Re: [Cloud] Change to how Cloud VPS and Toolforge contact Wikis

2021-02-02 Thread Arturo Borrero Gonzalez

On 1/25/21 11:55 AM, Arturo Borrero Gonzalez wrote:

Hello,

we are planning to change how Cloud VPS instances and Toolforge tools contact 
WMF-hosted wikis, in particular the source IP address for the network connection.

The new IP address that wikis will see is 185.15.56.1.

The change is scheduled to go live on 2021-02-08.

More detailed information in wikitech:

  https://wikitech.wikimedia.org/wiki/News/CloudVPS_NAT_wikis



Hi there,

based on the feedback we have collected so far, we decided to extend the 
timeline. This change won't go live on 2021-02-08 but at a later date instead.
We will use this extended timeline to review a few unexpected config changes 
that we need to introduce prior to this operation.


The exact new date is still to be decided, and we will share it once it is 
known.

Thanks to everyone for providing valuable feedback.

regards.

--
Arturo Borrero Gonzalez
SRE / Wikimedia Cloud Services
Wikimedia Foundation

___
Wikimedia Cloud Services mailing list
Cloud@lists.wikimedia.org (formerly lab...@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/cloud


[Cloud] [Cloud-announce] [Cloud VPS] TLS encryption fully enforced for *.wmflabs.org & *.wmcloud.org

2021-02-02 Thread Bryan Davis
On Tue, Aug 18, 2020 at 9:03 AM Bryan Davis wrote:
>
> TL;DR:
> * HTTP -> HTTPS redirection is live (finally!)
> * Currently allowing a "POST loophole"
> * "POST loophole" will be closed on 2021-02-01
>
> Today we merged a small change [0] to the front proxy used by Cloud
> VPS projects [1]. This change brings automatic HTTP -> HTTPS
> redirection to the "domain proxy" service and a
> Strict-Transport-Security header with a 1 day duration.
>
> The current configuration is conservative. We will only redirect GET
> and HEAD requests to HTTPS to avoid triggering bugs in the handling of
> redirects during POST requests. This "POST loophole" is the same
> process that we followed when converting the production wiki farm and
> Toolforge to HTTPS.
>
> When we announced similar changes for Toolforge in 2019 [2] we forgot
> to set a timeline for closing the POST loophole. This time we are
> wiser! We will close the POST loophole and make all HTTP requests,
> regardless of the verb used, redirect to HTTPS on 2021-02-01. This 6
> month transition period should give us all a chance to find and update
> URLs to use https and to fix any dependent software that might break
> if a redirect was sent for a POST request.
>
> If you find issues in your projects resulting from this change, please
> do let us know. The tracking task for this change is T120486 [3]. We
> also provide support in the #wikimedia-cloud channel on Freenode and
> via the cloud@lists.wikimedia.org mailing list [4].
>
>
> [0]: https://gerrit.wikimedia.org/r/c/operations/puppet/+/620122/
> [1]: https://wikitech.wikimedia.org/wiki/Help:Using_a_web_proxy_to_reach_Cloud_VPS_servers_from_the_internet
> [2]: https://phabricator.wikimedia.org/phame/post/view/132/migrating_tools.wmflabs.org_to_https/
> [3]: https://phabricator.wikimedia.org/T120486
> [4]: https://lists.wikimedia.org/mailman/listinfo/cloud

TL;DR:
* "POST loophole" closed per prior announcement on 2020-08-18
* 366 day Strict-Transport-Security header sent with all HTTPS responses

I am very happy to announce that today we have closed the "POST
loophole" for our *.wmflabs.org & *.wmcloud.org proxy layer [5]. This
is a follow-up to the announcement of partial TLS enforcement by the
Cloud VPS front proxies on 2020-08-18.

There is a possibility that closing the POST loophole will break some
clients accessing services running in Cloud VPS behind the front
proxies. Specifically, POST actions sent to HTTP (not HTTPS) URLs will
now return a 301 Moved Permanently response to the same URL with the
scheme changed to https. The HTTP specifications are ambiguous about
how this response should be handled which means that implementations
in various browsers and libraries may or may not re-POST the original
payload to the new URL. The best fix we can suggest for this is
updating links and forms to always use HTTPS URLs.

If you find issues in your projects resulting from this change, please
do let us know. The tracking task for this change is T120486 [6]. We
also provide support in the #wikimedia-cloud channel on Freenode and
via the cloud@lists.wikimedia.org mailing list [7].

[5]: https://gerrit.wikimedia.org/r/661140
[6]: https://phabricator.wikimedia.org/T120486
[7]: https://lists.wikimedia.org/mailman/listinfo/cloud

Bryan, on behalf of the Cloud VPS admin team
-- 
Bryan Davis  Technical Engagement  Wikimedia Foundation
Principal Software Engineer   Boise, ID USA
[[m:User:BDavis_(WMF)]]  irc: bd808
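The two-phase redirect policy and the client-side ambiguity Bryan describes above can be modelled in a few lines. The following is an added example written for this thread, not the front proxy's own Puppet/nginx configuration: `front_proxy` is a hypothetical model of the policy (GET/HEAD always redirected, other verbs passed through only while the "POST loophole" is open, Strict-Transport-Security sent only on HTTPS responses, since RFC 6797 makes the header meaningless over plain HTTP), `follow_redirect` simulates the two behaviours RFC 7231 allows a client on a 301 to a non-GET request (re-send the same method and body, or fall back to GET and drop the body), and `find_insecure_urls` is a small audit for the fix the announcement recommends, i.e. finding `http://` links and form actions that point at `*.wmflabs.org` / `*.wmcloud.org`. The hostnames and HTML snippet are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

DAY = 86400  # seconds; the announced HSTS duration is 366 days


@dataclass
class Request:
    method: str
    scheme: str            # "http" or "https"
    host: str
    path: str
    body: Optional[bytes] = None


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def front_proxy(req: Request, post_loophole_open: bool,
                hsts_max_age: int = 366 * DAY) -> Response:
    """Hypothetical model of the announced redirect policy (not the real proxy config).

    - HTTPS requests are served and carry Strict-Transport-Security.
    - Plain-HTTP GET/HEAD are always 301'd to the https:// form of the URL.
    - Plain-HTTP POST/PUT/... are served while the loophole is open, 301'd once closed.
    """
    if req.scheme == "https":
        return Response(200, {"Strict-Transport-Security": f"max-age={hsts_max_age}"})
    if post_loophole_open and req.method.upper() not in ("GET", "HEAD"):
        return Response(200, {})  # the loophole: an insecure POST is still served
    return Response(301, {"Location": f"https://{req.host}{req.path}"})


def follow_redirect(req: Request, resp: Response, rewrite_to_get: bool) -> Request:
    """Simulate a client following a 301.

    RFC 7231 lets a user agent either repeat the request unchanged at the new
    URL or, "for historical reasons", change the method to GET; the latter
    silently drops the POST body, which is the breakage the announcement warns about.
    """
    if resp.status not in (301, 302):
        return req
    scheme, rest = resp.headers["Location"].split("://", 1)
    host, _, path = rest.partition("/")
    if rewrite_to_get and req.method.upper() == "POST":
        return Request("GET", scheme, host, "/" + path, body=None)
    return Request(req.method, scheme, host, "/" + path, body=req.body)


# Attribute values of the form href="http://host/..." (only plain http, not https).
INSECURE_URL = re.compile(r"""(?:href|action|src)=["'](http://([^/"']+)[^"']*)["']""", re.I)
AFFECTED_SUFFIXES = (".wmflabs.org", ".wmcloud.org")


def find_insecure_urls(html: str) -> list:
    """Return plain-http URLs in html that point at the proxied domains."""
    return [url for url, host in INSECURE_URL.findall(html)
            if host.lower().endswith(AFFECTED_SUFFIXES)]


def hsts_max_age(resp: Response) -> Optional[int]:
    """Parse max-age out of a Strict-Transport-Security header, if present."""
    value = resp.headers.get("Strict-Transport-Security")
    match = re.search(r"max-age=(\d+)", value or "")
    return int(match.group(1)) if match else None


# Constructed sample page with one insecure link and one insecure form action.
SAMPLE_HTML = """
<a href="http://mytool.wmflabs.org/help">help</a>
<form action="http://mytool.wmcloud.org/submit" method="post"></form>
<a href="https://mytool.wmflabs.org/secure">already fine</a>
<img src="http://static.example.org/logo.png">
"""

if __name__ == "__main__":
    post = Request("POST", "http", "mytool.wmflabs.org", "/submit", body=b"title=x")
    for phase in (True, False):
        resp = front_proxy(post, post_loophole_open=phase)
        print(f"loophole_open={phase}: status={resp.status} headers={resp.headers}")
    closed = front_proxy(post, post_loophole_open=False)
    print("client that rewrites to GET:", follow_redirect(post, closed, rewrite_to_get=True))
    print("client that re-POSTs:      ", follow_redirect(post, closed, rewrite_to_get=False))
    print("insecure URLs to fix:", find_insecure_urls(SAMPLE_HTML))
```

Running the audit over a project's templates before the cutover date, and fixing every URL it reports, removes the dependency on client redirect behaviour entirely, which is the fix recommended above.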

___
Wikimedia Cloud Services announce mailing list
cloud-annou...@lists.wikimedia.org (formerly labs-annou...@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/cloud-announce