Accessing Phabricator from Tor (some ranges blocked but not others)
Open, Medium, Public

Description

It seems possible to access Phabricator from a Tor session for global IP block exempt accounts, but it seems inconsistent. Either it works transparently, exactly the same as a non-Tor session, or the page for error 500 is returned even when logged in to mediawiki and main wikimedia sites using SUL.

Is this a known error, and is there a work-around to enable SUL accounts with global IP block exempt accounts to access Phabricator consistently from Tor?

Event Timeline

Backing this up, an hour later, without changing browser, Phabricator did appear rather than the error 500 and this session for this added comment is via Tor & OAuth.

I have no idea what the difference is apart from time passed after logging in on Commons and Mediawiki.

Playing with the Tor browser this morning, a work-around could be for users to keep trying new Tor circuits until they stop getting the Error 500 message. This appears to work for me.

This seems to indicate that somewhere in the Phabricator set-up, some Tor IP ranges are getting blocked while others are allowed. If it has been a security decision to, say, block open Tor ranges from Russia, but allow ranges (apparently) from other countries, there seems little harm in confirming that as a fact, so that advice to volunteers using Tor to contribute can adjust their configuration.

jbond triaged this task as Medium priority. Jun 8 2020, 11:25 AM
jbond added a subscriber: jbond.
sbassett added a subscriber: sbassett.

Removing Security-Team as this is now managed by SRE.

@sbassett Where can Operations find information on where and how these blocks are configured? (also: T229620#5386233, T218589)

@Dzahn - @herron and @chasemp would have the most domain knowledge about this right now, as they initially worked on T218784. @JBennett should also be able to provide any broad security and legal information you might need.

T253632 should be seen as a parent task of this.

Also see T257507#6294524

Dzahn renamed this task from Accessing Phabricator from Tor to Accessing Phabricator from Tor (some ranges blocked but not others). Jul 9 2020, 8:32 PM

@Fae I have now removed the block referred to in T253632. Are you able to confirm if this is still an issue?

Yes, still an issue. See example attempting to edit my talk page on meta using TOR a few minutes ago.

@Fae, thanks for the update. Looking at your initial message again, I think there may have been some confusion on my side, so please bear with me as I try to clarify :)

It seems possible to access Phabricator from a Tor session for global IP block exempt accounts,

As far as I know, the Global IP block has no effect on access to Phabricator. However, I'm not sure how SAL authentication works here, i.e. I don't know if a user with a global IP block is able to create a SAL session. If not, then obviously they would not be able to use their SAL account to authenticate to Phabricator.

but it seems inconsistent. Either it works transparently, exactly the same as a non-Tor session, or the page for error 500 is returned even when logged in to mediawiki and main wikimedia sites using SUL.

The mechanism used to block access to Phabricator is different and therefore by its nature inconsistent with the Global IP block. Some time ago we suffered from an attacker spamming Phabricator. To hamper this activity we added an ACL to block access to these services. This access list was quite large and did include some ranges used by TOR, but was completely unrelated to the Global IP block list used by SUL. This access list used by Phabricator has now been removed; however, the functionality to add new ranges remains, and currently there is no plan to unify the list used for this blocking with the list maintained in the SAL Global IP block.
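An added illustration, not part of the task discussion and not Wikimedia's configuration, of why results differed from one circuit to the next: when a service-level ACL and a separate global block list are maintained independently, an operator can audit where they disagree for a set of exit addresses. All ranges and addresses below are constructed from documentation-only prefixes, and the list and function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation-only prefixes, not real block lists).
SERVICE_ACL = ["198.51.100.0/24", "203.0.113.64/26", "2001:db8:a::/48"]
GLOBAL_BLOCKS = ["198.51.100.0/25", "192.0.2.0/24"]
EXIT_ADDRESSES = [
    "198.51.100.7", "198.51.100.200", "203.0.113.70",
    "203.0.113.10", "192.0.2.55", "2001:db8:a::1",
]

def parse_networks(cidrs):
    # strict=True rejects entries with host bits set, a common ACL typo.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def covered(addr, networks):
    # Compare only within the same IP version (IPv4 vs IPv6).
    return any(addr.version == n.version and addr in n for n in networks)

def classify(exits, service_acl, global_blocks):
    """Label each exit address by which of the two lists covers it."""
    acl = parse_networks(service_acl)
    glob = parse_networks(global_blocks)
    result = {}
    for text in exits:
        addr = ipaddress.ip_address(text)
        in_acl, in_glob = covered(addr, acl), covered(addr, glob)
        if in_acl and in_glob:
            result[text] = "both"
        elif in_acl:
            # Refused by the service even for an account that is
            # exempt from the global list.
            result[text] = "service_acl_only"
        elif in_glob:
            result[text] = "global_only"
        else:
            result[text] = "neither"
    return result

def summarize(result):
    return Counter(result.values())

if __name__ == "__main__":
    labels = classify(EXIT_ADDRESSES, SERVICE_ACL, GLOBAL_BLOCKS)
    for ip, label in labels.items():
        print(f"{ip:18} {label}")
    print(dict(summarize(labels)))
```

Addresses labelled `service_acl_only` correspond to the case reported in this task: the account's global exemption is irrelevant because a different list is doing the blocking.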

Thanks for the explanation. I'll raise separate tasks for TOR issues on other projects if they become an issue.

A short soak test by trying 10 different TOR circuits using the browser I'm editing this comment from, shows no error 500s, so I think it's done. Thanks for investigating.