Page MenuHomePhabricator
Create Task
Maniphest T224891

Rate limit requests in violation of User-Agent policy more aggressively
Open, HighPublic
Actions

Description

Wikimedia's User-Agent policy specifically forbids using generic values for the User-Agent request header.

Apply stricter rate limiting to requests violating the policy.

Details

SubjectRepoBranchLines +/-
R:varnish:instance: Add hiera key to control cloud ratelimitsoperations/puppetproduction+92 -50
R:varnish:instance: Add general public cloud rate limitingoperations/puppetproduction+11 -1
varnish: use 403 instead of 429 where appropriateoperations/puppetproduction+7 -7
varnish: cache_upload miss/pass rate limitoperations/puppetproduction+13 -4
cache_upload: return HTTP 403 to requests violating UA policyoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

ema created this task.Jun 3 2019, 3:04 PM
Restricted Application added a project: SRE. · View Herald TranscriptJun 3 2019, 3:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ema triaged this task as Medium priority.Jun 3 2019, 3:04 PM
Paladox subscribed.Jun 3 2019, 3:06 PM
gerritbot added a comment.Jun 3 2019, 3:06 PM

Change 514017 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] cache_upload: return HTTP 403 to requests violating UA policy

https://gerrit.wikimedia.org/r/514017

gerritbot added a project: Patch-For-Review.Jun 3 2019, 3:06 PM
ema moved this task from Backlog to Caching on the Traffic board.Jun 3 2019, 3:09 PM
gerritbot added a comment.Jun 4 2019, 2:45 PM

Change 514017 merged by Ema:
[operations/puppet@production] cache_upload: return HTTP 403 to requests violating UA policy

https://gerrit.wikimedia.org/r/514017

Legoktm added a project: User-notice.Jun 4 2019, 3:06 PM

For Tech News: Bots and other scripts that do not set an identifiable User-Agent may find their requests blocked until they identify themselves properly.

Maintenance_bot removed a project: Patch-For-Review.Jun 4 2019, 3:10 PM
TheDJ subscribed.Jun 4 2019, 3:24 PM

Not sure if it applies here, but please remember that we allow Api-User-Agent as an alternative to User-Agent for Javascript solutions.

ema renamed this task from Return HTTP 403 to requests in violation of User-Agent policy to Rate limit requests in violation of User-Agent policy more aggressively.Jun 5 2019, 2:48 PM
ema updated the task description. (Show Details)

We (Traffic) have decided to continue allowing requests violating the UA policy. Instead of blocking them, we will apply stricter rate limiting to those.

gerritbot added a comment.Jun 5 2019, 2:52 PM

Change 513596 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] varnish: cache_upload rate limit

https://gerrit.wikimedia.org/r/513596

gerritbot added a project: Patch-For-Review.Jun 5 2019, 2:52 PM
gerritbot added a comment.Jun 6 2019, 11:45 AM

Change 513596 merged by Ema:
[operations/puppet@production] varnish: cache_upload miss/pass rate limit

https://gerrit.wikimedia.org/r/513596

Maintenance_bot removed a project: Patch-For-Review.Jun 6 2019, 12:10 PM
Quiddity subscribed.Jun 6 2019, 10:18 PM

TechNews: I've added it to the upcoming edition with this edit, that will be frozen for translation in about 18 hours. Please amend it before then if needed. (And thank you @Legoktm for writing the initial version!). Cheers!

Quiddity moved this task from To Triage to In current Tech/News draft on the User-notice board.Jun 6 2019, 10:20 PM
ema added a comment.Jun 7 2019, 7:42 AM

Thanks @Legoktm and @Quiddity!

Johan moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Jun 10 2019, 8:19 PM
ayounsi subscribed.Apr 8 2021, 11:02 AM

Even with the current rate limiting, some crawling are regularly causing issues, wasting precious SRE time.

I'd like to revisit this task to be more strict on user agents, maybe progressively increasing the way we enforce our policy. For example:

  • Keep rate limiting for generic curl and other command line/testing tools
  • Forbid generic scripting UAs (eg. python-requests, empty) from cloud providers
  • Ideally later on, forbid generic scripting UAs from the whole Internet (except WMCS)

A variant could be to only apply the above on the upload cluster, but the less exceptions the better

MoritzMuehlenhoff subscribed.Apr 8 2021, 11:13 AM
RhinosF1 subscribed.Apr 8 2021, 11:14 AM
taavi subscribed.Apr 8 2021, 11:41 AM
Legoktm added a comment.Apr 13 2021, 7:38 AM
In T224891#6983370, @ayounsi wrote:

Even with the current rate limiting, some crawling are regularly causing issues, wasting precious SRE time.

