Page MenuHomePhabricator
Create Task
Maniphest T412396

Pass through information about the client from the CDN to MediaWiki to Logstash
Open, Needs TriagePublic
Actions

Description

MediaWiki is logging IP and user agent for security-sensitive events (such as login attempts) in Logstash. This is not that useful today - it's common that an attacker is rotating through many IPs and fake browser UAs, and we can easily sample the attack (because some aspect of it causes a big spike) but we'd want to identify all the requests (because there might be other aspects of it) and with just IP/UA that can be hard.

The CDN keeps track of less obvious / harder to game information about clients via the backend API headers and JA3N/JA4H hashes, and it would be useful to have those in Logstash (assuming there are no privacy concerns). That would require 1) passing the relevant headers through to MediaWiki, 2) adding them to the security log context (T395204).

Sending these headers from the CDN is something we'd probably want to do anyway for the API gateway.

Acceptance criteria

  • x_is_browser_likely_script and x_is_browser_likely_browser are logged via at least WebRequest::getSecurityLogContext(), if not on all logs

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
debug: Add X-Provenance header to Logstashoperations/mediawiki-configmaster+11 -0
debug: Add some CDN Backend API headers to Logstashoperations/mediawiki-configmaster+15 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Dec 11 2025, 12:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 11 2025, 12:59 PM
Tgr added a project: MediaWiki-Platform-Team.Dec 15 2025, 1:57 PM
Krinkle added a parent task: T398815: WE5.1.2 Verifiable MediaWiki sessions.Dec 16 2025, 4:15 PM
Krinkle moved this task from Inbox, needs triage to Q3 Kanban Board on the MediaWiki-Platform-Team board.
Krinkle edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.
kostajh updated the task description. (Show Details)Dec 19 2025, 9:15 AM
kostajh subscribed.
OWresch-WMF moved this task from Essential Work to OKR Work on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Tue, Jan 13, 11:11 AM
kostajh added a project: SRE.Tue, Jan 13, 2:42 PM
  1. passing the relevant headers through to MediaWiki

Who from SRE could help with this?

ssingh added subscribers: CDanis, Vgutierrez, ssingh.Tue, Jan 13, 3:27 PM
In T412396#11516901, @kostajh wrote:
  1. passing the relevant headers through to MediaWiki

Who from SRE could help with this?

I am taking the liberty of adding @CDanis and @Vgutierrez for their comments, in case they want to add something here.

gerritbot added a comment.Wed, Jan 14, 11:09 AM

Change #1226815 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] debug: Add some CDN Backend API headers to Logstash

https://gerrit.wikimedia.org/r/1226815

gerritbot added a project: Patch-For-Review.Wed, Jan 14, 11:09 AM
gerritbot added a comment.Wed, Jan 14, 2:25 PM

Change #1226815 merged by jenkins-bot:

[operations/mediawiki-config@master] debug: Add some CDN Backend API headers to Logstash

https://gerrit.wikimedia.org/r/1226815

Stashbot added a comment.Wed, Jan 14, 2:25 PM

Mentioned in SAL (#wikimedia-operations) [2026-01-14T14:25:43Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1226815|debug: Add some CDN Backend API headers to Logstash (T412396)]]

Stashbot added a comment.Wed, Jan 14, 2:28 PM

Mentioned in SAL (#wikimedia-operations) [2026-01-14T14:28:13Z] <tgr@deploy2002> tgr: Backport for [[gerrit:1226815|debug: Add some CDN Backend API headers to Logstash (T412396)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Maintenance_bot removed a project: Patch-For-Review.Wed, Jan 14, 2:31 PM
Vgutierrez added a comment.Wed, Jan 14, 2:32 PM

the headers described on https://wikitech.wikimedia.org/wiki/CDN/Backend_api and x-ja3n/x-ja4h should be hitting MediaWiki already

Stashbot added a comment.Wed, Jan 14, 2:36 PM

Mentioned in SAL (#wikimedia-operations) [2026-01-14T14:36:05Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1226815|debug: Add some CDN Backend API headers to Logstash (T412396)]] (duration: 10m 21s)

Tgr claimed this task.Wed, Jan 14, 3:58 PM
Tgr moved this task from OKR Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.

We should also update some of the dashboards (at least the login one) with some of this data.

Tgr added a comment.Wed, Jan 14, 4:02 PM
In T412396#11521361, @Vgutierrez wrote:

the headers described on https://wikitech.wikimedia.org/wiki/CDN/Backend_api and x-ja3n/x-ja4h should be hitting MediaWiki already

Yeah, thanks, I misunderstood some past discussion. Most of the data is in Logstash now (X-Provenance still TBD as it has more structure).

gerritbot added a comment.Wed, Jan 14, 4:51 PM

Change #1226903 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] debug: Add X-Provenance header to Logstash

https://gerrit.wikimedia.org/r/1226903

gerritbot added a project: Patch-For-Review.Wed, Jan 14, 4:51 PM
gerritbot added a comment.Mon, Jan 19, 9:14 PM

Change #1226903 merged by jenkins-bot:

[operations/mediawiki-config@master] debug: Add X-Provenance header to Logstash

https://gerrit.wikimedia.org/r/1226903

Stashbot mentioned this in T414711: Add an autopatroller protection level to English Wikiquote.Mon, Jan 19, 9:14 PM

Mentioned in SAL (#wikimedia-operations) [2026-01-19T21:14:22Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1227493|enwikiquote: Add autopatroller protection option (T414711)]], [[gerrit:1226903|debug: Add X-Provenance header to Logstash (T412396)]], [[gerrit:1226366|Urwikiquote: restore flipped icon (T413592)]]

Stashbot mentioned this in T413592: Urdu Wikiquote update wordmark.Mon, Jan 19, 9:14 PM

Mentioned in SAL (#wikimedia-operations) [2026-01-19T21:16:22Z] <tgr@deploy2002> seawolf35gerrit, pppery, tgr: Backport for [[gerrit:1227493|enwikiquote: Add autopatroller protection option (T414711)]], [[gerrit:1226903|debug: Add X-Provenance header to Logstash (T412396)]], [[gerrit:1226366|Urwikiquote: restore flipped icon (T413592)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Mon, Jan 19, 9:24 PM

Mentioned in SAL (#wikimedia-operations) [2026-01-19T21:24:20Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1227493|enwikiquote: Add autopatroller protection option (T414711)]], [[gerrit:1226903|debug: Add X-Provenance header to Logstash (T412396)]], [[gerrit:1226366|Urwikiquote: restore flipped icon (T413592)]] (duration: 09m 58s)

Maintenance_bot removed a project: Patch-For-Review.Mon, Jan 19, 9:31 PM
Tgr added a comment.Mon, Jan 19, 10:00 PM

Code-wise this is done. Should probably update some dashboards.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits