Page MenuHomeMiraheze
Create Task
Maniphest T4016

Encrypt all traffic inside Miraheze Cluster
Closed, InvalidPublic
Actions

Description

Inside the Miraheze Cluster, there is no such thing as a private network. While some traffic is encrypted, for example SSH, Parsoid (TLS) and connections between cache proxies and MediaWiki servers (via TLS/stunnel), various forms of traffic is still unencrypted. Good examples are MediaWiki <-> Redis and MediaWiki/Redis/Phabricator <-> MariaDB.

Especially since we don't have private networking yet, it's not in line with our view on securing communications.

Unfortunately, encryption in software is still not a standard thing (and not without performance impact either). For example, Redis does not support TLS and MariaDB only supports OpenSSL (or the less popular yaSSL, which is the default) if compiled manually, Matomo (-> MariaDB) offers support for ssl_* configuration inside config.inc.php and with regards to MediaWiki (-> MariaDB) I have no idea - while Phabricator (-> MariaDB) definitely doesn't support it.

Creating a VPN between Miraheze servers in the NL Cluster is one way to go; vpncloud.rs seems reasonable to do and doesn't require complex changes to current IP configuration.. On the other hand, stunnel (for Redis) is very easy to do and ProxySQL may even bring performance improvements instead of degradation!

Sub-tasks will be created as necessary.

Related Objects
Search...

Event Timeline

Southparkfan triaged this task as Normal priority.Jan 16 2019, 19:33
Southparkfan created this task.
Herald added subscribers: revi, CnocBride, Reception123. · View Herald TranscriptJan 16 2019, 19:33
John subscribed.Jan 16 2019, 19:43

MariaDB<->MediaWiki is SSL.

Paladox subscribed.Jan 16 2019, 19:56
John moved this task from Backlog to Operations on the Goal-2019-Jan-Jun board.Jan 16 2019, 20:05
Southparkfan mentioned this in T4018: Evaluate usage of ProxySQL on MediaWiki servers.Jan 16 2019, 21:37
Paladox added a subtask: T4179: Encrypt LizardFS traffic.Mar 5 2019, 22:36
John closed subtask T4127: Install and puppetize VPNCloud as Resolved.Jun 5 2019, 18:34
John changed the status of subtask T4127: Install and puppetize VPNCloud from Resolved to Declined.
John edited projects, added Goal-2019-Jul-Dec; removed Goal-2019-Jan-Jun.Jun 5 2019, 18:36
RhinosF1 subscribed.Sep 8 2019, 22:53
Paladox closed subtask T4179: Encrypt LizardFS traffic as Declined.Dec 24 2019, 13:48
Herald removed a subscriber: RhinosF1. · View Herald TranscriptDec 24 2019, 13:48
Paladox added a project: Goal-2020-Jan-Jun.Dec 31 2019, 15:59

Per @Southparkfan

Southparkfan removed a project: Goal-2019-Jul-Dec.Jan 29 2020, 23:21
Southparkfan moved this task from Backlog to Site Reliability Engineering on the Goal-2020-Jan-Jun board.
John added a project: Goal-2019-Jul-Dec.Jan 29 2020, 23:48
John moved this task from Radar to New Features/Services on the Site Reliability Engineering board.Apr 13 2020, 14:14
John added a project: Goal-2020-Jul-Dec.Jul 3 2020, 18:18
Southparkfan moved this task from Backlog to Site Reliability Engineering on the Goal-2020-Jul-Dec board.Jul 6 2020, 16:38
Southparkfan removed a project: Goal-2020-Jul-Dec.Nov 21 2020, 19:21
Herald added a subscriber: Unknown Object (User). · View Herald TranscriptNov 21 2020, 19:21
John edited projects, added Infrastructure (SRE); removed Site Reliability Engineering.Jan 30 2021, 11:45
John moved this task from Incoming to Long Term on the Infrastructure (SRE) board.Jan 30 2021, 12:20
John closed subtask T4019: Encrypt Redis traffic as Declined.Feb 25 2021, 16:38
John closed this task as Invalid.Mar 7 2021, 15:57

Tracking tasks are bad - as this task depends on sub tasks being doing rather than something actually being done.

If there are measurable things that need to be done to resolve this idea except for the existing open task, more tasks should be opened.

John closed subtask T4017: Reconfigure TLS settings inside MariaDB as Resolved.Sep 2 2021, 15:46