Page MenuHomePhabricator
Create Task
Maniphest T410273

api rate limiting: Assign ratelimit class based on IP range
Closed, ResolvedPublic
Actions

Description

Requests coming from certain IP ranges should be assigned a rate limit class, such as:

  • 1.2.3.* -> "cgnat" (some ISP using a NAT for all clients)

This will allow us to assign higher limits to ISPs and campuses using a NAT, but could also be used as a mechanism to exempt internal traffic or, temporarily, grant higher limits for Wikimedia events (Wikimania, hackathons).

Long term, we want a better solution for CGNATs, potentially based on edge unique cookies. Assessment of using IP ranges in the REST gateway vs. limiting by unique coooke at the edge:

Advantages:

  • Easy and quick to implement
  • Removes blocker for rollout
  • Flexible tool that can be used in the future to address Wikimedia-Events, etc

Disadvantages:

  • Not making use of the edge unique cookie, which would be more targeted
  • The allow-list needs to be maintained manually
  • The data needed to maintain it has to be extracted from the rate limit counters using redioscan on the command line. Could be exposed over http by redioscope, but that would require security vetting etc.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
rest-gateway: assign ratelimit class by network rangeoperations/deployment-chartsmaster+79 -10
rest-gateway: assign ratelimit class by network rangeoperations/deployment-chartsmaster+182 -26
Customize query in gerrit

Related Objects
Search...

Event Timeline

daniel created this task.Nov 17 2025, 1:53 PM
daniel mentioned this in T410143: Exempt network-local traffic from API rate limiting.Nov 17 2025, 1:58 PM
JTweed-WMF moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Nov 17 2025, 3:41 PM
Clement_Goubert added a comment.EditedNov 18 2025, 1:30 PM

Hmm, we should probably also figure out a way to route these to mw-api-int instead of mw-api-ext somehow. I have to think about this.

EDIT: Actually, cf parent, we need to track down what is making requests from 10.192 that are not healthchecks, and WMCS should go to mw-api-ext.

gerritbot added a comment.Nov 18 2025, 8:18 PM

Change #1206956 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] rest-gateway: assign ratelimit class by network range

https://gerrit.wikimedia.org/r/1206956

gerritbot added a project: Patch-For-Review.Nov 18 2025, 8:18 PM
daniel updated the task description. (Show Details)Nov 19 2025, 1:34 PM
daniel changed the task status from Open to In Progress.Nov 20 2025, 8:57 PM
DAlangi_WMF moved this task from Needs refinement to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Nov 21 2025, 9:11 AM
OWresch-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.Nov 21 2025, 11:44 AM
OWresch-WMF moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.
daniel closed this task as Declined.Dec 12 2025, 1:07 PM

It looks like exempting local traffic and relying on x-trusted-request: A is sufficient.

gerritbot added a comment.Dec 17 2025, 8:06 PM

Change #1206956 abandoned by Daniel Kinzler:

[operations/deployment-charts@master] rest-gateway: assign ratelimit class by network range

https://gerrit.wikimedia.org/r/1206956

Maintenance_bot removed a project: Patch-For-Review.Dec 17 2025, 8:31 PM
daniel reopened this task as Open.Feb 26 2026, 12:37 PM
daniel edited projects, added MediaWiki-Platform-Team, MW-Interfaces-Team; removed MediaWiki-Platform-Team (Q3 Kanban Board).
daniel updated the task description. (Show Details)
daniel edited subscribers, added: Raine; removed: SLong-WMF, hnowlan.

Re-opening this. Turns out we still need this mechanism to provide flexibility to mitigate issues with identifying clients behind CGNATs as well as for certain types of internal traffic.

daniel edited parent tasks, added: T417778: rest gateway: enforce rate limits (stage one); removed: T410198: Determine the source of internal requests going through the API gateway..Feb 26 2026, 12:39 PM
daniel updated the task description. (Show Details)
gerritbot added a comment.Feb 26 2026, 3:24 PM

Change #1244696 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] rest-gateway: assign ratelimit class by network range

https://gerrit.wikimedia.org/r/1244696

gerritbot added a project: Patch-For-Review.Feb 26 2026, 3:24 PM
MShilova_WMF subscribed.Feb 26 2026, 4:09 PM
Clement_Goubert triaged this task as High priority.Feb 26 2026, 5:14 PM
Clement_Goubert edited projects, added ServiceOps new, ServiceOps-SharedInfra; removed serviceops-deprecated.
Clement_Goubert moved this task from Inbox to In Progress on the ServiceOps new board.
Atieno moved this task from Incoming (Needs Triage) to Radar (other teams work) on the MW-Interfaces-Team board.Feb 26 2026, 9:23 PM
gerritbot added a comment.Mar 3 2026, 12:59 PM

Change #1244696 merged by jenkins-bot:

[operations/deployment-charts@master] rest-gateway: assign ratelimit class by network range

https://gerrit.wikimedia.org/r/1244696

Maintenance_bot removed a project: Patch-For-Review.Mar 3 2026, 1:31 PM
daniel closed this task as Resolved.Mar 5 2026, 6:38 PM
daniel claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits