deployment-prep/deployment-cache.yaml -

	confd::srv_dns: deployment-prep.eqiad.wmflabs
	mtail::service_ensure: absent
	profile::cache::haproxy::acls:
	tls:
	- criterion: var(txn.xwd_count)
	name: missing_xwd
	operator: -m int eq
	value: '0'
	- criterion: fc_http_major
	name: h2
	operator: eq
	value: '2'
	- criterion: ssl_fc_is_resumed
	name: ssl_session_reused
	operator: eq
	value: '1'
	- criterion: ssl_fc_cipher
	name: ssl_auth_rsa
	operator: -m reg
	value: ^ECDHE-RSA
	profile::cache::haproxy::add_headers:
	tls:
	- direction: request
	name: X-Client-IP
	value: '%[src]'
	- direction: request
	name: X-Client-Port
	value: '%[src_port]'
	- direction: request
	name: X-Forwarded-Proto
	value: https
	- direction: request
	name: X-Connection-Properties
	value: H2=%[var(req.h2)]; SSR=%[ssl_fc_is_resumed]; SSL=%[ssl_fc_protocol]; C=%[ssl_fc_cipher];
	EC=UNKNOWN;
	- direction: request
	name: X-Analytics-TLS
	value: vers=%[ssl_fc_protocol];keyx=unknown;auth=%[var(req.auth)];ciph=%[var(req.ciph)];prot=%[var(req.h2s)];sess=%[var(req.sess)]
	profile::cache::haproxy::available_unified_certificates:
	lets-encrypt:
	cert_paths:
	- /etc/acmecerts/unified/live/rsa-2048.chained.crt.key
	- /etc/acmecerts/unified/live/ec-prime256v1.chained.crt.key
	critical_threshold: 15
	server_names:
	- '*.wikimedia.beta.wmflabs.org'
	- beta.wmflabs.org
	- upload.beta.wmflabs.org
	- m.wikidata.beta.wmflabs.org
	- wikidata.beta.wmflabs.org
	- m.wikifunctions.beta.wmflabs.org
	- wikifunctions.beta.wmflabs.org
	- '*.wikibooks.beta.wmflabs.org'
	- '*.wikimedia.beta.wmflabs.org'
	- '*.wikinews.beta.wmflabs.org'
	- '*.wikipedia.beta.wmflabs.org'
	- '*.wikiquote.beta.wmflabs.org'
	- '*.wikisource.beta.wmflabs.org'
	- '*.wikiversity.beta.wmflabs.org'
	- '*.wikivoyage.beta.wmflabs.org'
	- '*.wiktionary.beta.wmflabs.org'
	- '*.m.wikibooks.beta.wmflabs.org'
	- '*.m.wikimedia.beta.wmflabs.org'
	- '*.m.wikinews.beta.wmflabs.org'
	- '*.m.wikipedia.beta.wmflabs.org'
	- '*.m.wikiquote.beta.wmflabs.org'
	- '*.m.wikisource.beta.wmflabs.org'
	- '*.m.wikiversity.beta.wmflabs.org'
	- '*.m.wikivoyage.beta.wmflabs.org'
	- '*.m.wiktionary.beta.wmflabs.org'
	- '*.zero.wikipedia.beta.wmflabs.org'
	warning_threshold: 21
	profile::cache::haproxy::del_headers:
	tls:
	- direction: response
	name: X-Analytics
	- acl: missing_xwd
	direction: response
	name: Backend-Timing
	- acl: missing_xwd
	direction: response
	name: X-ATS-Timestamp
	- acl: missing_xwd
	direction: response
	name: X-Envoy-Upstream-Service-Time
	- acl: missing_xwd
	direction: response
	name: X-OpenStack-Request-ID
	- acl: missing_xwd
	direction: response
	name: X-Powered-By
	- acl: missing_xwd
	direction: response
	name: X-Request-Id
	- acl: missing_xwd
	direction: response
	name: X-Timestamp
	- acl: missing_xwd
	direction: response
	name: X-Trans-Id
	- acl: missing_xwd
	direction: response
	name: X-Varnish
	profile::cache::haproxy::do_ocsp: true
	profile::cache::haproxy::h2settings:
	header_table_size: 4096
	initial_window_size: 65535
	max_concurrent_streams: 100
	profile::cache::haproxy::redirection_timeout:
	client: 3
	client_fin: 1
	connect: 0
	http_request: 3
	keep_alive: 3
	server: 0
	tunnel: 0
	profile::cache::haproxy::timeout:
	client: 120
	client_fin: 120
	connect: 3
	http_request: 3600
	keep_alive: 120
	server: 180
	tunnel: 3600
	profile::cache::haproxy::tls13_ciphers: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
	profile::cache::haproxy::tls_cachesize: 512000
	profile::cache::haproxy::tls_ciphers: -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
	profile::cache::haproxy::tls_port: 443
	profile::cache::haproxy::tls_session_lifetime: 86400
	profile::cache::haproxy::unified_acme_chief: true
	profile::cache::haproxy::varnish_socket:
	address: /run/varnish-privileged.socket
	prefix: unix
	profile::cache::haproxy::vars:
	tls:
	- direction: request
	name: txn.xwd_count
	value: req.hdr_cnt(X-Wikimedia-Debug)
	- acl: h2
	direction: request
	name: req.h2
	value: int(1)
	- acl: '!h2'
	direction: request
	name: req.h2
	value: int(0)
	- acl: h2
	direction: request
	name: req.h2s
	value: str(h2)
	- acl: '!h2'
	direction: request
	name: req.h2s
	value: str(h1)
	- acl: '!ssl_session_reused'
	direction: request
	name: req.sess
	value: str(new)
	- acl: ssl_session_reused
	direction: request
	name: req.sess
	value: str(reused)
	- direction: request
	name: req.ciph
	value: ssl_fc_cipher,regsub('^ECDHE-ECDSA-',''),regsub('^ECDHE-RSA-',''),regsub('^TLS_',''),regsub('_','-','g'),regsub('^CHACHA20-POLY1305$','CHACHA20-POLY1305-SHA256')
	- acl: ssl_auth_rsa
	direction: request
	name: req.auth
	value: str(RSA)
	- acl: '!ssl_auth_rsa'
	direction: request
	name: req.auth
	value: str(ECDSA)
	profile::cache::haproxy::version: haproxy26
	profile::cache::purge::backend_addr: 127.0.0.1:3128
	profile::cache::purge::frontend_addr: /run/varnish-privileged.socket
	profile::cache::varnish::frontend::listen_uds:
	- /run/varnish-frontend-0.socket
	- /run/varnish-frontend-1.socket
	- /run/varnish-frontend-2.socket
	- /run/varnish-frontend-3.socket
	- /run/varnish-frontend-4.socket
	- /run/varnish-frontend-5.socket
	- /run/varnish-frontend-6.socket
	- /run/varnish-frontend-7.socket
	profile::cache::varnish::frontend::thread_pool_max: 5000
	profile::cache::varnish::frontend::uds_group: root
	profile::cache::varnish::frontend::uds_mode: '700'
	profile::cache::varnish::frontend::uds_owner: haproxy
	public_tls_unified_cert_vendor: lets-encrypt

deployment-prep/deployment-cache.yaml - cloud/instance-puppet - Gitiles