
Restbase insecure POST requests to MW api.php
Closed, Resolved · Public

Description

We have a decently-high rate of POST requests over HTTP (should be HTTPS) coming into our text-lb endpoints from restbase100x.eqiad.wmnet. Insecure POST traffic will eventually be blocked, so this needs fixing first. The requests look like:

 34 RxRequest    c POST
 34 RxURL        c /w/api.php
 34 RxProtocol   c HTTP/1.1
 34 RxHeader     c x-request-id: 272dbc55-3466-11e5-a95c-bdae65acf6b0
 34 RxHeader     c host: commons.wikimedia.org
 34 RxHeader     c content-type: application/x-www-form-urlencoded
 34 RxHeader     c content-length: 174
 34 RxHeader     c Connection: keep-alive
 96 RxRequest    c POST
 96 RxURL        c /w/api.php
 96 RxProtocol   c HTTP/1.1
 96 RxHeader     c x-request-id: 2955ff80-3466-11e5-a483-7b152de49283
 96 RxHeader     c host: en.wiktionary.org
 96 RxHeader     c content-type: application/x-www-form-urlencoded
 96 RxHeader     c content-length: 173
 96 RxHeader     c Connection: keep-alive
 79 RxRequest    c POST
 79 RxURL        c /w/api.php
 79 RxProtocol   c HTTP/1.1
 79 RxHeader     c x-request-id: 296a7807-3466-11e5-8510-97b6c23551ce
 79 RxHeader     c host: sh.wikipedia.org
 79 RxHeader     c content-type: application/x-www-form-urlencoded
 79 RxHeader     c content-length: 173
 79 RxHeader     c Connection: keep-alive
104 RxRequest    c POST
104 RxURL        c /w/api.php
104 RxProtocol   c HTTP/1.1
104 RxHeader     c x-request-id: 29af1c09-3466-11e5-898e-7f5686f90730
104 RxHeader     c host: www.wikidata.org
104 RxHeader     c content-type: application/x-www-form-urlencoded
104 RxHeader     c content-length: 174
104 RxHeader     c Connection: keep-alive
 94 RxRequest    c POST
 94 RxURL        c /w/api.php
 94 RxProtocol   c HTTP/1.1
 94 RxHeader     c x-request-id: 29f1ec65-3466-11e5-9625-9f1f68e3a7b6
 94 RxHeader     c host: www.wikidata.org
 94 RxHeader     c content-type: application/x-www-form-urlencoded
 94 RxHeader     c content-length: 174
 94 RxHeader     c Connection: keep-alive
122 RxRequest    c POST
122 RxURL        c /w/api.php
122 RxProtocol   c HTTP/1.1
122 RxHeader     c x-request-id: 2bc2fc12-3466-11e5-bba7-38f311c87ffc
122 RxHeader     c host: www.wikidata.org
122 RxHeader     c content-type: application/x-www-form-urlencoded
122 RxHeader     c content-length: 174
122 RxHeader     c Connection: keep-alive
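The records above are varnishlog client-side ("c") entries, one transaction id per request, and the task is to find plain-HTTP POSTs to /w/api.php and attribute them to a Host. The following is an added example, not code from the task or from RESTBase, that groups such lines by transaction id and tallies insecure API POSTs per host. It assumes (as an assumption for this example only) that TLS-terminated requests reach Varnish with an X-Forwarded-Proto: https request header, so a POST without one is counted as plaintext; the sample log is constructed in the shape of the records in the description.

```javascript
// Added example (not from the task or RESTBase): tally plain-HTTP POSTs to
// /w/api.php per Host in varnishlog-style client-side records.
// Assumption: TLS-terminated requests carry an "X-Forwarded-Proto: https"
// request header on the Varnish side; a POST without it is treated as HTTP.
const LINE_RE = /^\s*(\d+)\s+(\w+)\s+([cb])\s+(.*)$/;

// Parse "<txid> <tag> <c|b> <value>" lines into one record per transaction.
function parseVarnishlog(text) {
  const txs = new Map(); // transaction id -> { id, method, url, headers }
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, id, tag, side, value] = m;
    if (side !== 'c') continue; // only client-side (received) records
    let tx = txs.get(id);
    if (!tx) {
      tx = { id, method: null, url: null, headers: {} };
      txs.set(id, tx);
    }
    if (tag === 'RxRequest') tx.method = value.trim();
    else if (tag === 'RxURL') tx.url = value.trim();
    else if (tag === 'RxHeader') {
      const idx = value.indexOf(':');
      if (idx > 0) {
        tx.headers[value.slice(0, idx).trim().toLowerCase()] = value.slice(idx + 1).trim();
      }
    }
  }
  return [...txs.values()];
}

// Count POSTs to /w/api.php that did not arrive via TLS, keyed by Host header.
function insecureApiPosts(text) {
  const counts = {};
  for (const tx of parseVarnishlog(text)) {
    if (tx.method !== 'POST' || tx.url !== '/w/api.php') continue;
    const proto = (tx.headers['x-forwarded-proto'] || 'http').toLowerCase();
    if (proto === 'https') continue;
    const host = tx.headers.host || '(no host)';
    counts[host] = (counts[host] || 0) + 1;
  }
  return counts;
}

// Constructed sample: two records shaped like the ones in the task, plus one
// TLS-terminated request (assumed X-Forwarded-Proto header) that must be ignored.
const SAMPLE = `
 34 RxRequest    c POST
 34 RxURL        c /w/api.php
 34 RxProtocol   c HTTP/1.1
 34 RxHeader     c host: commons.wikimedia.org
 34 RxHeader     c content-type: application/x-www-form-urlencoded
104 RxRequest    c POST
104 RxURL        c /w/api.php
104 RxProtocol   c HTTP/1.1
104 RxHeader     c host: www.wikidata.org
200 RxRequest    c POST
200 RxURL        c /w/api.php
200 RxProtocol   c HTTP/1.1
200 RxHeader     c host: www.wikidata.org
200 RxHeader     c X-Forwarded-Proto: https
`;

console.log(insecureApiPosts(SAMPLE));
```

Run against a real `varnishlog -c` capture the counts tell you which internal client and which wikis are affected; the header check is the assumption to verify first against your own edge configuration.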

Event Timeline

BBlack created this task. Jul 27 2015, 1:51 PM
BBlack raised the priority of this task from to Needs Triage.
BBlack updated the task description. (Show Details)
BBlack added projects: Traffic, acl*sre-team, RESTBase.
BBlack added a subscriber: BBlack.
Restricted Application added subscribers: Matanya, Aklapper. Jul 27 2015, 1:51 PM

We discussed this on IRC, and decided to switch RESTBase directly to api.srv.eqiad.wmnet for now. This means that we'll need to explicitly override the host: header in our API requests to match the domain. For now that entry point is HTTP-only, but switching to HTTPS once available will be just a small config change.

GWicke triaged this task as Normal priority. Jul 27 2015, 5:06 PM
GWicke set Security to None.
GWicke added a comment. Edited Jul 29 2015, 12:25 AM

This will be significantly cleaner to configure with request templates. Once that feature is merged, we could replace https://github.com/wikimedia/restbase/blob/master/mods/action.js#L111-L114 with a request template supplied by the config. For production, that template could look somewhat like this:

apiRequest:
  uri: http://api.svc.eqiad.wmnet/w/api.php
  headers:
    host: '{domain}'

We can then hook that up in https://github.com/wikimedia/restbase/blob/master/mods/action.js#L153 to provide a starting point for the API request.
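As an added example (not RESTBase's own request-template engine or config), the following shows what expanding a template of the shape sketched above amounts to: the backend URI stays the internal service entry point, while the Host header is filled from the wiki's public domain so MediaWiki still serves the right project. The `{name}` placeholder syntax, the helper names, and the `api.svc.eqiad.wmnet` URI in the template are assumptions made for this example. It also carries a check that reports whether the backend hop itself is TLS-protected, which stays false until the entry point becomes HTTPS and the `uri` line in the config is switched.

```javascript
// Added example (not RESTBase's template implementation): expand a request
// template so the request goes to the internal API service while the Host
// header carries the public domain. "{name}" placeholder syntax is an assumption.
function expandTemplate(value, vars) {
  if (typeof value === 'string') {
    return value.replace(/\{(\w+)\}/g, (match, name) => {
      if (!(name in vars)) throw new Error(`unbound template variable: ${name}`);
      return vars[name];
    });
  }
  if (Array.isArray(value)) return value.map((v) => expandTemplate(v, vars));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = expandTemplate(v, vars);
    return out;
  }
  return value;
}

// Template in the shape of the YAML above (the uri value is an assumption).
const API_TEMPLATE = {
  apiRequest: {
    uri: 'http://api.svc.eqiad.wmnet/w/api.php',
    headers: { host: '{domain}' },
  },
};

// Build a form-encoded POST to api.php for one wiki from the template.
function buildApiRequest(template, domain, params) {
  const base = expandTemplate(template.apiRequest, { domain });
  const url = new URL(base.uri);
  if (url.hostname === domain) {
    // Defensive: the template must route to the backend service, not back out
    // through the public edge it was meant to bypass.
    throw new Error('template uri must point at the backend service, not the public domain');
  }
  const body = new URLSearchParams({ format: 'json', ...params }).toString();
  return {
    method: 'POST',
    uri: base.uri,
    headers: {
      ...base.headers,
      'content-type': 'application/x-www-form-urlencoded',
      'content-length': String(Buffer.byteLength(body)),
    },
    body,
  };
}

// True only when the backend hop is TLS. With the HTTP-only entry point used
// in this task the Host override keeps routing correct, but the wire is plaintext;
// flipping the template uri to https:// is the "small config change" mentioned.
function isBackendHopSecure(request) {
  return new URL(request.uri).protocol === 'https:';
}

const req = buildApiRequest(API_TEMPLATE, 'www.wikidata.org', { action: 'query', titles: 'Q42' });
console.log(req.uri, req.headers.host, isBackendHopSecure(req));
```

The hostname guard is the practical check here: a mis-set template that still resolves to the public domain would silently reintroduce the edge round trip this change is meant to remove.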

Pchelolo claimed this task. Jul 29 2015, 5:45 PM

https://github.com/wikimedia/restbase/pull/288 to address this has now been merged, but is not deployed yet. It's part of a larger deploy, and will require matching config updates and careful testing.

GWicke closed this task as Resolved. Edited Aug 6 2015, 8:20 PM

Since yesterday's deploy RESTBase is now directly using http://api.svc.eqiad.wmnet/, without going through Varnish. The config for the backend request currently lives in puppet.

BBlack moved this task from Triage to Done on the Traffic board. Aug 7 2015, 4:41 AM