Page MenuHomePhabricator
Create Task
Maniphest T260520

maps.wikilovesmonuments.org returns a HTTP 429 error (let it access varnish maps_domains)
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To
Dzahn
Authored By
Zache
Aug 17 2020, 9:30 AM
Tags
Referenced Files
F32188471: maps.wikkilovesmonuments.org_429_error_2020-08-19.png
Aug 19 2020, 9:48 AM
F32188472: maps.wikkilovesmonuments.org_429_error_2020-08-19_exampl2.png
Aug 19 2020, 9:48 AM
F32188453: Screenshot from 2020-08-19 11-22-17.png
Aug 19 2020, 9:24 AM
Subscribers
Aklapper
AntiCompositeNumber
CDanis
Dzahn
JKatzWMF
TheDJ
Zache

Description

Wiki Loves Monuments montage (https://maps.wikilovesmonuments.org) is blocked as the third party domains are blocked maps.wikimedia.org. See. T244278 and T245145 .

Fixing this is kind of busy as the competition starts at September.

Steps to Reproduce:
Go to URL
-https://maps.wikilovesmonuments.org/map?c=60.5134:22.2633:12

Actual Results:

  • Map layer is gray because tile server respond is 429 Too many requests error

maps.wikkilovesmonuments.org_429_error_2020-08-19_exampl2.png (1×2 px, 253 KB)

maps.wikkilovesmonuments.org_429_error_2020-08-19.png (1×2 px, 213 KB)

Expected Results:

  • Map would be visible

Screenshot from 2020-08-19 11-22-17.png (1×1 px, 618 KB)

Details

SubjectRepoBranchLines +/-
varnish: add wikilovesmonuments to tests for maps accessoperations/puppetproduction+7 -0
varnish: add wikilovesmonuments.org to domains allowed to access maps serversoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Zache created this task.Aug 17 2020, 9:30 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 17 2020, 9:30 AM
Zache added a comment.EditedAug 17 2020, 9:47 AM

Quickfix could be to use https://monumental.toolforge.org which seems to be whitelisted. This doesn't work for all of the use cases (ie. main site is still broken)

EDIT: Monumental.toolforge.org's login is broken. Maybe becaeuse toolforge.org transition and now the redirect url is wrong. (ie. T251668 and T234617)

Zache added a project: Wiki-Loves-Monuments (2020).Aug 17 2020, 9:48 AM
TheDJ subscribed.Aug 17 2020, 1:23 PM

@Zache for the login issue I have created: T260538: Monumental's OAuth integration is broken due to tools.wmflabs.org -> toolforge.org transition

Zache added a subscriber: AntiCompositeNumber.Aug 19 2020, 9:04 AM

@AntiCompositeNumber @Aklapper This seems to trivial to fix as it is just configuration change in maps.wikimedia.org, however I don't know who to ask. Do you have any ideas who to ping?

Aklapper added a comment.EditedAug 19 2020, 9:24 AM

@Zache: Hard to say as I either don't understand what the problem is or I don't understand how to reproduce it. Here is what I see with the given steps in a (slightly outdated) Chromium 84.0.4147.89:

Screenshot from 2020-08-19 11-22-17.png (1×1 px, 618 KB)

Zache added a comment.Aug 19 2020, 9:48 AM

Thanks, here is some screenshots from my computer.

maps.wikkilovesmonuments.org_429_error_2020-08-19_exampl2.png (1×2 px, 253 KB)

maps.wikkilovesmonuments.org_429_error_2020-08-19.png (1×2 px, 213 KB)

And request headers of single failed request from Chrome's devtools (Chrome 84.0.4147.125, Windows 7)

General

Response headers

  • content-length: 1846
  • content-type: text/html; charset=utf-8
  • date: Wed, 19 Aug 2020 09:38:26 GMT
  • server: Varnish
  • server-timing: cache;desc="int-front"
  • set-cookie: WMF-Last-Access=19-Aug-2020;Path=/;HttpOnly;secure;Expires=Sun, 20 Sep 2020 00:00:00 GMT
  • status: 429
  • strict-transport-security: max-age=106384710; includeSubDomains; preload
  • x-cache: cp3065 int
  • x-cache-status: int-front
  • x-client-ip: 2001:14ba:4f9:2d00:fca8:6213:c88e:d2e

Request headers

  • :authority: maps.wikimedia.org
  • :method: GET
  • :path: /osm-intl/12/2302/1177.png
  • :scheme: https
  • accept: image/webp,image/apng,image/*,*/*;q=0.8
  • accept-encoding: gzip, deflate, br
  • accept-language: en-FI,en;q=0.9,fi-FI;q=0.8,fi;q=0.7,lv-LV;q=0.6,lv;q=0.5,et-EE;q=0.4,et;q=0.3,en-US;q=0.2
  • cache-control: no-cache
  • pragma: no-cache
  • referer: https://maps.wikilovesmonuments.org/map?c=60.5134:22.2633:12
  • sec-fetch-dest: image
  • sec-fetch-mode: no-cors
  • sec-fetch-site: cross-site
  • user-agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Mobile Safari/537.36
Zache updated the task description. (Show Details)Aug 19 2020, 11:24 AM
Zache updated the task description. (Show Details)
AntiCompositeNumber added a project: Traffic.Aug 19 2020, 4:43 PM
AntiCompositeNumber added a subscriber: JKatzWMF.

This is due to mitigation from T244278/https://wikitech.wikimedia.org/wiki/Incident_documentation/20200204-maps. The toolforge.org referrer is whitelisted, so it is allowed to generate new map tiles. Other referrers (like maps.wikilovesmonuments.org) will only be served cached map tiles.

The relevant configuration is https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/modules/varnish/templates/upload-frontend.inc.vcl.erb#176. I don't know what the process would be to add a site to that list. The latest information I have is https://lists.wikimedia.org/pipermail/maps-l/2020-April/001718.html. @JKatzWMF, any updates on 3rd-ish-party maps usage?

Restricted Application added a project: SRE. · View Herald TranscriptAug 19 2020, 4:43 PM
Dzahn renamed this task from maps.wikilovesmonuments.org returns a HTTP 429 error to maps.wikilovesmonuments.org returns a HTTP 429 error (add it to varnish maps_domains).Aug 19 2020, 4:57 PM
CDanis subscribed.Aug 19 2020, 4:58 PM
Dzahn subscribed.Aug 19 2020, 5:11 PM

Looks like the current code can take exactly one "maps_domain" but not a list or array of multiple ones.

It's set in Hiera. Note how it has a different value in cloud/beta/"labs" vs production.

There it is " maps_domain: 'maps.beta.wmflabs.org'"

TheDJ added a comment.Aug 19 2020, 7:00 PM

No, it’s the line below that. Maps domain is what u give access to, referrer is what is used to check what gets access.

Zache added a comment.EditedAug 19 2020, 7:21 PM

So it would be just to add wikilovesmonuments.org to config files regexp?

if (req.http.Host == "<%= @vcl_config.fetch('maps_domain') %>") {
   // below is attempted mitigation of https://phabricator.wikimedia.org/T244278
   if (req.http.referer && req.http.referer !~ "^https?://(([^/]*\.)*(wikipedia|wikimedia|wikibooks|wikinews|wikiquote|wikisource|wikiversity|wikivoyage|wikidata|wikimediafoundation|wiktionary|mediawiki|wmfusercontent|wmflabs|toolforge|wmcloud)\.org|w\.wiki|localhost(:\d*)?)(/|$)") {
      return (synth(429, "Too Many Requests"));
   }
}
Dzahn renamed this task from maps.wikilovesmonuments.org returns a HTTP 429 error (add it to varnish maps_domains) to maps.wikilovesmonuments.org returns a HTTP 429 error (let it access varnish maps_domains).Aug 19 2020, 7:26 PM
gerritbot added a comment.Aug 19 2020, 7:33 PM

Change 621342 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] varnish: add wikimedialovesmonuments to domains allowed to access maps servers

https://gerrit.wikimedia.org/r/621342

gerritbot added a project: Patch-For-Review.Aug 19 2020, 7:33 PM
gerritbot added a comment.Aug 19 2020, 8:12 PM

Change 621347 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] varnish: add wikilovesmonuments to tests for maps access

https://gerrit.wikimedia.org/r/621347

gerritbot added a comment.Aug 20 2020, 6:51 PM

Change 621342 merged by CDanis:
[operations/puppet@production] varnish: add wikilovesmonuments.org to domains allowed to access maps servers

https://gerrit.wikimedia.org/r/621342

gerritbot added a comment.Aug 20 2020, 6:51 PM

Change 621347 merged by CDanis:
[operations/puppet@production] varnish: add wikilovesmonuments to tests for maps access

https://gerrit.wikimedia.org/r/621347

Maintenance_bot removed a project: Patch-For-Review.Aug 20 2020, 7:10 PM
Dzahn added a comment.EditedAug 20 2020, 7:47 PM

@Zache You may try again now. Is the 429 gone?

edit: I see maps on https://maps.wikilovesmonuments.org/map?c=60.5134:22.2633:12

works for me

Dzahn closed this task as Resolved.Aug 20 2020, 7:50 PM
Dzahn claimed this task.
Dzahn triaged this task as High priority.

Thanks to @CDanis for deploying my change.

@Zache @TheDJ Claiming it's resolved. Please feel free to reopen if you still seen an issue.

Zache added a comment.Aug 21 2020, 1:31 AM

Confirming, the map seems to work, thank you for everybody involved!

TOR mentioned this in T261506: wikimedia.pl returns a HTTP 429 error (let it access varnish maps_domains).Aug 28 2020, 3:18 PM
AntiCompositeNumber mentioned this in T261424: Limit maps serving to Wikimedia hosted sites only.Aug 28 2020, 3:25 PM
AntiCompositeNumber added a subtask: T261694: Support maps serving for affiliate sites via an allow list.Sep 1 2020, 1:28 AM
CDanis removed a subtask: T261694: Support maps serving for affiliate sites via an allow list.Oct 6 2020, 2:12 PM
CDanis added a parent task: T261694: Support maps serving for affiliate sites via an allow list.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL