Page MenuHomePhabricator
Create Task
Maniphest T398161

FY 25/26 WE 5.4.3: CDN (text) filtering rationalization
Closed, ResolvedPublic
Actions

Description

Right now, filtering of traffic at the edge follows two paths and two paths only:

  • if the request is in our web of trust, we skip all filtering
  • Otherwise, all filtering is applied

We want to move to a different model, where we have more classes of users, instead than just full trust / no trust:

  • We have at least 3 classes of users: trust / known / no trust where known can have various forms:
    • The request has a valid sesssion token (see WE 5.1.2)
    • The request comes from an IP/UA combination we consider "trusted"
    • The request includes other identification methods

So, we want to be able to apply requestctl rules in various points of the process, and to vary which rules we apply to what.

Moreover, we want to be able to detect if a request comes from something looking like a browser, and apply the stricter limits we declare in the Robot Policy for such requests.

In oder to do this we need to:

  • Add the ability for requestctl rules to be selected via some additional tags, or maybe just use specific alternative tags to "cache-text/cache-upload"
  • Change radically how we do filtering at the edge. An early design schematics of how it will look is something like:
    image.png (2×2 px, 525 KB)

Details

Related Changes in Gerrit:
Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedJoeT398161 FY 25/26 WE 5.4.3: CDN (text) filtering rationalization
 ResolvedOttomataT394794 Improve spider detection in the webrequest refinery pipeline
 ResolvedRequestKappakayalaT395413 Requesting access to analytics-privatedata-users (and kerberos) for Giuseppe Lavagetto
 OpenJoeT396562 WE 5.4 FY 25/26: Improve automata detection at the edge and pass it to the refinery pipeline
 ResolvedJoeT398213 Include accept-language header in turnilo/superset
 OpenNoneT399057 Introduce allowlists into the CDN (text) filtering
 ResolvedJoeT399058 Ability for the code to apply different sets of rules depending on request
 ResolvedJoeT399534 Allow field removals in conftool schema upgrades
 ResolvedJoeT400119 Block traffic from user-agents not honoring our policy
 ResolvedTgrT400881 Make InstantCommons and other uses of ForeignApiRepo use WMF policy-compliant user agents
 OpenNoneT402959 Find a solution for SPARQL federation that is blocked by stricter user agent policy enforcement
 ResolvedBUG REPORThasharT403089 Cannot update CI Jenkins jobs
 ResolvedBUG REPORT jnucheT403162 Docpub pipelines failing
 ResolvedBUG REPORTSamwilsonT403435 Requests to query.wikidata.org failing due to User-Agent
 ResolvedSLyngshede-WMFT400120 Better mapping of requests coming from datacenters/clouds
 ResolvedVgutierrezT400238 Add ability to validate JWTs in haproxy
 OpenVgutierrezT400270 Browser behaviour detection at the edge
 ResolvedVgutierrezT404826 Integrate code from the private repository into the CDN
 ResolvedssinghT407966 Puppet agent failure detected on instance deployment-cache-upload08 in project deployment-prep
 ResolvedssinghT408148 Puppet agent failure detected on instance deployment-cache-text08 in project deployment-prep
 ResolvedJoeT401786 Allow inline patterns in HIDDENPARMA expressions
 OpenNoneT402512 Export development_network_probe data to Puppet servers for CDN deployment
 ResolvedBUG REPORTSLyngshede-WMFT403616 Puppet agent failure detected on instance deployment-cache-text08 in project deployment-prep
 ResolvedSLyngshede-WMFT404688 Allow Puppet to pull in XCHEESESCORE git repo

Event Timeline

Joe created this task.Jun 30 2025, 7:07 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 30 2025, 7:07 AM
Aklapper renamed this task from WE 5.4.3 FY 25/26: CDN (text) filtering rationalization to FY 25/26 WE 5.4.3: CDN (text) filtering rationalization.Jun 30 2025, 7:52 AM
Aklapper added a project: SRE.
Joe claimed this task.Jun 30 2025, 10:53 AM
Joe triaged this task as High priority.
Joe added a subtask: T394794: Improve spider detection in the webrequest refinery pipeline.Jun 30 2025, 3:27 PM
Joe added a comment.Jul 9 2025, 4:39 AM

Quite a bit of the rationalization will depend upon the results of another hypothesis, the one about trusted bots. What we can however build while that's still being designed.

What should build for now is:

  • Allowlist approach both in varnish and haproxy. It can for now be based on x-provenance.
  • Add the ability (feature flag guarded) to validate JWTs (and maybe edge uniques?) in haproxy
  • Browser detection routines
  • Ability for the code to apply different sets of rules depending on allowlists
  • "Moat mode" rules - emergency rules we want to apply to all incoming traffic when we're under attack or in a traffic-induced outage. Ideally these rules will only remain active for 5 minutes, unless someone renews their activation

I'll open subtasks for all of the above.

Scott_French mentioned this in T400100: FY 25/26 WE 5.4.2: Known bots / clients.Jul 21 2025, 7:26 PM
Joe closed subtask T399058: Ability for the code to apply different sets of rules depending on request as Resolved.Jul 29 2025, 10:22 AM
CDanis subscribed.Jul 29 2025, 8:18 PM
Vgutierrez closed subtask T400238: Add ability to validate JWTs in haproxy as Resolved.Aug 4 2025, 10:39 AM
Joe reopened subtask T399058: Ability for the code to apply different sets of rules depending on request as Open.Aug 4 2025, 4:06 PM
Ottomata closed subtask T394794: Improve spider detection in the webrequest refinery pipeline as Resolved.Aug 13 2025, 4:19 PM
gerritbot added a comment.Aug 14 2025, 12:39 PM

Change #1178866 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] C:ip_reputation_vendors::datacenter_vendors: Known datacenter

https://gerrit.wikimedia.org/r/1178866

gerritbot added a project: Patch-For-Review.Aug 14 2025, 12:39 PM
gerritbot added a comment.Aug 15 2025, 12:54 PM

Change #1179136 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:cache::haproxy add ASN lookup function

https://gerrit.wikimedia.org/r/1179136

Joe closed subtask T399058: Ability for the code to apply different sets of rules depending on request as Resolved.Aug 21 2025, 6:03 AM
gerritbot added a comment.Aug 21 2025, 6:23 AM

Change #1180711 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/puppet@production] varnish: add new requestctl file for deprecations

https://gerrit.wikimedia.org/r/1180711

gerritbot added a comment.Aug 21 2025, 6:24 AM

Change #1180712 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/puppet@production] Add deprecations to varnish

https://gerrit.wikimedia.org/r/1180712

gerritbot added a comment.Aug 22 2025, 9:03 AM

Change #1181090 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:puppetserver::volatile generate datacenter database

https://gerrit.wikimedia.org/r/1181090

gerritbot added a comment.Aug 28 2025, 8:20 AM

Change #1182763 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:cache:? datacenter lookup

https://gerrit.wikimedia.org/r/1182763

gerritbot added a comment.Aug 28 2025, 9:51 AM

Change #1182782 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:cache:haproxy add datacenter information to provenance

https://gerrit.wikimedia.org/r/1182782

gerritbot added a comment.Sep 1 2025, 7:31 AM

Change #1181090 merged by Slyngshede:

[operations/puppet@production] P:puppetserver::volatile generate datacenter database

https://gerrit.wikimedia.org/r/1181090

gerritbot added a comment.Sep 1 2025, 7:37 AM

Change #1183599 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:puppetserver::volatile fix group name

https://gerrit.wikimedia.org/r/1183599

gerritbot added a comment.Sep 1 2025, 7:40 AM

Change #1183599 merged by Slyngshede:

[operations/puppet@production] P:puppetserver::volatile fix group name

https://gerrit.wikimedia.org/r/1183599

gerritbot added a comment.Sep 1 2025, 8:05 AM

Change #1183612 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:puppetserver::volatile enable datacenter timer

https://gerrit.wikimedia.org/r/1183612

gerritbot added a comment.Sep 2 2025, 7:34 AM

Change #1183612 merged by Slyngshede:

[operations/puppet@production] P:puppetserver::volatile enable datacenter timer

https://gerrit.wikimedia.org/r/1183612

gerritbot added a comment.Sep 2 2025, 9:07 AM

Change #1184037 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:cache::haproxy copy datacenter.mmdb

https://gerrit.wikimedia.org/r/1184037

gerritbot added a comment.Sep 3 2025, 10:34 AM

Change #1184497 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:cache::haproxy add datacenter information to provenance

https://gerrit.wikimedia.org/r/1184497

gerritbot added a comment.Sep 3 2025, 11:39 AM

Change #1184037 merged by Slyngshede:

[operations/puppet@production] P:cache::haproxy copy datacenter.mmdb

https://gerrit.wikimedia.org/r/1184037

bd808 added a subtask: T403616: Puppet agent failure detected on instance deployment-cache-text08 in project deployment-prep.Sep 3 2025, 5:24 PM
SLyngshede-WMF closed subtask T403616: Puppet agent failure detected on instance deployment-cache-text08 in project deployment-prep as Resolved.Sep 4 2025, 8:53 AM
bd808 reopened subtask T403616: Puppet agent failure detected on instance deployment-cache-text08 in project deployment-prep as Open.Sep 4 2025, 6:09 PM
Vgutierrez closed subtask T403616: Puppet agent failure detected on instance deployment-cache-text08 in project deployment-prep as Resolved.Sep 5 2025, 1:28 PM
gerritbot added a comment.Sep 15 2025, 8:48 AM

Change #1182763 merged by Slyngshede:

[operations/puppet@production] P:cache:haproxy add is_datacenter Lua action

https://gerrit.wikimedia.org/r/1182763

gerritbot added a comment.Sep 15 2025, 10:45 AM

Change #1182782 merged by Slyngshede:

[operations/puppet@production] P:cache:haproxy add datacenter information to provenance

https://gerrit.wikimedia.org/r/1182782

gerritbot added a comment.Sep 15 2025, 1:56 PM

Change #1179136 abandoned by Slyngshede:

[operations/puppet@production] P:cache::haproxy add ASN lookup function

Reason:

Replaced by https://gerrit.wikimedia.org/r/c/operations/puppet/+/1182782

https://gerrit.wikimedia.org/r/1179136

gerritbot added a comment.Sep 17 2025, 5:50 AM

Change #1180711 merged by Giuseppe Lavagetto:

[operations/puppet@production] varnish: add new requestctl file for deprecations

https://gerrit.wikimedia.org/r/1180711

Joe closed subtask T400119: Block traffic from user-agents not honoring our policy as Resolved.Sep 17 2025, 6:35 AM
SLyngshede-WMF closed subtask T400120: Better mapping of requests coming from datacenters/clouds as Resolved.Sep 17 2025, 6:57 AM
Joe closed subtask T401786: Allow inline patterns in HIDDENPARMA expressions as Resolved.Sep 17 2025, 9:25 AM
bd808 subscribed.Sep 17 2025, 7:32 PM
gerritbot added a comment.Sep 18 2025, 7:11 AM

Change #1180712 merged by Giuseppe Lavagetto:

[operations/puppet@production] Add deprecations to varnish

https://gerrit.wikimedia.org/r/1180712

gerritbot added a comment.Sep 19 2025, 10:31 AM

Change #1178866 abandoned by Slyngshede:

[operations/puppet@production] C:ip_reputation_vendors::datacenter_vendors: Known datacenters

Reason:

Done using mmdb instead.

https://gerrit.wikimedia.org/r/1178866

BCornwall subscribed.Sep 29 2025, 10:34 PM

https://gerrit.wikimedia.org/r/c/operations/puppet/+/1180712 Seems to have broken varnish tests. Looking through seems to suggest this is because profile::cache::varnish::frontend::use_etcd_req_filters is set to "false" in hieradata/common/profile/cache/varnish/frontend.yaml, causing the test to be getting a 200 instead of a 403.

gerritbot added a comment.Oct 1 2025, 9:00 AM

Change #1192846 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:cache::haproxy copy private repo data

https://gerrit.wikimedia.org/r/1192846

gerritbot added a comment.Oct 9 2025, 7:00 AM

Change #1184497 abandoned by Slyngshede:

[operations/puppet@production] P:cache::haproxy add datacenter information to provenance

https://gerrit.wikimedia.org/r/1184497

gerritbot added a comment.Oct 9 2025, 10:50 AM

Change #1192846 merged by Slyngshede:

[operations/puppet@production] P:cache::haproxy copy private repo data

https://gerrit.wikimedia.org/r/1192846

Maintenance_bot removed a project: Patch-For-Review.Oct 9 2025, 11:32 AM
gerritbot added a comment.Oct 20 2025, 10:58 AM

Change #1197231 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P::cache::haproxy enable x-is-browser everywhere

https://gerrit.wikimedia.org/r/1197231

gerritbot added a project: Patch-For-Review.Oct 20 2025, 10:58 AM
gerritbot added a comment.Oct 20 2025, 11:40 AM

Change #1197231 merged by Slyngshede:

[operations/puppet@production] P::cache::haproxy enable x-is-browser everywhere

https://gerrit.wikimedia.org/r/1197231

Maintenance_bot removed a project: Patch-For-Review.Oct 20 2025, 12:31 PM
Joe closed this task as Resolved.Oct 21 2025, 6:50 AM
BCornwall added a comment.Oct 21 2025, 3:30 PM

Should the broken tests as mentioned in T398161#11227347 be brought up in a new ticket?

SLyngshede-WMF closed subtask T404688: Allow Puppet to pull in XCHEESESCORE git repo as Resolved.Oct 21 2025, 3:40 PM
BCornwall reopened this task as Open.Oct 23 2025, 6:09 PM

Not resolved due to broken tests.

gerritbot added a comment.Oct 29 2025, 2:24 PM

Change #1199792 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] haproxy,varnish: Report X-Is-Brower back from varnish

https://gerrit.wikimedia.org/r/1199792

gerritbot added a project: Patch-For-Review.Oct 29 2025, 2:24 PM
gerritbot added a comment.Oct 30 2025, 3:04 PM

Change #1199792 merged by Vgutierrez:

[operations/puppet@production] haproxy,varnish: Report X-Is-Browser back from varnish

https://gerrit.wikimedia.org/r/1199792

Maintenance_bot removed a project: Patch-For-Review.Oct 30 2025, 3:32 PM
Joe closed this task as Resolved.Nov 3 2025, 5:51 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits