[00:53:55] Traffic, netops, Operations, Patch-For-Review: Anycast recdns - https://phabricator.wikimedia.org/T186550 (ayounsi) Open→Resolved Everything in the scope of that task is completed.
[00:54:00] Traffic, netops, Operations, Patch-For-Review, Performance-Team (Radar): Anycast (Auth)DNS - https://phabricator.wikimedia.org/T98006 (ayounsi)
[05:32:28] Traffic, Operations: ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers - https://phabricator.wikimedia.org/T228135 (Vgutierrez)
[05:32:47] Traffic, Operations: ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers - https://phabricator.wikimedia.org/T228135 (Vgutierrez) p:Triage→Normal
[05:41:12] Traffic, Operations: ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers - https://phabricator.wikimedia.org/T228135 (Vgutierrez) Two PRs have been submitted to upstream: * Implement logging of SSL Elliptic Curve used: https://github.com/apache/trafficserver/pull/5724 *...
[06:50:12] Traffic, netops, Operations, Patch-For-Review: Anycast recdns - https://phabricator.wikimedia.org/T186550 (MoritzMuehlenhoff) It's my understanding that the steps necessary to restart our recursors are now reduced to a simple depool/repool and that the previous, complex approach from...
[10:30:37] willikins:~ vgutierrez$ curl -v https://en.wikipedia.com -o /dev/null 2>&1|fgrep -i location:
[10:30:37] < location: https://en.wikipedia.org/
[10:30:41] bblack: ^^ \o/
[11:33:19] \o/
[11:34:00] don't know what we have to do to make you win your tshirt, it seems like an impossibly hard task
[11:34:56] so let me handle the unified TLS certificate with acme-chief
[11:35:05] that could introduce some interesting stuff
[11:35:24] O:)
[11:37:21] BTW, I'm wondering if as a next step we could introduce slowly HSTS for the non canonical domains
[13:33:51] HTTPS, Traffic, Operations, Goal, Patch-For-Review: Create a secure redirect service for large count of non-canonical / junk domains - https://phabricator.wikimedia.org/T133548 (Vgutierrez)
[13:36:35] HTTPS, Traffic, Operations, Goal, Patch-For-Review: Create a secure redirect service for large count of non-canonical / junk domains - https://phabricator.wikimedia.org/T133548 (Vgutierrez) ncredir service has been deployed successfully and it's currently serving live traffic for wikipedia.co...
[13:40:04] Traffic, Analytics, Operations, User-Elukey: TLS certificates for Analytics origin servers - https://phabricator.wikimedia.org/T227860 (elukey) The idea that I have is to re-use what was done for the appservers, namely put nginx in front of httpd to terminate TLS. In theory we could: * generate one...
[13:41:26] Traffic, Analytics, Operations, User-Elukey: TLS certificates for Analytics origin servers - https://phabricator.wikimedia.org/T227860 (elukey)
[13:41:49] Traffic, Analytics, Analytics-Kanban, Operations, User-Elukey: TLS certificates for Analytics origin servers - https://phabricator.wikimedia.org/T227860 (elukey) a:elukey
[14:00:45] Traffic, Analytics, Analytics-Kanban, Operations, User-Elukey: TLS certificates for Analytics origin servers - https://phabricator.wikimedia.org/T227860 (Ottomata) Hm, all for it! Although, do you think it would be worth exploring the built in TLS support in the services where they support i...
[14:01:41] Traffic, Analytics, Analytics-Kanban, Operations, User-Elukey: TLS certificates for Analytics origin servers - https://phabricator.wikimedia.org/T227860 (elukey) >>! In T227860#5337057, @Ottomata wrote: > Hm, all for it! Although, do you think it would be worth exploring the built in TLS sup...
[14:06:53] ema: what about if we give him the damn tshirt but with a printed ciphered message
[14:07:07] the moment he breaks something we would give him the TLS keypair to decipher it
[14:07:22] probably he knows all openssl commands on the fly
[14:07:26] already
[14:10:53] :)
[14:17:29] Traffic, Operations: Setup a new PKI software as an alternative to the puppet CA for managing services certificates - https://phabricator.wikimedia.org/T194031 (Ottomata) I wouldn't call [[ https://github.com/wikimedia/cergen | cergen ]] a proper PKI management software, and probably is too painful to us...
[14:18:02] vgutierrez: \o/
[16:47:08] Traffic, Wikimedia-Apache-configuration, Operations, Patch-For-Review, and 2 others: Visual Editor gets stuck opening article (net::ERR_SPDY_PROTOCOL_ERROR 200/Loading failed for the