Page MenuHomePhabricator
Create Task
Maniphest T107030

Restbase insecure POST requests to MW api.php
Closed, ResolvedPublic
Actions

Description

We have a decently-high rate of POST requests over HTTP (should be HTTPS) coming into our text-lb endpoints from restbase100x.eqiad.wmnet. Insecure POST traffic will eventually be blocked, so this needs fixing first. The requests look like:

 34 RxRequest    c POST
 34 RxURL        c /w/api.php
 34 RxProtocol   c HTTP/1.1
 34 RxHeader     c x-request-id: 272dbc55-3466-11e5-a95c-bdae65acf6b0
 34 RxHeader     c host: commons.wikimedia.org
 34 RxHeader     c content-type: application/x-www-form-urlencoded
 34 RxHeader     c content-length: 174
 34 RxHeader     c Connection: keep-alive
 96 RxRequest    c POST
 96 RxURL        c /w/api.php
 96 RxProtocol   c HTTP/1.1
 96 RxHeader     c x-request-id: 2955ff80-3466-11e5-a483-7b152de49283
 96 RxHeader     c host: en.wiktionary.org
 96 RxHeader     c content-type: application/x-www-form-urlencoded
 96 RxHeader     c content-length: 173
 96 RxHeader     c Connection: keep-alive
 79 RxRequest    c POST
 79 RxURL        c /w/api.php
 79 RxProtocol   c HTTP/1.1
 79 RxHeader     c x-request-id: 296a7807-3466-11e5-8510-97b6c23551ce
 79 RxHeader     c host: sh.wikipedia.org
 79 RxHeader     c content-type: application/x-www-form-urlencoded
 79 RxHeader     c content-length: 173
 79 RxHeader     c Connection: keep-alive
104 RxRequest    c POST
104 RxURL        c /w/api.php
104 RxProtocol   c HTTP/1.1
104 RxHeader     c x-request-id: 29af1c09-3466-11e5-898e-7f5686f90730
104 RxHeader     c host: www.wikidata.org
104 RxHeader     c content-type: application/x-www-form-urlencoded
104 RxHeader     c content-length: 174
104 RxHeader     c Connection: keep-alive
 94 RxRequest    c POST
 94 RxURL        c /w/api.php
 94 RxProtocol   c HTTP/1.1
 94 RxHeader     c x-request-id: 29f1ec65-3466-11e5-9625-9f1f68e3a7b6
 94 RxHeader     c host: www.wikidata.org
 94 RxHeader     c content-type: application/x-www-form-urlencoded
 94 RxHeader     c content-length: 174
 94 RxHeader     c Connection: keep-alive
122 RxRequest    c POST
122 RxURL        c /w/api.php
122 RxProtocol   c HTTP/1.1
122 RxHeader     c x-request-id: 2bc2fc12-3466-11e5-bba7-38f311c87ffc
122 RxHeader     c host: www.wikidata.org
122 RxHeader     c content-type: application/x-www-form-urlencoded
122 RxHeader     c content-length: 174
122 RxHeader     c Connection: keep-alive

Related Objects
Search...

Event Timeline

BBlack created this task.Jul 27 2015, 1:51 PM
BBlack raised the priority of this task from to Needs Triage.
BBlack updated the task description. (Show Details)
BBlack added projects: Traffic, acl*sre-team, RESTBase.
BBlack subscribed.
Restricted Application added subscribers: Matanya, Aklapper. · View Herald TranscriptJul 27 2015, 1:51 PM
BBlack added a parent task: T105794: Insecure POST traffic.Jul 27 2015, 1:52 PM
GWicke subscribed.Jul 27 2015, 5:05 PM

We discussed this on IRC, and decided to switch RESTBase directly to api.srv.eqiad.wmnet for now. This means that we'll need to explicitly override the host: header in our API requests to match the domain. For now that entry point is HTTP-only, but switching to HTTPS once available will be just a small config change.

GWicke triaged this task as Medium priority.Jul 27 2015, 5:06 PM
GWicke set Security to None.
GWicke added a comment.EditedJul 29 2015, 12:25 AM

This will be significantly cleaner to configure with request templates. Once that feature is merged, we could replace https://github.com/wikimedia/restbase/blob/master/mods/action.js#L111-L114 with a request template supplied by the config. For production, that template could look somewhat like this:

apiRequest:
  uri: http://api.svc.eqiad.wmnet/w/api.php
  headers:
    host: '{domain}'

We can then hook that up in https://github.com/wikimedia/restbase/blob/master/mods/action.js#L153 to provide a starting point for the API request.

GWicke added a subtask: T86737: Generalize request templating for service requests.Jul 29 2015, 12:26 AM
GWicke edited subscribers, added: Pchelolo, mobrovac; removed: Aklapper.
MZMcBride subscribed.Jul 29 2015, 4:00 AM
Pchelolo claimed this task.Jul 29 2015, 5:45 PM
GWicke added a comment.Jul 31 2015, 12:24 AM

https://github.com/wikimedia/restbase/pull/288 to address this was now merged, but is not deployed yet. It's part of a larger deploy, and will require matching config updates and careful testing.

Pchelolo closed subtask T86737: Generalize request templating for service requests as Resolved.Aug 5 2015, 11:40 AM
GWicke closed this task as Resolved.EditedAug 6 2015, 8:20 PM

Since yesterday's deploy RESTBase is now directly using http://api.svc.eqiad.wmnet/, without going through Varnish. The config for the backend request currently lives in puppet.

BBlack moved this task from Backlog to Done on the Traffic board.Aug 7 2015, 4:41 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL