[07:48:30] Traffic, Operations: Fix apache-2.4 + DHE ciphersuites issue - https://phabricator.wikimedia.org/T133217#2226458 (MoritzMuehlenhoff) I'm in favour of rebuilding apache2. The overhead isn't that big (jessie has been released a year ago and saw one update in a DSA and two in point releases) and it's a tran...
[13:12:40] Traffic, Operations: Fix apache-2.4 + DHE ciphersuites issue - https://phabricator.wikimedia.org/T133217#2227101 (BBlack) @MoritzMuehlenhoff - if you think it's not much overhead and want to take on packaging jessie's apache-2.4 built against our openssl-1.0.2, that would be awesome :)
[13:15:55] Traffic, Operations: Fix apache-2.4 + DHE ciphersuites issue - https://phabricator.wikimedia.org/T133217#2227146 (MoritzMuehlenhoff) Sure, I can do that next week.
[15:18:42] Traffic, Discovery, Kartotherian, Maps, and 2 others: codfw/eqiad/esams/ulsfo: (4) servers for maps caching cluster - https://phabricator.wikimedia.org/T131880#2227449 (mark) Let's move forward with repurposing the existing (ex mobile) Varnish servers for maps. :)
[15:51:51] Traffic, Operations, Continuous-Integration-Infrastructure (phase-out-gallium): Move gallium to an internal host? - https://phabricator.wikimedia.org/T133150#2227541 (hashar)
[15:52:05] netops, Operations, Continuous-Integration-Infrastructure (phase-out-gallium): install/setup/deploy cobalt as replacement for gallium - https://phabricator.wikimedia.org/T95959#2227542 (hashar)
[15:55:20] Traffic, Discovery, Kartotherian, Maps, and 2 others: codfw/eqiad/esams/ulsfo: (4) servers for maps caching cluster - https://phabricator.wikimedia.org/T131880#2227556 (BBlack) With post-switchover work, a weekend coming, and other misc constraints, @Gehel and I are planning to actually do the work o...
[16:03:05] Traffic, netops, Operations: Set up LVS for current AuthDNS - https://phabricator.wikimedia.org/T101525#2227600 (BBlack)
[16:03:16] Traffic, netops, Operations: Anycast (Auth)DNS - https://phabricator.wikimedia.org/T98006#2227601 (BBlack)
[16:06:12] Traffic, Operations, Continuous-Integration-Infrastructure (phase-out-gallium): Move gallium to an internal host? - https://phabricator.wikimedia.org/T133150#2227615 (hashar) We have created a sub project in Phabricator https://phabricator.wikimedia.org/project/view/1966/ First step is for #releng t...
[16:06:19] netops, Operations, Continuous-Integration-Infrastructure (phase-out-gallium): install/setup/deploy cobalt as replacement for gallium - https://phabricator.wikimedia.org/T95959#2227618 (hashar) We have created a sub project in Phabricator https://phabricator.wikimedia.org/project/view/1966/ First st...
[16:29:05] Traffic, MediaWiki-Parser, Operations, Parsing-Team, and 5 others: Banners fail to show up occasionally on Russian Wikivoyage - https://phabricator.wikimedia.org/T121135#2227723 (Jdlrobson) Can we safely call this closed from the community perspective @Atsirlin and @Wrh2 ? Any new reports?
[16:34:32] Traffic, MediaWiki-Parser, Operations, Parsing-Team, and 5 others: Banners fail to show up occasionally on Russian Wikivoyage - https://phabricator.wikimedia.org/T121135#2227751 (Wrh2) While I haven't noticed the issue in the past week, if there's no harm in doing so I would leave this open for...
[16:35:23] Traffic, MediaWiki-Parser, Operations, Parsing-Team, and 5 others: Banners fail to show up occasionally on Russian Wikivoyage - https://phabricator.wikimedia.org/T121135#2227780 (Jdlrobson) No harm, just wanted to check in whether things are looking good. Sounds like they are :)
[20:18:34] HTTPS, Traffic, Operations, Patch-For-Review: Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination - https://phabricator.wikimedia.org/T132521#2228498 (BBlack) I've missed some meta-tracking (putting bug refs on patches, etc), but status...
