[05:56:44] question - does our nginx now how to JS? [07:24:00] ok, I know now that it does not - is there a way to add a module to our nginx? for specific roles e.g.? [07:40:50] zpapierski: yea, you could make a new profile that uses the nginx module and additionally also installs nginx-module-njs or whichever package [07:41:38] or add another variant to the nginx module class. for example now there is class { 'nginx' : variane => 'light' [07:47:04] thx, will try [09:43:27] <_joe_> zpapierski: uhm I'm not fond of the idea of adding too much intelligence to a specific nginx installation [09:43:55] <_joe_> but let's see what comes out of it first :) [09:44:11] likewis [09:44:11] e [09:44:14] but auth-request in nginx is a bit simplistic [09:44:43] and it won't handle oauth2 out of the box [09:45:03] <_joe_> so, today and tomorrow I'm not supposed to be working, but I will take a look at what can be done with other web proxies as well [09:46:12] oh, don't worry, it may take some time - I need to set up mediawiki and nginx locally first. owner based consumers for oauth2 are a no-go when it comes to authorization code grant [09:46:16] <_joe_> btw, usually people use lua in nginx most of the time [09:47:24] <_joe_> zpapierski: do you need to support authenticating with oauth2 directly or being able to verify if someone has a valid jwt token would be enough? [09:47:34] most (if not all) examples where js based for auth2 - e.g. https://github.com/nginxinc/NGINX-Demos/tree/master/oauth2-token-introspection-oss [09:47:39] hmm, good question [09:48:25] valid as in not expired? without veifying actual users scopes? [09:48:45] <_joe_> context is - envoy (the proxy with which we're mostly replacing nginx with) has a jwt authn filter [09:50:10] <_joe_> but I'm not 100% sure how it works rn [09:50:24] afaik, nginx can do that too, but, I too do not know exactly how it works :) [09:51:01] honestly, I'm a bit familiar with oauth2 grants (especially authorization code grant) and that's basically it [09:51:13] learning as I go :) [09:51:37] since it seems that mediawiki supports that one, this is the reason I went with it [09:52:34] anyway, this is why I'm setting up a local test env - doing this with production oauth and puppet on remote hosts is a little bit cumbersome [15:55:09] _joe_: fyi, we are going to deploy kask for session store on today next SWAT window. any concerns about that? [15:57:16] <_joe_> Pchelolo: I'm off today, but I think akosiaris is around to follow it [15:58:20] oh, enjoy the day off [15:58:26] akosiaris: ^^ [15:59:33] Pchelolo: yes I am around and will be for sessionstore [16:00:12] great, thank you. See you in a few hours [21:54:19] 10serviceops, 10Operations, 10Thumbor, 10User-jijiki: Upgrade Thumbor to Buster - https://phabricator.wikimedia.org/T216815 (10AntiCompositeNumber) Is there still work that needs to be done to prepare for this, or is it just waiting for someone to get around to handling the necessary configuration changes,...