[MediaWiki-commits] [Gerrit] tlsproxy: only enable TFO on default_server - change (operations/puppet)

2016-06-24 Thread Ema (Code Review)
Ema has submitted this change and it was merged.

Change subject: tlsproxy: only enable TFO on default_server
..


tlsproxy: only enable TFO on default_server

socket-related options should not be specified in more than one listen
directive. Only include fastopen=N on default_server, similarly to how
we deal with backlog=N and similar options.

Bug: T108827
Change-Id: I50d27cfadbd161782da2daeb57f696dea331a6e2
---
M modules/tlsproxy/templates/localssl.erb
1 file changed, 4 insertions(+), 4 deletions(-)

Approvals:
  Ema: Verified; Looks good to me, approved



diff --git a/modules/tlsproxy/templates/localssl.erb 
b/modules/tlsproxy/templates/localssl.erb
index 6b67bb9..553c7eb 100644
--- a/modules/tlsproxy/templates/localssl.erb
+++ b/modules/tlsproxy/templates/localssl.erb
@@ -9,8 +9,8 @@
 
 # SSL proxying
 server {
-   listen [::]:443 <%= @default_server ? "default_server deferred 
backlog=16384 reuseport ipv6only=on " : "" %>ssl http2 fastopen=<%= 
@fastopen_pending_max %>;
-   listen 443 <%= @default_server ? "default_server deferred backlog=16384 
reuseport " : "" %>ssl http2 fastopen=<%= @fastopen_pending_max %>;
+   listen [::]:443 <%= @default_server ? "default_server deferred 
backlog=16384 reuseport ipv6only=on fastopen=#{fastopen_pending_max} " : "" 
%>ssl http2;
+   listen 443 <%= @default_server ? "default_server deferred backlog=16384 
reuseport fastopen=#{fastopen_pending_max} " : "" %>ssl http2;
ssl on;
server_name <%= ([@server_name] + @server_aliases).join(" ") %>;
 
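Review bot: In both added listen lines of this hunk the interpolation reads fastopen_pending_max without the @ prefix, while the removed lines used @fastopen_pending_max and every other variable in the template (@default_server, @server_name, @server_aliases) is an instance variable. The bare name depends on Puppet's deprecated local-variable lookup in ERB templates and stops resolving on Puppet versions that removed it. Suggest writing the token as "fastopen=#{@fastopen_pending_max} " in both lines.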
@@ -62,8 +62,8 @@
 }
 <% if @redir_port -%>
 server {
-   listen [::]:<%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport ipv6only=on " : "" %> fastopen=<%= 
@fastopen_pending_max %>;
-   listen <%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport " : "" %> fastopen=<%= @fastopen_pending_max %>;
+   listen [::]:<%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport ipv6only=on fastopen=#{fastopen_pending_max} " 
: "" %>;
+   listen <%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport fastopen=#{fastopen_pending_max} " : "" %>;
server_name <%= ([@server_name] + @server_aliases).join(" ") %>;
 
error_log   /var/log/nginx/<%= @name %>.error.log;
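Review bot: Missing documentation on the redirect listen lines: with fastopen moved inside the default_server branch, an instance rendered with @default_server false emits no TFO option on either port, and a host where no instance is the default_server ends up with TFO off without any visible signal. The commit message gives the reason (socket options belong on only one listen directive), but the template does not. A short comment above each listen pair, stating that the default_server instance carries backlog, reuseport and fastopen for the shared listening socket, would keep a later edit from adding the option back outside the ternary.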

-- 
To view, visit https://gerrit.wikimedia.org/r/295810
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I50d27cfadbd161782da2daeb57f696dea331a6e2
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ema 
Gerrit-Reviewer: BBlack 
Gerrit-Reviewer: Ema 
Gerrit-Reviewer: jenkins-bot <>

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] tlsproxy: only enable TFO on default_server - change (operations/puppet)

2016-06-24 Thread Ema (Code Review)
Ema has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/295810

Change subject: tlsproxy: only enable TFO on default_server
..

tlsproxy: only enable TFO on default_server

socket-related options should not be specified in more than one listen
directive. Only include fastopen=N on default_server, similarly to how
we deal with backlog=N and similar options.

Bug: T108827
Change-Id: I50d27cfadbd161782da2daeb57f696dea331a6e2
---
M modules/tlsproxy/templates/localssl.erb
1 file changed, 4 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/10/295810/1

diff --git a/modules/tlsproxy/templates/localssl.erb 
b/modules/tlsproxy/templates/localssl.erb
index 6b67bb9..553c7eb 100644
--- a/modules/tlsproxy/templates/localssl.erb
+++ b/modules/tlsproxy/templates/localssl.erb
@@ -9,8 +9,8 @@
 
 # SSL proxying
 server {
-   listen [::]:443 <%= @default_server ? "default_server deferred 
backlog=16384 reuseport ipv6only=on " : "" %>ssl http2 fastopen=<%= 
@fastopen_pending_max %>;
-   listen 443 <%= @default_server ? "default_server deferred backlog=16384 
reuseport " : "" %>ssl http2 fastopen=<%= @fastopen_pending_max %>;
+   listen [::]:443 <%= @default_server ? "default_server deferred 
backlog=16384 reuseport ipv6only=on fastopen=#{fastopen_pending_max} " : "" 
%>ssl http2;
+   listen 443 <%= @default_server ? "default_server deferred backlog=16384 
reuseport fastopen=#{fastopen_pending_max} " : "" %>ssl http2;
ssl on;
server_name <%= ([@server_name] + @server_aliases).join(" ") %>;
 
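Review bot: Style point on the two added listen lines: the option string "default_server deferred backlog=... reuseport ... fastopen=..." is now spelled out four times in the template (twice here, twice in the redirect block), differing only in the backlog value and ipv6only=on. Building the shared socket options once in a <% ... -%> block near the top of the template and interpolating the result would keep the four lines in step the next time an option is added or dropped.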
@@ -62,8 +62,8 @@
 }
 <% if @redir_port -%>
 server {
-   listen [::]:<%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport ipv6only=on " : "" %> fastopen=<%= 
@fastopen_pending_max %>;
-   listen <%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport " : "" %> fastopen=<%= @fastopen_pending_max %>;
+   listen [::]:<%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport ipv6only=on fastopen=#{fastopen_pending_max} " 
: "" %>;
+   listen <%= @redir_port %> <%= @default_server ? "default_server 
deferred backlog=4096 reuseport fastopen=#{fastopen_pending_max} " : "" %>;
server_name <%= ([@server_name] + @server_aliases).join(" ") %>;
 
error_log   /var/log/nginx/<%= @name %>.error.log;
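Review bot: In the two added redirect listen lines, "fastopen=#{fastopen_pending_max} " is emitted whenever @default_server is true, and nothing visible in the template checks that the value is set. An empty value renders as "fastopen= ", which nginx rejects when it parses the listen directive. Suggest appending the fastopen token only when the value is a positive integer, so the default_server instance still produces a valid listen line if the parameter is left unset.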

-- 
To view, visit https://gerrit.wikimedia.org/r/295810

Gerrit-MessageType: newchange
Gerrit-Change-Id: I50d27cfadbd161782da2daeb57f696dea331a6e2
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ema 
