CanastaWiki / Canasta

MediaWiki Docker image for Canasta, an all-in-one MediaWiki stack for easy deployment and management of enterprise-ready MediaWiki on production environments.

Home Page:https://www.canasta.wiki


More accurately reference CDN servers

cicalese opened this issue · comments

$wgCdnServersNoPurge = [];
$wgCdnServersNoPurge[] = '10.0.0.0/8'; // 10.0.0.0 – 10.255.255.255
$wgCdnServersNoPurge[] = '172.16.0.0/12'; // 172.16.0.0 – 172.31.255.255
$wgCdnServersNoPurge[] = '192.168.0.0/16'; // 192.168.0.0 – 192.168.255.255

The specified ranges are overly broad. This is preventing purges from being sent.

It really shouldn't matter if that setting is overly broad (other than the mild security risk if one of those servers are untrusted). What matters is that $wgCdnServers is set correctly.

That makes sense. Is it accurate to say that the title of the task is still correct, but the substance is that $wgCdnServers is not set, rather than $wgCdnServersNoPurge is too broad?

yes.

An argument could be made for not setting $wgCdnServersNoPurge to the entire private IP space like that, but it's the $wgCdnServers setting that is critical.

Was this fixed eventually @cicalese @bawolff?

Not as far as I know. I believe that @bawolff patched our instance by adding the following to CanastaDefaultSettings.php:

$wgCdnServers = [];
$wgCdnServers[] = "varnish:80";

I think it also involved setting $wgInternalServer to have an http protocol

It looks like a value of

$wgInternalServer = 'http://gateway.docker.internal'; // string value needs quotes in PHP

might do the trick. Does that look correct, @bawolff ?

It depends on how varnish is configured. The most likely correct value would be $wgServer except http instead of https. It should be whatever caddy is sending varnish as the host value

On our instance, we have caddy disabled. In this case, the IP address for gateway.docker.internal matches that of varnish. It seems that gateway.docker.internal would be correct when used with caddy as well, while specifying varnish in that case (as originally patched in our instance) would not be correct. But, somebody would need to test to be sure that works in the default Canasta case (with caddy).

Or, are you saying that using the IP address rather than the hostname would not allow varnish to operate correctly?

The host name for wgInternalServer is used to determine what to purge on varnish. Unless the varnish vcl has host normalization code, it has to match what the host is of incoming requests, or varnish will think the purges are for a different virtual host.
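A small diagnostic, added here as an example and not code from Canasta or MediaWiki, that models the three points the thread turns on: only $wgCdnServers receives PURGE requests (so an empty list means nothing is ever purged), both CDN lists mark proxies as trusted for forwarded client IPs, and the PURGE Host header derived from $wgInternalServer must match the Host that Varnish sees on ordinary requests. The config values and the incoming host names are constructed sample data.

```python
# Added example (not from the Canasta repository): models how MediaWiki's CDN
# settings behave, as described in the issue thread above.
import ipaddress
from urllib.parse import urlsplit


def purge_targets(cdn_servers, cdn_servers_no_purge):
    """PURGE requests go only to $wgCdnServers; $wgCdnServersNoPurge is never purged."""
    return list(cdn_servers)


def is_trusted_proxy(ip, cdn_servers, cdn_servers_no_purge):
    """Both lists mark an address as a trusted proxy (entries may be CIDR or host:port)."""
    addr = ipaddress.ip_address(ip)
    for entry in list(cdn_servers) + list(cdn_servers_no_purge):
        # strip a ":port" suffix from host:port entries; CIDR entries have no port
        host = entry.rsplit(":", 1)[0] if ("/" not in entry and ":" in entry) else entry
        try:
            if addr in ipaddress.ip_network(host, strict=False):
                return True
        except ValueError:
            continue  # a hostname such as "varnish" is not an IP range; skip it
    return False


def purge_host_matches(internal_server, incoming_host):
    """True if a PURGE built from $wgInternalServer would hit the same virtual
    host Varnish sees on normal traffic (no host normalization in the VCL)."""
    parts = urlsplit(internal_server)
    if parts.scheme != "http":
        return False  # purges are sent to Varnish over plain http
    return parts.netloc.lower() == incoming_host.lower()


if __name__ == "__main__":
    # constructed sample: the original Canasta setting (no $wgCdnServers at all)
    no_purge = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    print(purge_targets([], no_purge))              # [] -> nothing is purged
    print(purge_targets(["varnish:80"], no_purge))  # ['varnish:80']
    print(is_trusted_proxy("172.20.0.5", ["varnish:80"], no_purge))  # True
    print(purge_host_matches("http://varnish:80", "wiki.example.org"))  # False
```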