| Fae | |
| Jun 5 2020, 11:43 AM |
| F31936961: Screenshot_2020-07-16_09-50-16.png | |
| Jul 16 2020, 8:54 AM |
It seems possible to access Phabricator from a Tor session for global IP block exempt accounts, but it seems inconsistent. Either it works transparently, exactly the same as a non-Tor session, or the page for error 500 is returned even when logged in to mediawiki and main wikimedia sites using SUL.
Is this a known error, and is there a work-around to enable SUL accounts with global IP block exempt accounts to access Phabricator consistently from Tor?
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | jbond | T253632 update profile::waf::apache2::administrative to use the new abuse_networks hiera key | |||
| Resolved | None | T254568 Accessing Phabricator from Tor (some ranges blocked but not others) |
Backing this up, an hour later, without changing browser, Phabricator did appear rather than the error 500 and this session for this added comment is via Tor & OAuth.
I have no idea what the difference is apart from time past after logging in on Commons and Mediawiki.
Playing with the Tor browser this morning, a work-around could be to for users to keep trying new Tor circuits until they stop getting the Error 500 message. This appears to work for me.
This seems to indicate that somewhere in the Phabricator set-up, some Tor IP ranges are getting blocked while others are allowed. If it has been a security decision to, say, block open Tor ranges from Russia, but allow ranges (apparently) from other countries, there seems little harm in confirming that as a fact, so that advice to volunteers using Tor to contribute can adjust their configuration.
@sbassett Where can Operations find information on where and how these blocks are configured? (also: T229620#5386233 , T218589)
Yes, still an issue. See example attempting to edit my talk page on meta using TOR a few minutes ago.
Yes, still an issue. See example attempting to edit my talk page on meta using TOR a few minutes ago.
@Fae, Thanks for the update, Looking at your initial message again i think there may have been some confusions on my side. so please bear with me as i try to clarify :)
It seems possible to access Phabricator from a Tor session for global IP block exempt accounts,
As far as i know the Global IP block has no affect on access to phabricator. However I'm not sure how SAL authentication works here i.e. i dont know if a user with a global IP block is able to create a SAL session. if not then obviously they would not be able to use there SAL account to authenticate to phabricator.
but it seems inconsistent. Either it works transparently, exactly the same as a non-Tor session, or the page for error 500 is returned even when logged in to mediawiki and main wikimedia sites using SUL.
The mechanism used to block access to phabricator is different and therefore by its nature inconsistent with the the Global IP block. Some time ago we suffered from an attacker spamming phabricator. To hamper this activity we added an ACL to block access to theses services, this access list was quite large and did include some ranges used by TOR but was completely unrelated to the Global IP block list used by SUL . This access list used by phabricator has now been removed however the functionality to add new ranges remains and currently there is no plan to unify the list used for this blocking with the list maintained in the SAL Global IP block
Thanks for the explanation. I'll raise separate tasks for TOR issues on other projects if they become an issue.
A short soak test by trying 10 different TOR circuits using the browser I'm editing this comment from, shows no error 500s, so I think it's done. Thanks for investigating.
Optimistically resolving as T253632 is resolved. Please reopen if this is still an issue - thanks!