check_reverse_dns: don't force mw-lb.miraheze.org (#3281)
There is no technical reason that a custom domain couldn't point to some
other miraheze.org subdomain. All possible subdomains will always exist
and resolve to our servers. This uses regex to ensure that the CNAME is
of the format <subdomain>.miraheze.org . The alert really comes into
play if somebody has changed their DNS after the domain was set up for
their wiki. And if they just changed what subdomain the record points
to, I don't think it's worth chasing the user up about it. As for new
domains, I always check the records beforehand (and anybody else
handling SSL requests should too), and thus this check should not be
relied on when adding SSL certs. We should be checking records before
adding SSL, and only contacting users after if they changed it after,
and for some reason the new configuration won't work. (non-miraheze.org
CNAME, or improper A records, or something similar, or not pointed at
all)

---------

Co-authored-by: CosmicAlpha <[email protected]>
MacFan4000 and Universal-Omega authored Mar 14, 2024
1 parent 05da265 commit 1d614f3
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion modules/monitoring/files/check_reverse_dns.py
Expand Up @@ -101,7 +101,10 @@ def check_records(hostname):
except resolver.NoAnswer:
cname = None

if cname == 'mw-lb.miraheze.org.':
if (
re.match(".+\.miraheze\.org", cname) and
not re.match("(issue-tracker|static|donate|reports)\.miraheze\.org", cname)
):
return 'CNAME'
elif cname is None and cname_check_impossible:
return 'CNAMEFLAT'
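Review bot: The new condition calls `re.match(".+\.miraheze\.org", cname)` without a None guard, but the `except resolver.NoAnswer` branch just above sets `cname = None`, and `re.match` raises TypeError on None, so the `elif cname is None and cname_check_impossible` branch is never reached for those hosts. The old `cname == 'mw-lb.miraheze.org.'` comparison was safe with None; put `cname is not None and` first in the new condition. Both patterns are also anchored only at the start, so any target that merely begins with `<label>.miraheze.org` is accepted even if more labels follow it; `re.fullmatch` with the trailing dot the old comparison expected (for example `r".+\.miraheze\.org\."`) would restrict the match to real miraheze.org subdomains. Use raw strings for both patterns, since `\.` in a plain string literal is an invalid escape sequence that Python warns about, and confirm the module already imports `re`, because the 4 added lines contain no import.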