
Encrypt all traffic inside Miraheze Cluster
Open, Normal, Public

Description

Inside the Miraheze Cluster, there is no such thing as a private network. While some traffic is encrypted, for example SSH, Parsoid (TLS) and connections between cache proxies and MediaWiki servers (via TLS/stunnel), various forms of traffic are still unencrypted. Good examples are MediaWiki <-> Redis and MediaWiki/Redis/Phabricator <-> MariaDB.

Especially since we don't have private networking yet, it's not in line with our view on securing communications.

Unfortunately, encryption in software is still not a standard thing (and not without performance impact either). For example, Redis does not support TLS and MariaDB only supports OpenSSL (or the less popular yaSSL, which is the default) if compiled manually, Matomo (-> MariaDB) offers support for ssl_* configuration inside config.inc.php and with regard to MediaWiki (-> MariaDB) I have no idea - while Phabricator (-> MariaDB) definitely doesn't support it.

Creating a VPN between Miraheze servers in the NL Cluster is one way to go; vpncloud.rs seems reasonable to do and doesn't require complex changes to current IP configuration. On the other hand, stunnel (for Redis) is very easy to do and ProxySQL may even bring performance improvements instead of degradation!

Sub-tasks will be created as necessary.
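As an added illustration of the stunnel route for Redis mentioned in the description (example configuration written for this page, not from the task or from Miraheze's puppet repository; hostnames, ports and certificate paths are assumptions):

```ini
; Example stunnel configuration, two files on two hosts (assumed names/paths).
; Both sides set "verify = 2" so the tunnel is authenticated with the cluster
; CA, not merely encrypted: stunnel's default is to verify nothing.

; ---- /etc/stunnel/redis.conf on the Redis host ----
; Terminates TLS on 6380 and hands the plaintext stream to the local Redis,
; which keeps "bind 127.0.0.1" so nothing can bypass the tunnel.
[redis-server]
accept = 0.0.0.0:6380
connect = 127.0.0.1:6379
cert = /etc/stunnel/redis-host.crt
key = /etc/stunnel/redis-host.key
CAfile = /etc/stunnel/cluster-ca.crt
; 2 = require a peer certificate and check it against CAfile
verify = 2

; ---- /etc/stunnel/redis.conf on a MediaWiki host ----
; MediaWiki keeps talking to localhost:6379; stunnel carries it over TLS.
[redis-client]
client = yes
accept = 127.0.0.1:6379
connect = redis1.example.internal:6380
cert = /etc/stunnel/mw-host.crt
key = /etc/stunnel/mw-host.key
CAfile = /etc/stunnel/cluster-ca.crt
verify = 2
; also reject a CA-signed certificate issued for a different host
checkHost = redis1.example.internal
```

Without `verify = 2` on the client side, stunnel will happily complete a handshake with any server presenting any certificate, so the traffic is hidden from passive sniffing but the Redis host is not authenticated.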

Event Timeline

Southparkfan triaged this task as Normal priority. Jan 16 2019, 19:33
Southparkfan created this task.
John added a subscriber: John. Jan 16 2019, 19:43

MariaDB<->MediaWiki is SSL.

Paladox added a subscriber: Paladox. Jan 16 2019, 19:56
John moved this task from Backlog to Operations on the Goal-2019-Jan-Jun board. Jan 16 2019, 20:05
Paladox added a subtask: Restricted Maniphest Task. Mar 5 2019, 22:36
John changed the status of subtask T4127: Install and puppetize VPNCloud from Resolved to Declined.
RhinosF1 added a subscriber: RhinosF1. Sep 8 2019, 22:53