Page MenuHomePhabricator

Add dashboard.wikiedu.org IP to the ratelimit exemptions
Closed, ResolvedPublic

Description

The Wiki Education Foundation dashboard, http://dashboard.wikiedu.org (198.89.127.88) started running into rate limit problems today, which will only get worse as more students start to use the system.

The edits are coming from many different users, but they all come from the same IP, and since many of these users are newcomers who are subject to the newbie IP-based rate limits, they trigger the rate limit. It sounds like the best way around this may be to add the dashboard to the exception config here: https://github.com/wikimedia/operations-mediawiki-config/blob/master/wmf-config/throttle.php

Details

Related Gerrit Patches:

Event Timeline

Ragesoss created this task.Aug 25 2015, 8:16 PM
Ragesoss assigned this task to Tgr.
Ragesoss raised the priority of this task from to Needs Triage.
Ragesoss updated the task description. (Show Details)
Ragesoss added a subscriber: Ragesoss.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 25 2015, 8:16 PM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptAug 25 2015, 8:50 PM

Why is this assigned to @Tgr without him having commented here?

Also, it sounds to me like this should actually be forwarding the user's IP and get a TrustedXFF entry?

@Krenair: he asked me to file this on IRC.

<ragesoss> do you know if there are ip-based exemptions to the ratelimit for newbies?
...
<tgr> as for your original question, https://github.com/wikimedia/operations-mediawiki-config/blob/master/wmf-config/throttle.php has the existing exceptions
<tgr> file a task with the IP range and rationale and I can push it in today's SWAT

@Krenair: can you point me to details on TrustedXFF?

I'm looking into it more, and I'm not sure that TrustedXFF fits. It's our app itself that is making these edits, using the OAuth permissions granted by the users, so it's not same as the proxy situation that is described here: https://meta.wikimedia.org/wiki/XFF_project

Tgr added a comment.Aug 25 2015, 9:14 PM

Can this be IP used by humans or other tools that use normal login, or is it only used by OAuth-based tools? What consumers use it exactly, do they do any kind of authentication, and what actions can be done with them? E.g. could a spammer use those tools to post an arbitrary message on a wiki?

Tgr added a comment.Aug 25 2015, 9:19 PM

XFF might or might not work, depending on the tool. T74501 has the details (it's about IP autoblocks but it's the same fundamental problem).

@Tgr: the only edits from this IP are ones for the current version of the main dashboard consumer: https://www.mediawiki.org/wiki/Special:OAuthListConsumers/view/cc03c438ffef19f19b7d60a952327451

It makes several different kinds of edits, but I don't think any of them are significant avenues of potential spam. It posts the content of free text entry fields on course pages (which are subpages of Wikipedia:Wiki_Ed on en.wiki), but Wiki Ed staff monitors these pages regularly, as each new page is from a new instructor in our program and we touch base with each one before allowing them to continue.

There are no ways for a spammer to mass-post an arbitrary message in multiple places at once.

I can look into XFF, but that might take us a bit of time to implement. It'd be really useful to have an IP exception in the meantime.

Tgr added a comment.Aug 25 2015, 9:28 PM
14:23 < tgr> ragesoss: do you think you could make wikiedu dashboard set XFF headers?
14:24 < tgr> if it only does OAuth actions as immediate responses to a user doing something on a web interface, it should be relatively straightforward
14:24 < ragesoss> tgr: I assume it's possible, I'm just not sure how much developer time it will take.
14:25 < ragesoss> tgr: at this point, it's just immediate responses, but it's not going to stay that way.
14:26 < ragesoss> In some cases, for example, an instructor will authorize the dashboard to make automatic posts to student's talk pages if they haven't completed 
                  training by their class deadline, or if one of their edits has been flagged as potential plagiarism.

So it looks like an exception will be needed eventually anyway, and it is better to add it now because making the application set the XFF headers would take time and rate limiting would cause service interruptions in the meantime.

Change 233860 had a related patch set uploaded (by Gergő Tisza):
Exclude Wiki Education Foundation dashboard IP from rate limits

https://gerrit.wikimedia.org/r/233860

Change 233860 merged by jenkins-bot:
Exclude Wiki Education Foundation dashboard IP from rate limits

https://gerrit.wikimedia.org/r/233860

Krenair closed this task as Resolved.Aug 25 2015, 11:39 PM
Krenair moved this task from To deploy to Done on the Wikimedia-Site-requests board.
Ragesoss reopened this task as Open.Feb 10 2016, 8:22 PM

We are preparing to move dashboard.wikiedu.org to a more reliable host, and it will need to change IPs. The new IP will be 45.56.98.206. @Tgr, could you add that to the ratelimit exemptions? Thanks much! We're hoping to make this switch this Friday, if possible.

Restricted Application added subscribers: JEumerus, StudiesWorld. · View Herald TranscriptFeb 10 2016, 8:22 PM
Krenair closed this task as Resolved.Feb 10 2016, 9:32 PM

Needs a new ticket, this was marked resolved.