Great news -- thanks Bryan!!

/me removes hacky domain proxy HTTPS enforcement config from Cloud VPS projects

On Tue, Aug 18, 2020 at 11:03 AM Bryan Davis <> wrote:
* HTTP -> HTTPS redirection is live (finally!)
* Currently allowing a "POST loophole"
* "POST loophole" will be closed on 2021-02-01

Today we merged a small change [0] to the front proxy used by Cloud
VPS projects [1]. This change brings automatic HTTP -> HTTPS
redirection to the "domain proxy" service and a
Strict-Transport-Security header with a 1 day duration.

The current configuration is conservative. We will only redirect GET
and HEAD requests to HTTPS to avoid triggering bugs in the handling of
redirects during POST requests. This "POST loophole" is the same
process that we followed when converting the production wiki farm and
Toolforge to HTTPS.

When we announced similar changes for Toolforge in 2019 [2] we forgot
to set a timeline for closing the POST loophole. This time we are
wiser! We will close the POST loophole and make all HTTP requests,
regardless of the verb used, redirect to HTTPS on 2021-02-01. This 6
month transition period should give us all a chance to find and update
URLs to use https and to fix any dependent software that might break
if a redirect was sent for a POST request.

If you find issues in your projects resulting from this change, please
do let us know. The tracking task for this change is T120486 [3]. We
also provide support in the #wikimedia-cloud channel on Freenode and
via the mailing list [4].


Bryan, on behalf of the Cloud VPS admin team
Bryan Davis              Technical Engagement      Wikimedia Foundation
Principal Software Engineer                               Boise, ID USA
[[m:User:BDavis_(WMF)]]                                      irc: bd808

Wikimedia Cloud Services announce mailing list (formerly

Wikimedia Cloud Services mailing list (formerly

Isaac Johnson (he/him/his) -- Research Scientist -- Wikimedia Foundation