I'd like to revisit this task to be more strict on user agents, maybe progressively increasing the way we enforce our policy. For example:

  • Keep rate limiting for generic curl and other command line/testing tools
  • Forbid generic scripting UAs (eg. python-requests, empty) from cloud providers
  • Ideally later on, forbid generic scripting UAs from the whole Internet (except WMCS)

Agreed to all that, though I would not exempt WMCS because WMCS can generate significant amounts of traffic much faster by virtue of already being in the cluster and people using WMCS are generally Wikimedians who should be more familiar with our policies than someone who just wants to scrape wiki pages.

I would also add that after a DoS ~2 months ago I spent a while working on advertising the UA policy and our general API usage guidelines: [1], [2].

colewhite subscribed.Jun 29 2021, 2:28 AM
Legoktm added a subscriber: CDanis.Jun 29 2021, 2:31 AM

We responded to another set of pages today and most of the offending requests were coming from a public Cloud with no User-agent, so we've banned those requests from the upload cluster: https://gerrit.wikimedia.org/r/702003

I'm not really sure who or which team needs to approve this or whether no one opposes it and someone just needs to do it.

colewhite added a comment.Jun 29 2021, 3:52 AM

Changeset banning empty user agents: https://gerrit.wikimedia.org/r/702027

Result: https://grafana.wikimedia.org/d/000000503/varnish-http-errors?viewPanel=9&orgId=1&from=1624935459179&to=1624938728486

ayounsi raised the priority of this task from Medium to High.Jul 1 2021, 7:45 AM
gerritbot added a comment.Jul 2 2021, 9:42 AM

Change 702896 had a related patch set uploaded (by Ema; author: Ema):

[operations/puppet@production] varnish: use 403 instead of 429 where appropriate

https://gerrit.wikimedia.org/r/702896

gerritbot added a project: Patch-For-Review.Jul 2 2021, 9:42 AM
gerritbot added a comment.Jul 12 2021, 8:37 AM

Change 702896 merged by Ema:

[operations/puppet@production] varnish: use 403 instead of 429 where appropriate

https://gerrit.wikimedia.org/r/702896

BBlack moved this task from Caching to Icebox-Temp on the Traffic board.Oct 8 2021, 5:24 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Oct 8 2021, 8:04 PM
BBlack subscribed.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all tickets that aren't are neither part of our current planned work nor clearly a recent, higher-priority emergent issue. This is simply one step in a larger task cleanup effort. Further triage of these tickets (and especially, organizing future potential project ideas from them into a new medium) will occur afterwards! For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

jbond subscribed.Nov 22 2021, 2:33 PM
gerritbot added a comment.Nov 23 2021, 2:04 PM

Change 740818 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] R:varnish:instance: Add genral public cloud rate limiting

https://gerrit.wikimedia.org/r/740818

gerritbot added a comment.Nov 23 2021, 2:04 PM

Change 740828 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] R:varnish:instance: Add hiere key to control cloud ratelimits

https://gerrit.wikimedia.org/r/740828

gerritbot added a comment.Nov 23 2021, 2:14 PM

Change 740828 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] R:varnish:instance: Add hiere key to control cloud ratelimits

https://gerrit.wikimedia.org/r/740828

Ladsgroup subscribed.Nov 29 2021, 7:27 PM
gerritbot added a comment.Mar 9 2022, 3:34 PM

Change 740818 merged by Jbond:

[operations/puppet@production] R:varnish:instance: Add general public cloud rate limiting

https://gerrit.wikimedia.org/r/740818

BBlack moved this task from Backlog to Complicated on the Traffic-Icebox board.Apr 7 2022, 9:12 PM
CDanis added a subtask: T313634: Survey the third-party library market for UA policy compliance.Jul 23 2022, 1:30 PM
gerritbot added a comment.Mar 6 2023, 12:09 PM

Change 740828 abandoned by Jbond:

[operations/puppet@production] R:varnish:instance: Add hiera key to control cloud ratelimits

Reason:

replaced by requestctl

https://gerrit.wikimedia.org/r/740828

Pppery removed a project: Patch-For-Review.Nov 9 2023, 11:49 PM
Pppery subscribed.

Anything left to do here?

jbond added a comment.Nov 10 2023, 12:41 PM

@Pppery AFAIK other then blocking empty agent headers on upload (T224891#7182766) no further progress has been made to addresses the comments in T224891#6983370

Pppery unsubscribed.Nov 10 2023, 4:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL