Page MenuHomePhabricator
Create Task
Maniphest T319423

Block non-browser requests that use generic user agent (UA) headers
Open, Needs TriagePublic
Actions

Description

When we want to modify or deprecate APIs, it is useful to know who is using it. Since we do not require any kind of authentication to use our APIs, the only way is often to look at the User-Agent header. This however only works if the User-Agent header is set to a useful value, rather than a generic library name.

We have required the User-Agent to be set to a useful value since 2010, but this was never really enforced. The only way to get clients to provide a useful UA string appears to be by blocking generic UAs.

Some examples:

  • "-": ~1300/sec
  • "Ruby": 100/sec
  • "curl/" prefix: 240/sec
  • "okhttp/" prefix: 240/sec
  • "MyApp/01": 1/sec (example value from the LWP manpage). This isn't a lot, but it seems to be the primary user of /api/rest_v1/page/pdf/, which we want to deprecate.

These requests should be blocked with a helpful error message pointing to the policy page.

NOTE: If we block the generic curl UA, we'll probably block our own manual debugging calls. The error message returned to the user should include instructiosn for setting up a .curlrc file to avoid this.

Event Timeline

daniel created this task.Oct 5 2022, 2:47 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 5 2022, 2:47 PM
daniel updated the task description. (Show Details)Oct 5 2022, 2:56 PM
daniel added a subscriber: Joe.
daniel updated the task description. (Show Details)Oct 5 2022, 3:02 PM
daniel updated the task description. (Show Details)
daniel updated the task description. (Show Details)Oct 5 2022, 3:04 PM
Aklapper awarded a token.Oct 5 2022, 4:14 PM
daniel updated the task description. (Show Details)Oct 5 2022, 7:19 PM
daniel updated the task description. (Show Details)
daniel updated the task description. (Show Details)Oct 7 2022, 11:59 AM
VirginiaPoundstone moved this task from Incoming to Needs Grooming on the API Platform board.Oct 7 2022, 6:58 PM
Dzahn subscribed.Oct 7 2022, 9:05 PM
LSobanski added a project: serviceops.Oct 19 2022, 1:11 PM
CDanis subscribed.Oct 19 2022, 1:23 PM
daniel renamed this task from Block non-browser requests that use generic agents to Block non-browser requests that use generic user agent (UA) headers.Nov 9 2022, 5:39 PM
Dzahn unsubscribed.Nov 9 2022, 5:51 PM
daniel added a comment.Nov 9 2022, 5:55 PM

We have rate limits in place for some generic UA strings:

https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/modules/varnish/templates/wikimedia-frontend.vcl.erb#715

Joe added a comment.Nov 10 2022, 7:49 AM

FWIW we're banning more generic UAs via dynamic requestctl rules; our rule of thumb is to start rate-limiting requests from a specific UA only when it starts creating an issue to the infrastructure. In general, banning generic UAs will have the effect to force people to either identify themselves, or use browser-like UAs instead.

Joe edited projects, added Traffic; removed serviceops.Nov 10 2022, 7:50 AM
VirginiaPoundstone moved this task from Needs Grooming to Radar on the API Platform board.Nov 29 2022, 8:45 PM
daniel added a comment.Mar 13 2023, 1:56 PM
In T319423#8385567, @Joe wrote:

FWIW we're banning more generic UAs via dynamic requestctl rules; our rule of thumb is to start rate-limiting requests from a specific UA only when it starts creating an issue to the infrastructure. In general, banning generic UAs will have the effect to force people to either identify themselves, or use browser-like UAs instead.

I would assume that most of the requests are made in good faith, so block would lead to more clients supplying contact info. The block message should of course link to the policy page.

VirginiaPoundstone moved this task from Radar to RESTBase Deprecation Roadmap on the API Platform board.Apr 26 2023, 1:22 PM
VirginiaPoundstone edited projects, added API Platform (RESTBase Deprecation Roadmap); removed API Platform.
99of9 subscribed.Apr 27 2024, 6:15 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits