Page MenuHomePhabricator
Create Task
Maniphest T224891

Rate limit requests in violation of User-Agent policy more aggressively
Open, MediumPublic
Actions

Description

Wikimedia's User-Agent policy specifically forbids using generic values for the User-Agent request header.

Apply stricter rate limiting to requests violating the policy.

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+13 -4varnish: cache_upload miss/pass rate limit
operations/puppetproduction+2 -2cache_upload: return HTTP 403 to requests violating UA policy
Customize query in gerrit

Event Timeline

ema created this task.Jun 3 2019, 3:04 PM
Restricted Application added a project: SRE. · View Herald TranscriptJun 3 2019, 3:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ema triaged this task as Medium priority.Jun 3 2019, 3:04 PM
Paladox added a subscriber: Paladox.Jun 3 2019, 3:06 PM
gerritbot added a comment.Jun 3 2019, 3:06 PM

Change 514017 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] cache_upload: return HTTP 403 to requests violating UA policy

https://gerrit.wikimedia.org/r/514017

gerritbot added a project: Patch-For-Review.Jun 3 2019, 3:06 PM
ema moved this task from Triage to Caching on the Traffic board.Jun 3 2019, 3:09 PM
gerritbot added a comment.Jun 4 2019, 2:45 PM

Change 514017 merged by Ema:
[operations/puppet@production] cache_upload: return HTTP 403 to requests violating UA policy

https://gerrit.wikimedia.org/r/514017

Legoktm added a project: User-notice.Jun 4 2019, 3:06 PM

For Tech News: Bots and other scripts that do not set an identifiable User-Agent may find their requests blocked until they identify themselves properly.

Maintenance_bot removed a project: Patch-For-Review.Jun 4 2019, 3:10 PM
TheDJ added a subscriber: TheDJ.Jun 4 2019, 3:24 PM

Not sure if it applies here, but please remember that we allow Api-User-Agent as an alternative to User-Agent for Javascript solutions.

ema renamed this task from Return HTTP 403 to requests in violation of User-Agent policy to Rate limit requests in violation of User-Agent policy more aggressively.Jun 5 2019, 2:48 PM
ema updated the task description. (Show Details)

We (Traffic) have decided to continue allowing requests violating the UA policy. Instead of blocking them, we will apply stricter rate limiting to those.

gerritbot added a comment.Jun 5 2019, 2:52 PM

Change 513596 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] varnish: cache_upload rate limit

https://gerrit.wikimedia.org/r/513596

gerritbot added a project: Patch-For-Review.Jun 5 2019, 2:52 PM
gerritbot added a comment.Jun 6 2019, 11:45 AM

Change 513596 merged by Ema:
[operations/puppet@production] varnish: cache_upload miss/pass rate limit

https://gerrit.wikimedia.org/r/513596

Maintenance_bot removed a project: Patch-For-Review.Jun 6 2019, 12:10 PM
Quiddity added a subscriber: Quiddity.Jun 6 2019, 10:18 PM

TechNews: I've added it to the upcoming edition with this edit, that will be frozen for translation in about 18 hours. Please amend it before then if needed. (And thank you @Legoktm for writing the initial version!). Cheers!

Quiddity moved this task from To Triage to In current Tech/News draft on the User-notice board.Jun 6 2019, 10:20 PM
ema added a comment.Jun 7 2019, 7:42 AM

Thanks @Legoktm and @Quiddity!

Johan moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Jun 10 2019, 8:19 PM
ayounsi added a subscriber: ayounsi.Thu, Apr 8, 11:02 AM

Even with the current rate limiting, some crawling are regularly causing issues, wasting precious SRE time.

I'd like to revisit this task to be more strict on user agents, maybe progressively increasing the way we enforce our policy. For example:

  • Keep rate limiting for generic curl and other command line/testing tools
  • Forbid generic scripting UAs (eg. python-requests, empty) from cloud providers
  • Ideally later on, forbid generic scripting UAs from the whole Internet (except WMCS)

A variant could be to only apply the above on the upload cluster, but the less exceptions the better

MoritzMuehlenhoff added a subscriber: MoritzMuehlenhoff.Thu, Apr 8, 11:13 AM
RhinosF1 added a subscriber: RhinosF1.Thu, Apr 8, 11:14 AM
Majavah added a subscriber: Majavah.Thu, Apr 8, 11:41 AM
Legoktm added a comment.Tue, Apr 13, 7:38 AM
In T224891#6983370, @ayounsi wrote:

Even with the current rate limiting, some crawling are regularly causing issues, wasting precious SRE time.

I'd like to revisit this task to be more strict on user agents, maybe progressively increasing the way we enforce our policy. For example:

  • Keep rate limiting for generic curl and other command line/testing tools
  • Forbid generic scripting UAs (eg. python-requests, empty) from cloud providers
  • Ideally later on, forbid generic scripting UAs from the whole Internet (except WMCS)

Agreed to all that, though I would not exempt WMCS because WMCS can generate significant amounts of traffic much faster by virtue of already being in the cluster and people using WMCS are generally Wikimedians who should be more familiar with our policies than someone who just wants to scrape wiki pages.

I would also add that after a DoS ~2 months ago I spent a while working on advertising the UA policy and our general API usage guidelines: [1], [2].

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL