Jakub Klinkovský authored 3 years ago and Kristian Klausen committed 3 years ago

We've hit this problem at least twice in the past, last time with the new
Vector skin update. With this change it should not be necessary to do
anything manually after an update.

A new editor was introduced in the most recent mediawiki update which
comes with images from a new extension location

Our API endpoint was being abused by a malicious user which send about
20 req/s, as php-fpm uses a pool of workers this easily over burdens
them and also gives the server a constant 100% CPU load.

Applying a rate limit succesfully negates this issue.

Ex: https://wiki.archlinux.org/index.php/Special:Search?search=systemd

The arch wiki box previously had plenty of ram to play around with, but
the current box is significantly smaller. Memcached seems to cache ~ 600
MB on average so 1024 should suit us fine.

Kristian Klausen authored 3 years ago and Jelle van der Waa committed 3 years ago

It seems to work, so we can make the redirect permanent now.

Kristian Klausen authored 4 years ago and Jelle van der Waa committed 3 years ago

The wiki people has been wanting this for some time[1], so let's
implement it.

This change the url from:
https://wiki.archlinux.org/index.php/Main_page
to:
https://wiki.archlinux.org/title/Main_page

[1] https://wiki.archlinux.org/index.php?title=ArchWiki_talk:Requests&oldid=648459#index.php_in_url_address

Leonidas Spyropoulos authored 3 years ago and Jelle van der Waa committed 3 years ago

Stop uncontrolled requests before reach php backend

Closes: #276

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

Kristian Klausen authored 3 years ago and Jelle van der Waa committed 3 years ago

A extra access_log entry was added with the following commands:
$ cd roles
$ grep -lr access_log | xargs -P 1 -n 1 sed -i '/access_log/ s/\(.*\)\( \)\(\(reduced\|main\);$\)/\1 \3\n\1.json json_\3/'

Kristian Klausen authored 4 years ago and Jelle van der Waa committed 3 years ago

[1] https://github.com/yandex/gixy/blob/641060d6355fbb5bd71695928a2bf14a9bcb8bf2/docs/en/plugins/aliastraversal.md

Fix #291

As mediawiki does not support PHP 8 yet in the current LTS release, we
have to stay with PHP 7.

yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.

Mediawiki allows the configuration of Referrer policy, which is set to
the same value as archlinux.org, retaining the referrer for https://
links as they might be beneficial as promotion. Set the X-Frame-Options
header to deny framing.

It should make it easier to change how the certificates is issued.
Ex: If we want to switch to ECDSA certificates in the future or replace
certbot with something else.

The box now is much smaller than the box we had the wiki on before and so we used a lot of workers because it didn't matter.
The new box had too much memory pressure and so we had to decrease this.
In a load test, it lead to much better performance under high HTTP load.

Allow bounce handling from mail.archlinux.org, the new email server

- home directory needs 751 - nginx accesses it to serve static files
- cache and sessions directories are used only by PHP -> 750
- uploads is public -> 755

Note that the "fix home permissions" task was duplicated. Other tasks
fixing permissions were moved above.

This is much cleaner because the nginx role does not have to set the
fastcgi_cache variable to "false" by default, which was overridden by
host_vars/apollo.archlinux.org to "wiki", but the value was still
hardcoded in the config.

At first, I was wondering that the cache "zone" name should be
generalized to improve the configuration (from the original per-host to
per-service), but that would be an overkill since the fastcgi cache is
used only for the wiki...

This role actually uses a handler from nginx to reload nginx.service.

Otherwise the timer may be started before mysqld and the service would
fail at the first start.

archwiki-runjobs.service is one-shot and timer-activated, it is not
supposed to be enabled.

fail2ban is no longer a dependency of the archwiki role.

Frederik Schwan authored 4 years ago and Sven-Hendrik Haase committed 4 years ago

also use systemd instead of service module

Disallow all pages with /index.php? as this excludes wiki history pages
which are shown as
https://wiki.archlinux.org/index.php?title=Lala&action=history to allow
us to remove the lockdown plugin.