strict-Transport-Security max-age=604800 + %# Apache 2.4 and Newer % % if @lsbdistcodename == 'trusty'% Directory %= @docroot % -- To view, visit https://gerrit.wikimedia.org/r/162805 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ide46c1312a7bb9e9ebd2319da10185808bf41de0 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
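Review bot: The added `Header set Strict-Transport-Security max-age=604800` is placed above the `if @lsbdistcodename == 'trusty'` branch, which is right for covering both Apache versions, but it uses the default onsuccess table, so access-denied and other error responses from the `Directory` block below are served over HTTPS without it. Suggest `Header always set`, with the value quoted, to match the `Header always merge Vary` line in the context.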
[MediaWiki-commits] [Gerrit] lists.wm.org - raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/161177 Change subject: lists.wm.org - raise HSTS max-age to 1 year .. lists.wm.org - raise HSTS max-age to 1 year Patch I53f27e7d enabled HTTP Strict Transport Security and set its max-age to 7 days. This patch raises the max-age to 1 year (365 days). Still, I don't believe an increased HSTS max-age could cause any problems in the server's functionality, as long as we keep supporting HTTPS. A related discussion is on Ic3062981. Bug: 38516 Change-Id: I45ac77e1e0bc2dda6e17f577ea9b9927d2af177e --- M files/lighttpd/50-mailman.conf 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/77/161177/1 diff --git a/files/lighttpd/50-mailman.conf b/files/lighttpd/50-mailman.conf index 4df9ead..04785fa 100644 --- a/files/lighttpd/50-mailman.conf +++ b/files/lighttpd/50-mailman.conf @@ -87,5 +87,5 @@ # Strict Transport Security $HTTP[scheme] == https { -setenv.add-response-header = ( Strict-Transport-Security = max-age=604800) +setenv.add-response-header = ( Strict-Transport-Security = max-age=31536000) } -- To view, visit https://gerrit.wikimedia.org/r/161177 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I45ac77e1e0bc2dda6e17f577ea9b9927d2af177e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
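Review bot: The changed line assigns with `=` inside the https conditional (`setenv.add-response-header = ( Strict-Transport-Security = max-age=31536000)`), which in lighttpd replaces any `setenv.add-response-header` defined at an outer scope rather than adding to it. The hunk does not show whether another response header is set elsewhere in 50-mailman.conf; if one is, use `+=` here so it is not lost for HTTPS requests. Scoping the header to the https scheme is the right choice and should stay.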
[MediaWiki-commits] [Gerrit] racktables - remove RewriteCond on /status - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/160528 Change subject: racktables - remove RewriteCond on /status .. racktables - remove RewriteCond on /status As I mentioned in Idc9a448f comment 14, all HTTP connections to racktables redirect to HTTPS except for: http://racktables.wikimedia.org/status But I don't see a reason why this URL should be excluded, especially since it actually returns 404. So this patch removes the line: RewriteCond %{REQUEST_URI} !^/status$ Change-Id: I610d984b81e6a7e188398db27b92bd6eff2a07ee --- M templates/apache/sites/racktables.wikimedia.org.erb 1 file changed, 0 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/28/160528/1 diff --git a/templates/apache/sites/racktables.wikimedia.org.erb b/templates/apache/sites/racktables.wikimedia.org.erb index 757bf6b..f414df1 100644 --- a/templates/apache/sites/racktables.wikimedia.org.erb +++ b/templates/apache/sites/racktables.wikimedia.org.erb @@ -10,7 +10,6 @@ RewriteEngine on RewriteCond %{HTTP:X-Forwarded-Proto} !https -RewriteCond %{REQUEST_URI} !^/status$ RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,E=ProtoRedirect] Header always merge Vary X-Forwarded-Proto env=ProtoRedirect -- To view, visit https://gerrit.wikimedia.org/r/160528 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I610d984b81e6a7e188398db27b92bd6eff2a07ee Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
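Review bot: the removed "RewriteCond %{REQUEST_URI} !^/status$" has no comment saying why /status was exempted, and an exemption of this shape is often there for a plain-HTTP health check. Before merging, confirm that no monitoring probe requests http://racktables.wikimedia.org/status and expects a non-redirect answer; after this change it receives the 301 from the RewriteRule instead of the 404 described in the commit message.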
[MediaWiki-commits] [Gerrit] gerrit - raise HSTS max-age to 1 year - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/159729 Change subject: gerrit - raise HSTS max-age to 1 year .. gerrit - raise HSTS max-age to 1 year In I37924865, we enabled HSTS and set the max-age to 7 days. This patch raises the max-age to 1 year (365 days). Bug: 38516 Change-Id: Ic3062981aae93fadde3627c1493499fe9b276098 --- M manifests/gerrit.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/29/159729/1 diff --git a/manifests/gerrit.pp b/manifests/gerrit.pp index 6dabfce..58e2ce3 100644 --- a/manifests/gerrit.pp +++ b/manifests/gerrit.pp @@ -26,7 +26,7 @@ $dbuser = $db_user $dbpass = $passwords::gerrit::gerrit_db_pass $bzpass = $passwords::gerrit::gerrit_bz_pass -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365') # Setup LDAP include ldap::role::config::labs -- To view, visit https://gerrit.wikimedia.org/r/159729 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic3062981aae93fadde3627c1493499fe9b276098 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
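Review bot: in the changed "$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')" line the third argument has no name or unit at the call site, so a reader of gerrit.pp cannot tell that it is an HSTS lifetime in days. Add a one-line comment above the assignment stating that, and that browsers which have seen the header will hold the policy for that long.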
[MediaWiki-commits] [Gerrit] gerrit: Enable StrictTransportSecurity max-age=7days - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/157789 Change subject: gerrit: Enable StrictTransportSecurity max-age=7days .. gerrit: Enable StrictTransportSecurity max-age=7days This enables HTTP Strict Transport Security (HSTS) on gerrit with max-age=7 days. Bug: 38516 Change-Id: I379248653df24799f15e53325eec482450ff3d92 --- M manifests/gerrit.pp 1 file changed, 3 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/89/157789/1 diff --git a/manifests/gerrit.pp b/manifests/gerrit.pp index 079bec2..6dabfce 100644 --- a/manifests/gerrit.pp +++ b/manifests/gerrit.pp @@ -26,7 +26,7 @@ $dbuser = $db_user $dbpass = $passwords::gerrit::gerrit_db_pass $bzpass = $passwords::gerrit::gerrit_bz_pass -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '7') # Setup LDAP include ldap::role::config::labs @@ -309,6 +309,8 @@ include ::apache::mod::proxy_http include ::apache::mod::ssl + +include ::apache::mod::headers } class gerrit::crons { -- To view, visit https://gerrit.wikimedia.org/r/157789 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I379248653df24799f15e53325eec482450ff3d92 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
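Review bot: the two hunks depend on each other but sit far apart (line 26 and line 309): once the third argument is passed, $ssl_settings is expected to emit a Header directive, and Apache rejects that directive unless mod_headers is loaded. Check that the class receiving "include ::apache::mod::headers" is always applied together with the one that sets $ssl_settings, or place the include next to the consumer of $ssl_settings, so the vhost cannot be rendered without the module.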
[MediaWiki-commits] [Gerrit] Use https for www.aclu.org - change (wikimedia/TransparencyReport)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/157330 Change subject: Use https for www.aclu.org .. Use https for www.aclu.org In I136d08dd, the link to www.aclu.org was changed to protocol relative. But https://www.aclu.org is https only, so this patch changes the link to https. Change-Id: Idf6655dc6ad5b5d4a741b071cc6a26bfaf00c5a4 --- M build/faq.html M locales/en.yml 2 files changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/wikimedia/TransparencyReport refs/changes/30/157330/1 diff --git a/build/faq.html b/build/faq.html index e2067b2..1458519 100644 --- a/build/faq.html +++ b/build/faq.html 
@@ -74,7 +74,7 @@ a name=my_personal_information/a h2 class=questionimg src=/images/chevron.svgspanHelp! My personal information is being sought because of something I did on the Wikimedia projects. What should I do?/span/h2 - div class=answerpIf you are the subject of a subpoena, it is highly recommended that you consult your own lawyer immediately. There are a number of organizations that will fight on a user's behalf, like the a href='//www.aclu.org/'American Civil Liberties Union/a (ACLU) or the a href='https://www.eff.org/'Electronic Frontier Foundation/a (EFF). If you need help finding an attorney, WMF may be able to put you in touch with some of these organizations or help you secure an attorney at reduced or pro-bono rates. In rare cases, assistance may also be available under our a href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Fees_Assistance_Program'Legal Fees Assistance Program/a or a href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Policies#Defense_of_Contributors'Defense of Contributors Program/a./ppAdditionally, in certain situations, WMF may challenge a subpoena on a user’s behalf if it is unnecessarily broad or burdensome, or if we believe the subpoena threatens the free speech of users on our projects. For more information about subpoenas, see our a href='//wikimediafoundation.org/wiki/Privacy_policy/Subpoena_FAQ'Subpoena FAQ/a. /p/div + div class=answerpIf you are the subject of a subpoena, it is highly recommended that you consult your own lawyer immediately. There are a number of organizations that will fight on a user's behalf, like the a href='https://www.aclu.org/'American Civil Liberties Union/a (ACLU) or the a href='https://www.eff.org/'Electronic Frontier Foundation/a (EFF). If you need help finding an attorney, WMF may be able to put you in touch with some of these organizations or help you secure an attorney at reduced or pro-bono rates. 
In rare cases, assistance may also be available under our a href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Fees_Assistance_Program'Legal Fees Assistance Program/a or a href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Policies#Defense_of_Contributors'Defense of Contributors Program/a./ppAdditionally, in certain situations, WMF may challenge a subpoena on a user’s behalf if it is unnecessarily broad or burdensome, or if we believe the subpoena threatens the free speech of users on our projects. For more information about subpoenas, see our a href='//wikimediafoundation.org/wiki/Privacy_policy/Subpoena_FAQ'Subpoena FAQ/a. /p/div hr diff --git a/locales/en.yml b/locales/en.yml index aae548f..0f7443d 100644 --- a/locales/en.yml +++ b/locales/en.yml 
@@ -99,7 +99,7 @@ q_nonpublic_personal_information: When would you not tell a user that his or her nonpublic personal information is being disclosed as a result of a legal process, such as a subpoena? a_nonpublic_personal_information: pWe are committed to notifying users if we plan on disclosing nonpublic personal information. However, we cannot notify a user if we are legally restrained from doing so (e.g. by a gag order), if a credible threat to life or limb is present, or if the user has not provided us with an e-mail address or valid contact information./p q_my_personal_information: Help! My personal information is being sought because of something I did on the Wikimedia projects. What should I do? -a_my_personal_information: pIf you are the subject of a subpoena, it is highly recommended that you consult your own lawyer immediately. There are a number of organizations that will fight on a user's behalf, like the a href='//www.aclu.org/'American Civil Liberties Union/a (ACLU) or the a href='https://www.eff.org/'Electronic Frontier Foundation/a (EFF). If you need help finding an attorney, WMF may be able to put you in touch with some of these organizations or help you secure an attorney at reduced or pro-bono rates. In rare cases, assistance may also be available under our a href='//meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Legal_Fees_Assistance_Program'Legal Fees Assistance
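Review bot: the same paragraph is edited by hand in both build/faq.html and locales/en.yml. If build/ is generated from the locale file, change only locales/en.yml and regenerate, so the two copies cannot drift apart. The changed lines also still carry protocol-relative links ("//meta.wikimedia.org/...", "//wikimediafoundation.org/...") next to the new "https://www.aclu.org/"; if those hosts are reachable over HTTPS, write them as https:// as well for consistency.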
[MediaWiki-commits] [Gerrit] ssl_ciphersuite - change Header add to Header set - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/155016 Change subject: ssl_ciphersuite - change Header add to Header set .. ssl_ciphersuite - change Header add to Header set Per I3f317856 and I3b28b725, the consensus is to use Header set Strict-Transport-Security instead of Header add Strict-Transport-Security. Change-Id: I76180c650d1af64df56a9bd5d120bbd170c06557 --- M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/16/155016/1 diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb index 1f99c7f..744bb30 100644 --- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb +++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb @@ -121,7 +121,7 @@ output.push('SSLHonorCipherOrder On') unless hsts_days.nil? hsts_seconds = hsts_days * 86400 -output.push(Header add Strict-Transport-Security \max-age=#{hsts_seconds}\) +output.push(Header set Strict-Transport-Security \max-age=#{hsts_seconds}\) end else # nginx -- To view, visit https://gerrit.wikimedia.org/r/155016 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I76180c650d1af64df56a9bd5d120bbd170c06557 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
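Review bot: in the context just above the changed line, "hsts_seconds = hsts_days * 86400" is only correct when hsts_days is an Integer. If the argument reaches this point as a String (a quoted value from a manifest), Ruby's String#* repeats the string instead of multiplying, and the header value becomes garbage. Confirm there is an integer conversion earlier in the function, or add one here. The switch from "Header add" to "Header set" itself is fine: it guarantees a single Strict-Transport-Security header.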
[MediaWiki-commits] [Gerrit] wikitech - use ssl_ciphersuite to add HSTS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/154368 Change subject: wikitech - use ssl_ciphersuite to add HSTS .. wikitech - use ssl_ciphersuite to add HSTS ssl_ciphersuite can also be used to add HSTS (I9bc1104b), so use it. Change-Id: I4655ebb78b71eba5c8781c9960a25b212bd295b6 --- M manifests/role/nova.pp M templates/apache/sites/wikitech.wikimedia.org.erb 2 files changed, 1 insertion(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/68/154368/1 diff --git a/manifests/role/nova.pp b/manifests/role/nova.pp index d486361..0ab32b7 100644 --- a/manifests/role/nova.pp +++ b/manifests/role/nova.pp @@ -306,7 +306,7 @@ ca = $ca } -$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat') +$ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365') class { 'openstack::openstack-manager': openstack_version = $openstack_version, diff --git a/templates/apache/sites/wikitech.wikimedia.org.erb b/templates/apache/sites/wikitech.wikimedia.org.erb index a49ad9d..19b332f 100644 --- a/templates/apache/sites/wikitech.wikimedia.org.erb +++ b/templates/apache/sites/wikitech.wikimedia.org.erb @@ -45,8 +45,6 @@ SSLCACertificatePath /etc/ssl/certs/ %= @ssl_settings.join(\n) % -Header set Strict-Transport-Security max-age=31536000 - RedirectMatch ^/$ https://%= @webserver_hostname %/wiki/ RewriteEngine on -- To view, visit https://gerrit.wikimedia.org/r/154368 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4655ebb78b71eba5c8781c9960a25b212bd295b6 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
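Review bot: after the "Header set Strict-Transport-Security max-age=31536000" line is removed from wikitech.wikimedia.org.erb, nothing in the template shows that HSTS is enabled; it now depends entirely on what "@ssl_settings.join" renders. Add a short comment at that line saying it includes the HSTS header, and confirm by rendering the template before and after that the vhost still contains exactly one Strict-Transport-Security line with max-age=31536000.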
[MediaWiki-commits] [Gerrit] Use protocol relative URLs for some links on Transparency Re... - change (wikimedia/TransparencyReport)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/153026 Change subject: Use protocol relative URLs for some links on Transparency Report pages .. Use protocol relative URLs for some links on Transparency Report pages Some links on the Wikimedia Foundation Transparency Report have hardcoded http: as their protocol. I changed them to protocol relative links. The links with hardcoded https are not changed to protocol relative. Change-Id: Id2b651cb64cf803bf87cb7d5e25ea350a944474f --- M build/content.html M build/faq.html M build/index.html M build/javascripts/content.js M build/privacy.html 5 files changed, 18 insertions(+), 18 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/wikimedia/TransparencyReport refs/changes/26/153026/1 diff --git a/build/content.html b/build/content.html index f01f626..7a59750 100644 --- a/build/content.html +++ b/build/content.html @@ -75,7 +75,7 @@ blockquote pWe change people through conversation, not through censorship./p footer - a href=http://commons.wikimedia.org/wiki/File:Jay-Z_2011.jpg;img src=/images/quote_jay.png/a + a href=//commons.wikimedia.org/wiki/File:Jay-Z_2011.jpgimg src=/images/quote_jay.png/a pa href='https://en.wikipedia.org/wiki/Jay-Z'Jay Z/asmallMusician (a href='https://en.wikipedia.org/wiki/Decoded_%28book%29'2010/a)/small/p /footer /blockquote 
@@ -195,7 +195,7 @@ h3 The ClassicsbrsmallNovember 2013/small /h3 -pA publishing company sent us a takedown request concerning four famous works on a href='https://wikisource.org/'Wikisource/a: French translations of a href='https://en.wikipedia.org/wiki/Jane_Austen'Jane Austen's/a a href='http://fr.wikisource.org/wiki/Les_Cinq_Filles_de_Mrs_Bennet'emPride and Prejudice/em/a and a href='http://fr.wikisource.org/wiki/Persuasion'emPersuasion/em/a, a French translation of a href='https://en.wikipedia.org/wiki/Arthur_Conan_Doyle'Arthur Conan Doyle's/a a href='https://fr.wikisource.org/wiki/Les_Aventures_de_Sherlock_Holmes'emThe Adventures of Sherlock Holmes/em/a, and a href='https://en.wikipedia.org/wiki/Jean_de_la_Fontaine'Jean de la Fontaine’s/a a href='http://fr.wikisource.org/wiki/Fables_de_La_Fontaine,_livres_I-III'emFables/em/a. We immediately noticed the peculiarity with the request: all four original works (and likely their French translations as well) were old enough to have fallen into the a href='https://en.wikipedia.org/wiki/Public_domain'public domain/a. When we alerted the company to this point, it rescinded the takedown notice./p +pA publishing company sent us a takedown request concerning four famous works on a href='https://wikisource.org/'Wikisource/a: French translations of a href='https://en.wikipedia.org/wiki/Jane_Austen'Jane Austen's/a a href='//fr.wikisource.org/wiki/Les_Cinq_Filles_de_Mrs_Bennet'emPride and Prejudice/em/a and a href='//fr.wikisource.org/wiki/Persuasion'emPersuasion/em/a, a French translation of a href='https://en.wikipedia.org/wiki/Arthur_Conan_Doyle'Arthur Conan Doyle's/a a href='https://fr.wikisource.org/wiki/Les_Aventures_de_Sherlock_Holmes'emThe Adventures of Sherlock Holmes/em/a, and a href='https://en.wikipedia.org/wiki/Jean_de_la_Fontaine'Jean de la Fontaine’s/a a href='//fr.wikisource.org/wiki/Fables_de_La_Fontaine,_livres_I-III'emFables/em/a. 
We immediately noticed the peculiarity with the request: all four original works (and likely their French translations as well) were old enough to have fallen into the a href='https://en.wikipedia.org/wiki/Public_domain'public domain/a. When we alerted the company to this point, it rescinded the takedown notice./p /div /div @@ -265,16 +265,16 @@ ul lia href=https://meta.wikimedia.org/wiki/Wikimedia_Foundation_Transparency_Report;Wiki Version/a/li lia href=/data/data_aug2014.odsDownload Data/a/li - lia href=http://wikimediafoundation.org/wiki/Privacy_policy;Privacy Policy/a/li + lia href=//wikimediafoundation.org/wiki/Privacy_policyPrivacy Policy/a/li lia href=https://meta.wikimedia.org/wiki/Data_retention_guidelines;Data Retention Guidelines/a/li /ul /div div class=col-md-2 ul - lia href=http://wikimediafoundation.org;About Us/a/li + lia href=//wikimediafoundation.orgAbout Us/a/li lia href=https://blog.wikimedia.org/;Blog/a/li -
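Review bot: the changed links become protocol-relative ("//fr.wikisource.org/...", "//wikimediafoundation.org/...", "//commons.wikimedia.org/..."), which still yields a plain-HTTP link whenever the report itself is loaded over HTTP. Neighbouring links in the same hunks already use https:// for the same sites ("https://fr.wikisource.org/wiki/Les_Aventures_de_Sherlock_Holmes", "https://meta.wikimedia.org/..."), so these hosts evidently serve HTTPS; write the changed links as https:// too rather than inheriting the page's scheme. As in the faq.html case, if build/ is generated output, make the change in the source and rebuild.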
[MediaWiki-commits] [Gerrit] Wikitech -- use Header set instead of Header append - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/149626 Change subject: Wikitech -- use Header set instead of Header append .. Wikitech -- use Header set instead of Header append Per I3f317856 and I3b28b725, the consensus is to use Header set Strict-Transport-Security instead of Header append Strict-Transport-Security. Change-Id: Ic122c688cfa52d3a4c4ca94b64f3820c3ae832ad --- M templates/apache/sites/wikitech.wikimedia.org.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/26/149626/1 diff --git a/templates/apache/sites/wikitech.wikimedia.org.erb b/templates/apache/sites/wikitech.wikimedia.org.erb index 0a82573..cca9597 100644 --- a/templates/apache/sites/wikitech.wikimedia.org.erb +++ b/templates/apache/sites/wikitech.wikimedia.org.erb @@ -47,7 +47,7 @@ SSLCertificateKeyFile /etc/ssl/private/%= @certificate %.key SSLCACertificatePath /etc/ssl/certs/ -Header append Strict-Transport-Security max-age=31536000 +Header set Strict-Transport-Security max-age=31536000 RedirectMatch ^/$ https://%= @webserver_hostname %/wiki/ -- To view, visit https://gerrit.wikimedia.org/r/149626 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic122c688cfa52d3a4c4ca94b64f3820c3ae832ad Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] icinga-admin -- update cipher suite list to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/149267 Change subject: icinga-admin -- update cipher suite list to support PFS .. icinga-admin -- update cipher suite list to support PFS This patch changes cipher suite list for icinga-admin.wikimedia.org to support Forward Secrecy. Bug: 53259 Change-Id: I3440b8878cb534f09b960471b60ad2e4b4bd0c73 --- M templates/apache/sites/icinga.wikimedia.org.erb 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/67/149267/1 diff --git a/templates/apache/sites/icinga.wikimedia.org.erb b/templates/apache/sites/icinga.wikimedia.org.erb index ff6f872..2340165 100644 --- a/templates/apache/sites/icinga.wikimedia.org.erb +++ b/templates/apache/sites/icinga.wikimedia.org.erb 
@@ -70,8 +70,8 @@ VirtualHost *:443 ServerName icinga-admin.wikimedia.org SSLEngine On -SSLProtocol -ALL +SSLv3 +TLSv1 -SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA +SSLProtocol +ALL -SSLv2 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/private/icinga-admin.wikimedia.org.pem SSLCertificateKeyFile /etc/ssl/private/icinga-admin.wikimedia.org.key -- To view, visit https://gerrit.wikimedia.org/r/149267 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3440b8878cb534f09b960471b60ad2e4b4bd0c73 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
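Review bot: the new "SSLProtocol +ALL -SSLv2" turns on the newer TLS versions that the GCM and SHA256/SHA384 suites need, but it also leaves SSLv3 enabled. Suggest "SSLProtocol ALL -SSLv2 -SSLv3" unless a known client of icinga-admin still requires SSLv3, in which case say so in a comment next to the directive.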
[MediaWiki-commits] [Gerrit] planet.wikimedia.org -- fix https redirects to http - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/149311 Change subject: planet.wikimedia.org -- fix https redirects to http .. planet.wikimedia.org -- fix https redirects to http Currently https://planet.wikimedia.org redirects to http://meta.wikimedia.org/wiki/Planet_Wikimedia. This patch makes https URLs redirect to https. Bug: 68554 Change-Id: Idb11165b42f14ab5a2511683a70a602649cd2263 --- M modules/planet/templates/apache/planet.erb 1 file changed, 5 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/11/149311/1 diff --git a/modules/planet/templates/apache/planet.erb b/modules/planet/templates/apache/planet.erb index fca91b3..fe8686b 100644 --- a/modules/planet/templates/apache/planet.erb +++ b/modules/planet/templates/apache/planet.erb 
@@ -11,8 +11,11 @@ SSLCertificateChainFile /etc/ssl/certs/star.planet.%= scope.lookupvar('planet::planet_domain_name') %.chained.pem SSLCertificateKeyFile /etc/ssl/private/star.planet.%= scope.lookupvar('planet::planet_domain_name') %.key -RewriteEngine on -RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301] +DocumentRoot /var/www/planet + +Redirect /atom.xml https://en.planet.%= scope.lookupvar('planet::planet_domain_name') %/atom.xml +Redirect /rss10.xml https://en.planet.%= scope.lookupvar('planet::planet_domain_name') %/rss10.xml +Redirect /rss20.xml https://en.planet.%= scope.lookupvar('planet::planet_domain_name') %/rss20.xml RedirectTemp / https://%= scope.lookupvar('planet::planet_meta_link') % /VirtualHost -- To view, visit https://gerrit.wikimedia.org/r/149311 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Idb11165b42f14ab5a2511683a70a602649cd2263 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
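Review bot: the three added "Redirect /atom.xml ...", "Redirect /rss10.xml ..." and "Redirect /rss20.xml ..." lines give no status, so they answer with 302, the same as the "RedirectTemp /" below them but spelled differently. Feed readers only update a stored feed URL on a permanent redirect, so if the en.planet locations are the long-term home use "Redirect permanent" for the feeds; otherwise use one spelling for all four. The order (specific paths before "/") is correct and worth a comment, and the new DocumentRoot is never served from because "RedirectTemp /" matches every remaining path.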
[MediaWiki-commits] [Gerrit] tendril -- update cipher suite list to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/148618 Change subject: tendril -- update cipher suite list to support PFS .. tendril -- update cipher suite list to support PFS This patch changes cipher suite list for tendril.wikimedia.org to support Forward Secrecy. Bug: 53259 Change-Id: I2e4d202fe322cd7e569f0f9d6112d22b82170924 --- M modules/tendril/templates/apache/tendril.wikimedia.org.erb 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/18/148618/1 diff --git a/modules/tendril/templates/apache/tendril.wikimedia.org.erb b/modules/tendril/templates/apache/tendril.wikimedia.org.erb index a413f3b..4fd9d93 100644 --- a/modules/tendril/templates/apache/tendril.wikimedia.org.erb +++ b/modules/tendril/templates/apache/tendril.wikimedia.org.erb 
@@ -7,8 +7,8 @@ VirtualHost *:443 ServerName %= @site_name % SSLEngine On - SSLProtocol -ALL +SSLv3 +TLSv1 - SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA + SSLProtocol +ALL -SSLv2 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/private/tendril.wikimedia.org.pem SSLCertificateKeyFile /etc/ssl/private/tendril.wikimedia.org.key -- To view, visit https://gerrit.wikimedia.org/r/148618 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I2e4d202fe322cd7e569f0f9d6112d22b82170924 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
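Review bot: the new SSLCipherSuite drops RC4-MD5 (via "!MD5") but still offers three RC4 suites: "ECDHE-RSA-RC4-SHA", "ECDHE-ECDSA-RC4-SHA" and "RC4-SHA". Since SSLHonorCipherOrder is on they are only chosen by clients that support nothing earlier in the list, but they remain negotiable. Either remove them or add a comment naming the clients that still need RC4 on tendril.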
[MediaWiki-commits] [Gerrit] planet -- update cipher suite list to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/148624 Change subject: planet -- update cipher suite list to support PFS .. planet -- update cipher suite list to support PFS This patch changes cipher suite list for planet.wikimedia.org and *.planet.wikimedia.org to support Forward Secrecy. Bug: 53259 Change-Id: Ia698be9cca4f3df13c76ff544bba58a05f12efa9 --- M modules/planet/templates/apache/planet-language.erb M modules/planet/templates/apache/planet.erb 2 files changed, 4 insertions(+), 4 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/24/148624/1 diff --git a/modules/planet/templates/apache/planet-language.erb b/modules/planet/templates/apache/planet-language.erb index 9e31fdf..45a9917 100644 --- a/modules/planet/templates/apache/planet-language.erb +++ b/modules/planet/templates/apache/planet-language.erb @@ -15,8 +15,8 @@ ServerName %= @name %.planet.%= scope.lookupvar('planet::planet_domain_name') % SSLEngine on -SSLProtocol -ALL +SSLv3 +TLSv1 -SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA +SSLProtocol +ALL -SSLv2 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/certs/star.planet.%= scope.lookupvar('planet::planet_domain_name') %.pem SSLCertificateChainFile /etc/ssl/certs/star.planet.%= scope.lookupvar('planet::planet_domain_name') %.chained.pem diff --git a/modules/planet/templates/apache/planet.erb b/modules/planet/templates/apache/planet.erb index 56ba1cd..fca91b3 100644 
--- a/modules/planet/templates/apache/planet.erb +++ b/modules/planet/templates/apache/planet.erb @@ -4,8 +4,8 @@ VirtualHost *:443 ServerName planet.%= scope.lookupvar('planet::planet_domain_name') % SSLEngine on -SSLProtocol -ALL +SSLv3 +TLSv1 -SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA +SSLProtocol +ALL -SSLv2 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/certs/star.planet.%= scope.lookupvar('planet::planet_domain_name') %.pem SSLCertificateChainFile /etc/ssl/certs/star.planet.%= scope.lookupvar('planet::planet_domain_name') %.chained.pem -- To view, visit https://gerrit.wikimedia.org/r/148624 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ia698be9cca4f3df13c76ff544bba58a05f12efa9 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
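Review bot: the identical SSLProtocol and SSLCipherSuite lines are pasted into both planet-language.erb and planet.erb. A string of this length will be edited again, and two copies in one module invite drift; define it once (a shared template variable or a common include) and reference it from both vhost templates.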
[MediaWiki-commits] [Gerrit] svn -- update cipher suite list to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/148631 Change subject: svn -- update cipher suite list to support PFS .. svn -- update cipher suite list to support PFS This patch changes cipher suite list for svn.wikimedia.org to support Forward Secrecy. Bug: 53259 Change-Id: I130dd511ca2e92a5717573f00df1ceaa01a94d52 --- M modules/subversion/files/apache/svn.wikimedia.org 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/31/148631/1 diff --git a/modules/subversion/files/apache/svn.wikimedia.org b/modules/subversion/files/apache/svn.wikimedia.org index 3687cbb..90795e5 100644 --- a/modules/subversion/files/apache/svn.wikimedia.org +++ b/modules/subversion/files/apache/svn.wikimedia.org 
@@ -50,8 +50,8 @@ DocumentRoot /srv/org/wikimedia/svn SSLEngine on - SSLProtocol -ALL +SSLv3 +TLSv1 - SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA + SSLProtocol +ALL -SSLv2 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/certs/svn.wikimedia.org.pem SSLCertificateKeyFile /etc/ssl/private/svn.wikimedia.org.key -- To view, visit https://gerrit.wikimedia.org/r/148631 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I130dd511ca2e92a5717573f00df1ceaa01a94d52 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
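Review bot: the cipher string ends in "!DH", which removes the DHE suites, so the only forward-secret suites offered are the ECDHE ones. A client without ECDHE support falls through to "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128", "AES256" or "RC4-SHA" with no forward secrecy. If that trade-off is deliberate, record the reason in a comment above SSLCipherSuite so the exclusion is not mistaken for an oversight.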
[MediaWiki-commits] [Gerrit] blog -- update cipher suite list to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/147739 Change subject: blog -- update cipher suite list to support PFS .. blog -- update cipher suite list to support PFS This patch changes cipher suite list for blog.wikimedia.org to support Forward Secrecy. Bug: 53259 Change-Id: I9fc796c6ba9dc99c3f16237bd29ee312a925edce --- M files/apache/sites/blog.wikimedia.org 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/39/147739/1 diff --git a/files/apache/sites/blog.wikimedia.org b/files/apache/sites/blog.wikimedia.org index fbafd6c..05737a2 100644 --- a/files/apache/sites/blog.wikimedia.org +++ b/files/apache/sites/blog.wikimedia.org 
@@ -58,8 +58,8 @@ DocumentRoot /srv/org/wikimedia/blog/ SSLEngine on -SSLProtocol -ALL +SSLv3 +TLSv1 -SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA +SSLProtocol +ALL -SSLv2 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/certs/blog.wikimedia.org.pem SSLCertificateKeyFile /etc/ssl/private/blog.wikimedia.org.key -- To view, visit https://gerrit.wikimedia.org/r/147739 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I9fc796c6ba9dc99c3f16237bd29ee312a925edce Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
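Review bot: the added SSLCipherSuite still carries RC4 entries ("ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA" and, after the AES aliases, plain "RC4-SHA"), and the plain "RC4-SHA" fallback gives no forward secrecy. With "SSLHonorCipherOrder on" they are reached only by clients that support nothing earlier in the list, but the commit message should say which clients they are kept for so they can be dropped later. Note also that "!3DES" and "!MD5" remove "DES-CBC3-SHA" and "RC4-MD5" from the old list, which is a compatibility change worth mentioning next to the PFS one.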
[MediaWiki-commits] [Gerrit] ishmael -- update cipher suite list to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/147740 Change subject: ishmael -- update cipher suite list to support PFS .. ishmael -- update cipher suite list to support PFS This patch changes cipher suite list for ishmael.wikimedia.org to support Forward Secrecy. Bug: 53259 Change-Id: I3d664fa92028f4580f828412657e4c11571a708f --- M modules/ishmael/templates/apache/ishmael.wikimedia.org.erb 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/40/147740/1 diff --git a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb index 3bf43ef..add40da 100644 --- a/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb +++ b/modules/ishmael/templates/apache/ishmael.wikimedia.org.erb 
@@ -7,8 +7,8 @@ VirtualHost *:443 ServerName %= @site_name % SSLEngine On - SSLProtocol -ALL +SSLv3 +TLSv1 - SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA + SSLProtocol +ALL -SSLv2 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/private/ishmael.wikimedia.org.pem SSLCertificateKeyFile /etc/ssl/private/ishmael.wikimedia.org.key -- To view, visit https://gerrit.wikimedia.org/r/147740 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3d664fa92028f4580f828412657e4c11571a708f Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
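Review bot: the full SSLCipherSuite value is pasted literally into ishmael.wikimedia.org.erb, a template that already interpolates @site_name for ServerName. Since the string is long and has to stay identical wherever it is used, consider passing it in as a template variable so it is maintained in one place and a later change to the list is a one-line diff.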
[MediaWiki-commits] [Gerrit] use protocol relative url for image links on stats homepage - change (analytics/wikistats)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/147876 Change subject: use protocol relative url for image links on stats homepage .. use protocol relative url for image links on stats homepage https://stats.wikimedia.org/ contains mixed content. It loads images from http://upload.wikimedia.org. So I changed all occurrence of http://upload.wikimedia.org; with //upload.wikimedia.org, and http://wikimediafoundation.org/favicon.ico; with //wikimediafoundation.org/favicon.ico. Change-Id: I31ef9823a5cb3bd92f49bb7f8ba06555a57c5321 --- M portal/index.html 1 file changed, 47 insertions(+), 47 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/analytics/wikistats refs/changes/76/147876/1 diff --git a/portal/index.html b/portal/index.html index b3044ae..5e73671 100644 --- a/portal/index.html +++ b/portal/index.html @@ -4,8 +4,8 @@ meta http-equiv=Content-type content=text/html; charset=iso-8859-1 meta name=robots content=index,follow script language=javascript type=text/javascript src=../WikipediaStatistics11.js/script - link rel=shortcut icon href=http://wikimediafoundation.org/favicon.ico; / - link rel=apple-touch-icon href=http://wikimediafoundation.org/favicon.ico; / + link rel=shortcut icon href=//wikimediafoundation.org/favicon.ico / + link rel=apple-touch-icon href=//wikimediafoundation.org/favicon.ico / titleWikistats: Wikimedia Statistics/title script src=jquery-1.1.3.1.pack.js type=text/javascript/script @@ -54,7 +54,7 @@ table tr - td valign=middlenbsp;img src='http://upload.wikimedia.org/wikipedia/commons/thumb/8/81/Wikimedia-logo.svg/25px-Wikimedia-logo.svg.png'/td + td valign=middlenbsp;img src='//upload.wikimedia.org/wikipedia/commons/thumb/8/81/Wikimedia-logo.svg/25px-Wikimedia-logo.svg.png'/td td valign=middle align=lefth1Wikimedia Statistics/h1/td /tr /table 
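Review bot: in the first two hunks the favicon links and the logo img become protocol-relative ("//wikimediafoundation.org/favicon.ico", "//upload.wikimedia.org/..."), which resolves back to http:// whenever portal/index.html itself is loaded over http://. The commit message already relies on both hosts answering over HTTPS, so writing "https://" explicitly would fix the mixed content on https://stats.wikimedia.org/ and also protect these subresources for visitors who arrive over plain HTTP.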
@@ -93,27 +93,27 @@ Detailed trends for each project.br Tables and charts cover the entire history. table border=0 width=300 - trtd valign=bottom align=left width=40a href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'img src='http://upload.wikimedia.org/wikipedia/commons/thumb/6/63/Wikipedia-logo.png/40px-Wikipedia-logo.png' width='40' height='40' border='0' alt='Wikipedia'border=0 //abra href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'bWikipedia/b/a/td - td valign=bottom align=left width=40a href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'img src='http://upload.wikimedia.org/wikipedia/commons/thumb/4/4a/Commons-logo.svg/40px-Commons-logo.svg.png' width='40' height='48' alt='Commons' title='Free media repository' border=0 //abra href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'bCommons/b/a/td - td valign=bottom align=left width=40a href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaWIKIDATA.htm'img src='http://upload.wikimedia.org/wikipedia/commons/e/e4/Wikidata-logo-en-135px.png' width='50' height='50' alt='Wikidata' title='Wikidata' border=0 //abrba href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaWIKIDATA.htm'Wikidata/a/b/td - td valign=bottom align=left width=40a href='http://en.wikipedia.org/wikistats/wikivoyage/EN/Sitemap.htm'img src='http://upload.wikimedia.org/wikipedia/commons/b/b7/Wikivoyage-Logo-v3-en-highlight.png' width='40' height='40' alt='Wikivoyage' title='Wikivoyage' border=0 //anbsp;a href='http://www.wikivoyage.org/' title='Wikivoyage'/abrba href='http://en.wikipedia.org/wikistats/wikivoyage/EN/Sitemap.htm'Wikivoyage/a/b/td/tr + trtd valign=bottom align=left width=40a href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'img src='//upload.wikimedia.org/wikipedia/commons/thumb/6/63/Wikipedia-logo.png/40px-Wikipedia-logo.png' width='40' height='40' border='0' alt='Wikipedia'border=0 //abra 
href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'bWikipedia/b/a/td + td valign=bottom align=left width=40a href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'img src='//upload.wikimedia.org/wikipedia/commons/thumb/4/4a/Commons-logo.svg/40px-Commons-logo.svg.png' width='40' height='48' alt='Commons' title='Free media repository' border=0 //abra href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'bCommons/b/a/td + td valign=bottom align=left width=40a href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaWIKIDATA.htm'img src='//upload.wikimedia.org/wikipedia/commons/e/e4/Wikidata-logo-en-135px.png' width='50' height='50' alt='Wikidata' title='Wikidata' border=0 //abrba href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaWIKIDATA.htm'Wikidata/a/b/td + td valign=bottom align=left width=40a href='http://en.wikipedia.org/wikistats/wikivoyage/EN/Sitemap.htm'img
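Review bot: in the "@@ -93,27 +93,27 @@" hunk only the img src values change; the anchors on the same lines, such as "a href='http://stats.wikimedia.org/wikispecial/EN/TablesWikipediaCOMMONS.htm'" and "a href='http://en.wikipedia.org/wikistats/EN/Sitemap.htm'", stay on http://. They are not mixed content, but a reader who opens the portal over HTTPS is sent back to plain HTTP on the first click. The links that point at stats.wikimedia.org itself could be made relative or protocol-relative in this same change.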
[MediaWiki-commits] [Gerrit] rt -- update cipher suite list to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/147715 Change subject: rt -- update cipher suite list to support PFS .. rt -- update cipher suite list to support PFS This patch changes cipher suite list for rt.wikimedia.org to support Forward Secrecy. Bug: 53259 Change-Id: Ibe65118feb952a147cdfdd0b074c0ef995393b91 --- M templates/rt/rt4.apache.erb 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/15/147715/1 diff --git a/templates/rt/rt4.apache.erb b/templates/rt/rt4.apache.erb index f3e78d8..09bbb4e 100644 --- a/templates/rt/rt4.apache.erb +++ b/templates/rt/rt4.apache.erb @@ -14,8 +14,8 @@ ServerName %=@site% SSLEngine on - SSLProtocol -ALL +SSLv3 +TLSv1 - SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA + SSLProtocol +ALL -SSLv2 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/certs/rt.wikimedia.org.pem SSLCertificateKeyFile /etc/ssl/private/rt.wikimedia.org.key -- To view, visit https://gerrit.wikimedia.org/r/147715 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibe65118feb952a147cdfdd0b074c0ef995393b91 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
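Review bot: the tail of the added SSLCipherSuite ("AES128:AES256:RC4-SHA:HIGH") uses OpenSSL aliases rather than suite names, so what the server actually offers depends on the OpenSSL version on the rt host and cannot be read from the diff. Please include the output of "openssl ciphers -v" for this exact string, taken on that host, in the change, or replace the aliases with the explicit suites you intend to allow.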
[MediaWiki-commits] [Gerrit] update SSL ciphers for Ganglia to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/147110 Change subject: update SSL ciphers for Ganglia to support PFS .. update SSL ciphers for Ganglia to support PFS I used the cipher suite list from Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c. Bug: 53259 Change-Id: Ifacd5e4a3a3fdb5b832afec947c2c213797429d9 --- M templates/apache/sites/ganglia.wikimedia.org.erb 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/10/147110/1 diff --git a/templates/apache/sites/ganglia.wikimedia.org.erb b/templates/apache/sites/ganglia.wikimedia.org.erb index 9c9c22a..a0143b0 100644 --- a/templates/apache/sites/ganglia.wikimedia.org.erb +++ b/templates/apache/sites/ganglia.wikimedia.org.erb 
@@ -26,8 +26,8 @@ ServerAdmin r...@wikimedia.org SSLEngine on - SSLProtocol -ALL +SSLv3 +TLSv1 - SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA +SSLProtocol +ALL -SSLv2 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile %= ganglia_ssl_cert % SSLCertificateKeyFile %= ganglia_ssl_key % -- To view, visit https://gerrit.wikimedia.org/r/147110 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ifacd5e4a3a3fdb5b832afec947c2c213797429d9 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
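Review bot: the two added lines start at column 0 ("+SSLProtocol", "+SSLCipherSuite") while the lines they replace were indented ("- SSLProtocol", "- SSLCipherSuite"), so the new directives no longer line up with the rest of the VirtualHost block. Keep the indentation of the lines being replaced.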
[MediaWiki-commits] [Gerrit] update SSL ciphers for noc.wikimedia.org to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/147123 Change subject: update SSL ciphers for noc.wikimedia.org to support PFS .. update SSL ciphers for noc.wikimedia.org to support PFS I used the cipher suite list from Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c. Bug: 53259 Change-Id: Ie4910dcb158157db6f05c2d3917ade7deb3f75ba --- M files/apache/sites/noc.wikimedia.org 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/23/147123/1 diff --git a/files/apache/sites/noc.wikimedia.org b/files/apache/sites/noc.wikimedia.org index 286ff1d..9030c1b 100644 --- a/files/apache/sites/noc.wikimedia.org +++ b/files/apache/sites/noc.wikimedia.org 
@@ -43,8 +43,8 @@ UserDir public_html SSLEngine on - SSLProtocol -ALL +SSLv3 +TLSv1 - SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA +SSLProtocol +ALL -SSLv2 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/certs/noc.wikimedia.org.pem SSLCertificateKeyFile /etc/ssl/private/noc.wikimedia.org.key -- To view, visit https://gerrit.wikimedia.org/r/147123 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie4910dcb158157db6f05c2d3917ade7deb3f75ba Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
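Review bot: the commit message says the list was taken from Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c, but the SSLCipherSuite added here is not identical to the one in patch set 1 of that change: that one has "kEDH+AESGCM" after "ECDHE-ECDSA-AES256-GCM-SHA384" and this one does not. Say in the commit message which patch set the string comes from, or that the entry was dropped on purpose, so the vhosts can be compared later.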
[MediaWiki-commits] [Gerrit] update SSL ciphers for contacts.wm.org to support PFS - change (operations/puppet)
Chmarkine has uploaded a new change for review. https://gerrit.wikimedia.org/r/146510 Change subject: update SSL ciphers for contacts.wm.org to support PFS .. update SSL ciphers for contacts.wm.org to support PFS I used the cipher suite list from I39b389b63ae6b8848abb20431091263717192582. Even though I think contacts.wikimedia.org is for internal use only, I guess it's still better to enable Forward Secrecy on it. Bug: 53259 Change-Id: Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c --- M files/apache/sites/contacts.wikimedia.org 1 file changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/10/146510/1 diff --git a/files/apache/sites/contacts.wikimedia.org b/files/apache/sites/contacts.wikimedia.org index e10a97f..7a75561 100644 --- a/files/apache/sites/contacts.wikimedia.org +++ b/files/apache/sites/contacts.wikimedia.org 
@@ -12,8 +12,8 @@ DocumentRoot /srv/org/wikimedia/contacts/ SSLEngine On -SSLProtocol -ALL +SSLv3 +TLSv1 -SSLCipherSuite AES128-GCM-SHA256:RC4-SHA:RC4-MD5:DES-CBC3-SHA:AES128-SHA:AES256-SHA + SSLProtocol +ALL -SSLv2 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/certs/contacts.wikimedia.org.pem SSLCertificateKeyFile /etc/ssl/private/contacts.wikimedia.org.key -- To view, visit https://gerrit.wikimedia.org/r/146510 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic18e2a27e0e25fe3ee287c5d56834a77ba78c35c Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Chmarkine chmark...@hotmail.com ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
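Review bot: "kEDH+AESGCM" in the added SSLCipherSuite has no effect, because the trailing "!DH" permanently removes every DH key-exchange suite, including the ephemeral ones that entry selects. As written, forward secrecy is available only to clients that support ECDHE, and everything else falls through to "AES128-GCM-SHA256", the AES aliases or "RC4-SHA". Either drop the "kEDH+AESGCM" entry, or, if DHE is wanted, remove "!DH" and confirm the server's DH parameters are acceptable.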