Page MenuHomePhabricator
Create Task
Maniphest T417864

haproxy: capture x-wmf-* headers in webrequest data set
Closed, ResolvedPublic
Actions

Description

The webrequest analytics data set should include ratelimit information exposed by the REST gateway using the x-wmf-* headers (see T417780). In particular, the following headers will be exposed:

  • x-wmf-ratelimit-class
  • x-wmf-user-id postponed until we have clarity on privacy concerns

From this slack thread :
On the HAProxy / HaproxyKafka side this could be summarized (roughly) as:

  • Read response headers (coming from API) and save it to a variable
  • Edit the log format to include the new variable
  • Remove the response header to avoid sending it to the client
  • Edit HaproxyKafka (edit/recompile/repackage/distribute across all nodes) to correctly read the new log format (read the new fields and include them in the document sent to Kafka)

There is a concern about sending a user identifier in webrequest (user_id).
As of now no user identifying cookie flows in this dataset
It would be good to have a confirmation from the security team that this is ok.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
varnish: add trusted_req and rl_class fields to x-analyticsoperations/puppetproduction+56 -0
cache::haproxy: save x-ratelimit-class content for webrequestoperations/puppetproduction+6 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

daniel created this task.Feb 19 2026, 9:37 AM
daniel moved this task from Incoming (Needs Triage) to Radar (other teams work) on the MW-Interfaces-Team board.
JAllemandou added a project: Traffic.Feb 19 2026, 1:23 PM
JAllemandou updated the task description. (Show Details)Feb 19 2026, 1:56 PM
daniel updated the task description. (Show Details)Feb 19 2026, 2:20 PM

Let's postpone capturing x-wmf-user-id. x-wmf-ratelimit-class is the urgent one.

Note that x-wmf-user-id still needs to be tripped!

Clement_Goubert merged a task: T414349: Log rate limits from rest-gateway in webrequests.Feb 19 2026, 2:56 PM
Clement_Goubert added subscribers: akosiaris, Joe, hnowlan and 2 others.
Clement_Goubert added a comment.Feb 19 2026, 2:59 PM

In the merged task, I was proposing not creating a new header, but instead adding to the existing X-Requestctl header using the same convention we use for haproxy applied rules, so something like X-Requestctl: rgw:${x-wmf-ratelimit-class}.

MShilova_WMF subscribed.Feb 19 2026, 6:35 PM
KCVelaga_WMF subscribed.Feb 23 2026, 7:47 AM
Vgutierrez subscribed.Feb 24 2026, 4:34 PM
In T417864#11632385, @Clement_Goubert wrote:

In the merged task, I was proposing not creating a new header, but instead adding to the existing X-Requestctl header using the same convention we use for haproxy applied rules, so something like X-Requestctl: rgw:${x-wmf-ratelimit-class}.

I don't think this is a good idea.. X-Requestctl reports the requestctl rules that matched against a request, "polluting" it with rest gateway rate-limit classes could be confusing

Fabfur subscribed.Feb 25 2026, 10:13 AM
gerritbot added a comment.Feb 25 2026, 3:55 PM

Change #1243870 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] cache::haproxy: save x-wmf-ratelimit-class content for webrequest

https://gerrit.wikimedia.org/r/1243870

gerritbot added a project: Patch-For-Review.Feb 25 2026, 3:55 PM
Fabfur added a comment.Feb 25 2026, 4:18 PM

@daniel it could be helpful to have some (also fake) example of values for X-WMF-Ratelimit-Class headers, to do some optimization in the pipeline, do you have some ?

Ottomata moved this task from Incoming (new tickets) to Q3 FY25/26 January 1st - March 31th on the Data-Engineering board.Feb 25 2026, 5:29 PM
Ottomata edited projects, added Data-Engineering (Q3 FY25/26 January 1st - March 31th); removed Data-Engineering.
CodeReviewBot added a comment.Feb 26 2026, 8:21 AM

fabfur opened https://gitlab.wikimedia.org/repos/sre/haproxykafka/-/merge_requests/105

Introduce x_wmf_ratelimit_class new variable

CodeReviewBot added a comment.Feb 27 2026, 3:02 PM

fabfur merged https://gitlab.wikimedia.org/repos/sre/haproxykafka/-/merge_requests/105

Introduce x_ratelimit_class new variable

Fabfur added a comment.EditedMar 2 2026, 11:29 AM

Thanks to the @JAllemandou summary, I've wrote down some simple notes to understand the amount of work and the missing pieces, please have a look and eventually comment/fix:

Informationsourceheader nameX-Analitics key nameNotesNeed to be removed at edge?
Ratelimit ClassBackendX-WMF-Ratelimit-Classrl_classCRYes
x-trusted-requestHAProxyX-Trusted-Requesttrusted_reqCRNo (request header)
x-provenance-X-Provenance-NO NEED TO ADD IT TO X-AnalyticsNo
Auth TypeBackend??Will be set in X-Analytics directly in the backend responseNo (not a separate header)
X-Is-BrowserHAProxyX-Is-Browserx_is_browserAlready added to X-Analytics by Varnish when foundNo (request header)

IIUC at the moment the area where I can proceed is the X-Trusted-Request header that needs to be "capture" in the requests by Varnish and appended to X-Analytics (key should be x_trusted_request=... to stick with the current nomenclature.

gerritbot added a comment.Mar 2 2026, 11:37 AM

Change #1247034 had a related patch set uploaded (by Fabfur; author: Fabfur):

[operations/puppet@production] varnish: add headers to x-analytics

https://gerrit.wikimedia.org/r/1247034

gerritbot added a comment.Mar 2 2026, 11:38 AM

Change #1243870 abandoned by Fabfur:

[operations/puppet@production] cache::haproxy: save x-ratelimit-class content for webrequest

Reason:

superseded by 1247034

https://gerrit.wikimedia.org/r/1243870

Tgr added a comment.Mar 2 2026, 2:38 PM

Can be set in X-Analytics directly in the backend response ?

Yes, the plan is to do that for now: T418606: Include session type in x-analytics header

Will probably have to be rethought once we start caching authenticated responses.

JAllemandou claimed this task.Mar 4 2026, 10:16 AM
JAllemandou moved this task from Next Up to In progress on the Data-Engineering (Q3 FY25/26 January 1st - March 31th) board.
gerritbot added a comment.Mar 4 2026, 10:31 AM

Change #1247034 merged by Fabfur:

[operations/puppet@production] varnish: add trusted_req and rl_class fields to x-analytics

https://gerrit.wikimedia.org/r/1247034

Maintenance_bot removed a project: Patch-For-Review.Mar 4 2026, 10:31 AM
Fabfur added a comment.Mar 4 2026, 10:37 AM

The patch has been merged and will be propagated shortly to all cache hosts. This means that the headers X-WMF-Ratelimit-Class and X-Trusted-Request will soon be present in X-Analytics

daniel added a comment.Mar 5 2026, 6:49 PM

With T417780 deployed, you should be seeing data come in now. @Fabfur can you confirm?

Fabfur added a comment.Mar 5 2026, 7:29 PM

Hi @daniel I can confirm I see the x_is_browser, trusted_req and rl_class fields in webrequest (text), good job!

daniel closed this task as Resolved.Mar 5 2026, 8:18 PM
In T417864#11678858, @Fabfur wrote:

Hi @daniel I can confirm I see the x_is_browser, trusted_req and rl_class fields in webrequest (text), good job!

Excellent! I'll close this ticket, then.

HCoplin-WMF mentioned this in T419736: Add new API rate limiting fields from webrequest_logs to Turnilo view.Mar 11 2026, 4:57 PM
Ahoelzl moved this task from In progress to Done on the Data-Engineering (Q3 FY25/26 January 1st - March 31th) board.Fri, Apr 3, 10:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits