[MediaWiki-commits] [Gerrit] transparency: make it HTTPS only and enable HSTS - change (operations/puppet)
BBlack has submitted this change and it was merged.
Change subject: transparency: make it HTTPS only and enable HSTS
..
transparency: make it HTTPS only and enable HSTS
Make https://transparency.wikimedia.org/ HTTPS only, and enable
HSTS with max-age=7 days. I also deleted the unused 404 code.
Bug: T40516
Change-Id: I14f5cf359c9754c3f7359827b34859aa41d5ac76
---
M manifests/role/transparency.pp
M templates/apache/sites/transparency.wikimedia.org.erb
2 files changed, 6 insertions(+), 6 deletions(-)
Approvals:
BBlack: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/role/transparency.pp b/manifests/role/transparency.pp
index 77dd7f3..9b177b9 100644
--- a/manifests/role/transparency.pp
+++ b/manifests/role/transparency.pp
@@ -6,6 +6,7 @@
class role::transparency {
include ::apache
include ::apache::mod::rewrite
+include ::apache::mod::headers
$repo_dir = '/srv/org/wikimedia/TransparencyReport'
$docroot = ${repo_dir}/build
diff --git a/templates/apache/sites/transparency.wikimedia.org.erb
b/templates/apache/sites/transparency.wikimedia.org.erb
index 82f9393..44abf7c 100644
--- a/templates/apache/sites/transparency.wikimedia.org.erb
+++ b/templates/apache/sites/transparency.wikimedia.org.erb
@@ -1,5 +1,5 @@
# vim:ft=apache: ts=4 sw=4
-# Apache configuration for http://transparency.wikimedia.org
+# Apache configuration for https://transparency.wikimedia.org
# This file is managed by Puppet.
VirtualHost *:80
ServerName transparency.wikimedia.org
@@ -15,10 +15,9 @@
allow from all
/Directory
-# Serve 404s for all requests until the launch, at 2014-Aug-06 08:30 UTC.
-# This code can be removed any time after that. --OL
RewriteEngine on
-RewriteCond %{ENV:REDIRECT_STATUS} !=404
-RewriteCond %{TIME} %= Time.utc(2014, 'Aug', 6, 8,
30).strftime('%Y%m%d%H%M%S') %
-RewriteRule .* - [L,R=404]
+RewriteCond %{HTTP:X-Forwarded-Proto} !https
+RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}
[R=301,E=ProtoRedirect]
+Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+Header always set Strict-Transport-Security max-age=604800
/VirtualHost
--
To view, visit https://gerrit.wikimedia.org/r/199517
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I14f5cf359c9754c3f7359827b34859aa41d5ac76
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com
Gerrit-Reviewer: BBlack bbl...@wikimedia.org
Gerrit-Reviewer: JanZerebecki jan.wikime...@zerebecki.de
Gerrit-Reviewer: jenkins-bot
___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] transparency: make it HTTPS only and enable HSTS - change (operations/puppet)
Chmarkine has uploaded a new change for review.
https://gerrit.wikimedia.org/r/199517
Change subject: transparency: make it HTTPS only and enable HSTS
..
transparency: make it HTTPS only and enable HSTS
Make https://transparency.wikimedia.org/ HTTPS only, and enable
HSTS with max-age=7 days. I also deleted the unused 404 code.
Bug: T40516
Change-Id: I14f5cf359c9754c3f7359827b34859aa41d5ac76
---
M manifests/role/transparency.pp
M templates/apache/sites/transparency.wikimedia.org.erb
2 files changed, 6 insertions(+), 6 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/17/199517/1
diff --git a/manifests/role/transparency.pp b/manifests/role/transparency.pp
index 77dd7f3..9b177b9 100644
--- a/manifests/role/transparency.pp
+++ b/manifests/role/transparency.pp
@@ -6,6 +6,7 @@
class role::transparency {
include ::apache
include ::apache::mod::rewrite
+include ::apache::mod::headers
$repo_dir = '/srv/org/wikimedia/TransparencyReport'
$docroot = ${repo_dir}/build
diff --git a/templates/apache/sites/transparency.wikimedia.org.erb
b/templates/apache/sites/transparency.wikimedia.org.erb
index 82f9393..44abf7c 100644
--- a/templates/apache/sites/transparency.wikimedia.org.erb
+++ b/templates/apache/sites/transparency.wikimedia.org.erb
@@ -1,5 +1,5 @@
# vim:ft=apache: ts=4 sw=4
-# Apache configuration for http://transparency.wikimedia.org
+# Apache configuration for https://transparency.wikimedia.org
# This file is managed by Puppet.
VirtualHost *:80
ServerName transparency.wikimedia.org
@@ -15,10 +15,9 @@
allow from all
/Directory
-# Serve 404s for all requests until the launch, at 2014-Aug-06 08:30 UTC.
-# This code can be removed any time after that. --OL
RewriteEngine on
-RewriteCond %{ENV:REDIRECT_STATUS} !=404
-RewriteCond %{TIME} %= Time.utc(2014, 'Aug', 6, 8,
30).strftime('%Y%m%d%H%M%S') %
-RewriteRule .* - [L,R=404]
+RewriteCond %{HTTP:X-Forwarded-Proto} !https
+RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI}
[R=301,E=ProtoRedirect]
+Header always merge Vary X-Forwarded-Proto env=ProtoRedirect
+Header always set Strict-Transport-Security max-age=604800
/VirtualHost
--
To view, visit https://gerrit.wikimedia.org/r/199517
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I14f5cf359c9754c3f7359827b34859aa41d5ac76
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Chmarkine chmark...@hotmail.com
___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