[20:34:38] HTTPS, Traffic, Operations, Patch-For-Review: Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination - https://phabricator.wikimedia.org/T132521#2228590 (BBlack) One more thing I didn't note above: stream.wm.o lacks HSTS on fetch of `/`,...
[21:31:52] HTTPS, Traffic, Operations: HTTPS Plans (tracking / high-level info) - https://phabricator.wikimedia.org/T104681#2229022 (BBlack)
[21:41:41] Traffic, Analytics, MediaWiki-extensions-CentralNotice, Operations: Generate a list of junk CN cookies being sent by clients - https://phabricator.wikimedia.org/T132374#2229057 (ori) Open>Resolved a:ori I captured about 20 minutes' worth of cookie names by running varnishlog on cp1066...
[21:47:10] Traffic, Analytics, MediaWiki-extensions-CentralNotice, Operations: Generate a list of junk CN cookies being sent by clients - https://phabricator.wikimedia.org/T132374#2229103 (AndyRussG) Nice!! Thx much!!
[21:53:06] Traffic, Analytics, MediaWiki-extensions-CentralNotice, Operations: Generate a list of junk CN cookies being sent by clients - https://phabricator.wikimedia.org/T132374#2229110 (BBlack) Just noting here for posterity: since it sounds like we're potentially getting rid of cookies for future CN cam...
[22:13:33] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229282 (BBlack)
[22:14:05] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229301 (BBlack)
[22:14:20] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229282 (BBlack)
[22:22:00] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229282 (Krenair) Fixed #2.
[22:27:30] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229345 (BBlack) If I had to blindly guess on #1, it's that the config has `SSLCertificateFile` and `SSLCertificateKeyFile`, but lacks `SSLCertificateChainFile`, which should point at a copy of the...
[22:49:57] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229407 (Krenair) a:Krenair I think I've fixed #1 as well. I did find `SSLCertificateChainFile` in the docs but it's obsolete since apache 2.4.8. Please check. (I also removed the `SSLCACertifi...
[22:50:36] bblack, ^ openssl s_client showed this before:
[22:50:37] Certificate chain
[22:50:38] 0 s:/OU=GT78806307/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=wikitech-static.wikimedia.org
[22:50:38] i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
[22:50:58] now it has that and also this:
[22:50:59] 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
[22:51:00] i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
[22:53:04] Traffic, Analytics, DNS, Operations: Create analytics.wikimedia.org - https://phabricator.wikimedia.org/T132407#2229410 (Nuria) >It will have to be new apache setup for prod ja, but since they will be hosted on a single domain, the puppetization doesn't need any knowledge of the subdirectories of...
[22:53:55] netops, Analytics-Cluster, Analytics-Kanban, Operations, Patch-For-Review: setup/deploy server analytics1003/WMF4541 - https://phabricator.wikimedia.org/T130840#2229427 (Nuria) Open>Resolved
[23:13:51] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229474 (BBlack) Fix for #2 works, thanks! The deprecation thing is accurate, but the ChainFile method still works. We've just been configuring all of our in-house apaches the deprecated way becau...
[23:14:22] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229475 (BBlack) (edited above - #1 + #2 are fixed)
[23:28:34] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229500 (Krenair) >>! In T133360#2229474, @BBlack wrote: > The deprecation thing is accurate, but the ChainFile method still works. We've just been configuring all of our in-house apaches the depre...
[23:39:20] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229522 (BBlack) For all I know the STS header may have been previously-set in mediawiki config somehow, too, no idea on that. But it's outputting the right header now, so #3 fixed as well. ssllab...
[23:43:41] HTTPS, Traffic, Operations, Patch-For-Review: Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination - https://phabricator.wikimedia.org/T132521#2229538 (Krenair)
[23:43:43] HTTPS, Traffic, Operations: Fix wikitech-static TLS config - https://phabricator.wikimedia.org/T133360#2229537 (Krenair) Open>Resolved