Page MenuHomePhabricator
Create Task
Maniphest T397841

Implement an hCaptcha IP blinding proxy prototype
Closed, ResolvedPublic
Actions

Description

Implement an IP blinding proxy for use with the hCaptcha API.

This will be a simple nginx-based HTTP proxy that forwards user requests to hcaptcha.com API endpoints, while passing a hash of the client IP address (and hiding the cleartext IP address).

  • decide on how to handle our default-public configuration vs security requirements
  • review prototype implementation
  • deploy
    • nginx proxy
    • secrets fixtures
    • DNS
  • Drop bare requests to / and deny access to / in robots.txt
  • Use real hCaptcha secrets in proxy
  • Drop the referer header (patch)
  • Grafana dashboard for monitoring traffic
  • wikitech page documenting setup and log locations on Wikitech

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
wikimedia.org: add hcaptcha-sentry CNAMEoperations/dnsmaster+1 -0
hcaptcha: Unset Referer headeroperations/puppetproduction+2 -0
profile::hcaptcha::proxy: config improvementsoperations/puppetproduction+43 -31
profile::hcaptcha: don't serve / or robots.txtoperations/puppetproduction+10 -0
Add fake hcaptcha proxy secrets.labs/privatemaster+9 -0
trafficserver, profile::hcaptcha: simplify subdomainsoperations/puppetproduction+7 -8
wikimedia: simplify hcaptcha subsubdomainsoperations/dnsmaster+3 -3
trafficserver, cache: add config for edge routing of hcaptchaoperations/puppetproduction+20 -0
wikimedia: add CNAMEs for hcaptcha domainsoperations/dnsmaster+6 -0
hcaptcha: initial commit for proxy configoperations/puppetproduction+232 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Raine created this task.Jun 25 2025, 1:44 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptJun 25 2025, 1:44 PM
Raine changed the task status from Open to In Progress.Jun 25 2025, 1:44 PM
Raine triaged this task as High priority.
sguebo_WMF moved this task from Backlog to In progress on the WE4.2 Bot detection (WE4.2 hCaptcha account creation trial) board.Jun 25 2025, 7:06 PM
gerritbot added a comment.Jun 27 2025, 5:13 PM

Change #1155221 had a related patch set uploaded (by Kamila Součková; author: Kamila Součková):

[labs/private@master] Add fake hcaptcha proxy secrets.

https://gerrit.wikimedia.org/r/1155221

gerritbot added a project: Patch-For-Review.Jun 27 2025, 5:13 PM

Change #1164432 had a related patch set uploaded (by Kamila Součková; author: Kamila Součková):

[operations/puppet@production] hcaptcha: initial commit for proxy config

https://gerrit.wikimedia.org/r/1164432

sguebo_WMF added a subtask: T382148: Enable hCaptcha on test2wiki.Jul 4 2025, 1:04 AM
Dreamy_Jazz removed a subtask: T382148: Enable hCaptcha on test2wiki.Jul 7 2025, 1:12 PM
Dreamy_Jazz added a parent task: T382148: Enable hCaptcha on test2wiki.
Dreamy_Jazz mentioned this in T382148: Enable hCaptcha on test2wiki.
gerritbot added a comment.Jul 8 2025, 2:44 PM

Change #1155221 merged by Hnowlan:

[labs/private@master] Add fake hcaptcha proxy secrets.

https://gerrit.wikimedia.org/r/1155221

gerritbot added a comment.Jul 9 2025, 3:55 PM

Change #1167669 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/dns@master] wikimedia: add CNAMEs for hcaptcha domains

https://gerrit.wikimedia.org/r/1167669

gerritbot added a comment.Jul 9 2025, 4:04 PM

Change #1167670 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/puppet@production] trafficserver, cache: add config for edge routing of hcaptcha

https://gerrit.wikimedia.org/r/1167670

gerritbot added a comment.Jul 10 2025, 2:40 PM

Change #1164432 merged by Hnowlan:

[operations/puppet@production] hcaptcha: initial commit for proxy config

https://gerrit.wikimedia.org/r/1164432

gerritbot added a comment.Jul 10 2025, 3:29 PM

Change #1167669 merged by Hnowlan:

[operations/dns@master] wikimedia: add CNAMEs for hcaptcha domains

https://gerrit.wikimedia.org/r/1167669

gerritbot added a comment.Jul 10 2025, 3:34 PM

Change #1167670 merged by Hnowlan:

[operations/puppet@production] trafficserver, cache: add config for edge routing of hcaptcha

https://gerrit.wikimedia.org/r/1167670

gerritbot added a comment.Jul 10 2025, 3:49 PM

Change #1167891 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/dns@master] wikimedia: simplify hcaptcha subsubdomains

https://gerrit.wikimedia.org/r/1167891

gerritbot added a comment.Jul 10 2025, 3:55 PM

Change #1167893 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/puppet@production] trafficserver, profile::hcaptcha: simplify subdomains

https://gerrit.wikimedia.org/r/1167893

gerritbot added a comment.Jul 10 2025, 3:56 PM

Change #1167891 merged by Hnowlan:

[operations/dns@master] wikimedia: simplify hcaptcha subsubdomains

https://gerrit.wikimedia.org/r/1167891

gerritbot added a comment.Jul 10 2025, 4:02 PM

Change #1167893 merged by Hnowlan:

[operations/puppet@production] trafficserver, profile::hcaptcha: simplify subdomains

https://gerrit.wikimedia.org/r/1167893

hnowlan updated the task description. (Show Details)Jul 10 2025, 4:07 PM
gerritbot added a comment.Jul 11 2025, 10:37 AM

Change #1168149 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/puppet@production] profile::hcaptcha: don't serve / or robots.txt

https://gerrit.wikimedia.org/r/1168149

Dreamy_Jazz updated the task description. (Show Details)Jul 11 2025, 10:42 AM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz updated the task description. (Show Details)Jul 11 2025, 11:25 AM
Dreamy_Jazz updated the task description. (Show Details)Jul 14 2025, 11:19 AM
gerritbot added a comment.Jul 14 2025, 3:03 PM

Change #1168149 merged by Giuseppe Lavagetto:

[operations/puppet@production] profile::hcaptcha: don't serve / or robots.txt

https://gerrit.wikimedia.org/r/1168149

kostajh updated the task description. (Show Details)Jul 14 2025, 3:12 PM
kostajh updated the task description. (Show Details)Jul 14 2025, 4:04 PM
jijiki changed the status of subtask Restricted Task from Open to In Progress.Jul 16 2025, 10:48 AM
jijiki changed the status of subtask Restricted Task from In Progress to Stalled.Jul 24 2025, 10:42 AM
jijiki claimed this task.Aug 6 2025, 1:56 PM
gerritbot added a comment.Aug 6 2025, 2:00 PM

Change #1176248 had a related patch set uploaded (by Effie Mouzeli; author: Effie Mouzeli):

[operations/puppet@production] profile::hcaptcha::proxy: config improvements

https://gerrit.wikimedia.org/r/1176248

gerritbot added a comment.Aug 11 2025, 11:46 AM

Change #1176248 merged by Clément Goubert:

[operations/puppet@production] profile::hcaptcha::proxy: config improvements

https://gerrit.wikimedia.org/r/1176248

sguebo_WMF updated the task description. (Show Details)Aug 19 2025, 3:01 AM

@jijiki while discussing with @kostajh we agreed to avoid passing the REFERER header. I added it as another checkbox but I'm happy to file a separate ticket if that's better.

Clement_Goubert subscribed.Aug 19 2025, 9:51 AM
gerritbot added a comment.Aug 19 2025, 7:46 PM

Change #1180204 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[operations/puppet@production] hcaptcha: Unset Referer header

https://gerrit.wikimedia.org/r/1180204

kostajh updated the task description. (Show Details)Aug 19 2025, 7:47 PM
kostajh updated the task description. (Show Details)Aug 20 2025, 6:54 AM
gerritbot added a comment.Aug 20 2025, 8:19 AM

Change #1180204 merged by Clément Goubert:

[operations/puppet@production] hcaptcha: Unset Referer header

https://gerrit.wikimedia.org/r/1180204

Clement_Goubert closed subtask Restricted Task as Resolved.Aug 20 2025, 8:27 AM
Clement_Goubert updated the task description. (Show Details)
In T397841#11096808, @sguebo_WMF wrote:

@jijiki while discussing with @kostajh we agreed to avoid passing the REFERER header. I added it as another checkbox but I'm happy to file a separate ticket if that's better.

Merged, will be deployed by puppet runs over the next half-hour.

gerritbot added a comment.Aug 25 2025, 4:02 PM

Change #1181739 had a related patch set uploaded (by Hnowlan; author: Hnowlan):

[operations/dns@master] wikimedia.org: add hcaptcha-sentry CNAME

https://gerrit.wikimedia.org/r/1181739

gerritbot added a comment.Aug 25 2025, 4:35 PM

Change #1181739 merged by Hnowlan:

[operations/dns@master] wikimedia.org: add hcaptcha-sentry CNAME

https://gerrit.wikimedia.org/r/1181739

kostajh closed this task as Resolved.Aug 26 2025, 1:29 PM
kostajh updated the task description. (Show Details)
jijiki added a parent task: Restricted Task.Sep 5 2025, 2:07 PM
jijiki updated the task description. (Show Details)Sep 5 2025, 3:15 PM
Reedy removed a project: Patch-For-Review.Sep 10 2025, 11:58 AM
bd808 added a subtask: T404407: No Puppet resources found on instance deployment-urldownloader04 on project deployment-prep.Sep 12 2025, 4:25 PM
bd808 added a subtask: T404379: No Puppet resources found on instance deployment-urldownloader04 on project deployment-prep.
bd808 added a subtask: T402919: No Puppet resources found on instance deployment-urldownloader04 on project deployment-prep.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits