Page MenuHomePhabricator
Create Task
Maniphest T135046

Allowlist Cloud VPS instances that need XFF header passed through the web proxy
Closed, ResolvedPublic
Actions

Description

Currently, labs instances with a webserver can see the IP address of a user. Default webserver installs in labs don't record access logs, but it would be easy for an instance owner to start logging the XFF header for requests, and keep IP<->Account information on the host, which is considered private under the WMF privacy policy.

Since labs instances have their own privacy policies, this isn't a violation of the WMF policy. However, it would be nice to not give instances the option.

It appears that only one instance is known to actually need that data. Let's whitelist that, and any others that specifically need the XFF data, and remove the header for other instances.

Details

SubjectRepoBranchLines +/-
dynamicproxy: add support for dynamic XFF per FQDNoperations/puppetproduction+13 -6
cloud: novaproxy: fix default value for String typed hiera keysoperations/puppetproduction+2 -2
cloud: refactor novaproxy roleoperations/puppetproduction+83 -86
Customize query in gerrit

Related Objects

Event Timeline

csteipp created this task.May 11 2016, 8:45 PM
Restricted Application added a project: Cloud-Services. · View Herald TranscriptMay 11 2016, 8:45 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald Transcript
yuvipanda added a comment.May 11 2016, 8:47 PM

(the one instance is UTRS).

We can do this by maintaining a whitelist of IPs / domains in puppet, and adding an if in nginx for that. That should be fast enough and simple.

We should announce this and then Make It So.

Krenair subscribed.May 11 2016, 9:13 PM

Labs instances can get public IPs though

ZhouZ added a project: WMF-Legal.May 11 2016, 9:16 PM
Restricted Application added a subscriber: JEumerus. · View Herald TranscriptMay 11 2016, 9:16 PM
ZhouZ moved this task from Backlog to Assigned on the WMF-Legal board.May 11 2016, 9:16 PM
ZhouZ subscribed.
chasemp triaged this task as High priority.May 31 2016, 3:39 PM
stwalkerster added subscribers: FastLizard4, stwalkerster.EditedJun 19 2016, 9:43 PM

account-creation-assistance also currently has (and continues to need - T61662 ) access to the XFF data from the web proxy.

zhuyifei1999 subscribed.Jun 20 2016, 5:45 AM
yuvipanda added a comment.Aug 23 2016, 6:51 AM

We can easily just whitelist utrs and account-creation-assistance, and blacklist all others. Need to announce tho...

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:42 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed Cloud-VPS.Mar 24 2019, 10:32 AM
bd808 subscribed.Feb 25 2020, 5:47 PM

Current status of this is that T61662: Pass XFF headers through the proxy configured by Special:NovaProxy started passing the XFF headers to all upstream servers behind the domainproxy deployment of dynamicproxy (*.wmflabs.org). XFF headers are not passed to upstream servers behind the urlproxy (tools.wmflabs.org/*.toolforge.org).

In retrospect, the fix for T61662 should not have happened this way.

Andrew assigned this task to aborrero.Mar 10 2020, 4:27 PM
JFishback_WMF added a project: Privacy Engineering.Mar 23 2020, 11:49 PM
JFishback_WMF moved this task from Intake to Backlog on the Privacy board.
JFishback_WMF moved this task from Incoming to Backlog on the Privacy Engineering board.
gerritbot added a comment.Mar 24 2020, 4:00 PM

Change 583098 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] dynamicproxy: add support for dynamic XFF per FQDN

https://gerrit.wikimedia.org/r/583098

gerritbot added a project: Patch-For-Review.Mar 24 2020, 4:00 PM
gerritbot added a comment.Mar 25 2020, 12:03 PM

Change 583316 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: refactor novaproxy role

https://gerrit.wikimedia.org/r/583316

Stashbot added a comment.Mar 25 2020, 12:18 PM

Mentioned in SAL (#wikimedia-cloud) [2020-03-25T12:18:46Z] <arturo> disable puppet in the 2 VMs to try refactoring the puppet role https://gerrit.wikimedia.org/r/c/operations/puppet/+/583316 (T135046)

gerritbot added a comment.Mar 25 2020, 12:19 PM

Change 583316 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: refactor novaproxy role

https://gerrit.wikimedia.org/r/583316

gerritbot added a comment.Mar 25 2020, 12:27 PM

Change 583318 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: novaproxy: fix default value for String typed hiera keys

https://gerrit.wikimedia.org/r/583318

gerritbot added a comment.Mar 25 2020, 12:30 PM

Change 583318 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: novaproxy: fix default value for String typed hiera keys

https://gerrit.wikimedia.org/r/583318

Stashbot added a comment.Mar 25 2020, 12:34 PM

Mentioned in SAL (#wikimedia-cloud) [2020-03-25T12:34:53Z] <arturo> enable puppet in the 2 VMs. Role is now role::wmcs::novaproxy. Hiera was updated accordingly too (T135046)

Stashbot added a comment.Mar 25 2020, 12:51 PM

Mentioned in SAL (#wikimedia-cloud) [2020-03-25T12:51:57Z] <arturo> disable puppet in the 2 VMs again for testing XFF changes https://gerrit.wikimedia.org/r/c/operations/puppet/+/583098 (T135046)

aborrero added a comment.Mar 25 2020, 1:41 PM

Ready for review & merge: https://gerrit.wikimedia.org/r/c/operations/puppet/+/583098

The patch will drop the XFF header for all backends except the ones we specify, so we need to collect them first add them to a hiera list (in horizon):

profile::wmcs::novaproxy::xff_fqdns:
 - myfqdn1.wmflabs.org <-- will recv XFF
 - myfqdn2.wmflabs.org <-- will recv XFF

From the backlog I get that only accounts.wmflabs.org needs it?

Krenair added a comment.Mar 25 2020, 1:44 PM

This might be something that requires cloud-announce posts and a window of
time for people to submit their things to be added.

stwalkerster added a subscriber: AmandaNP.Mar 25 2020, 2:43 PM

It would be useful to get accounts-dev.wmflabs.org whitelisted too, so we don't have to test stuff on the "prod" tool. I'm not too fussed if that's not possible though.

I think UTRS needs this as well? @DeltaQuad can confirm on that one.

aborrero added a comment.Apr 1 2020, 12:18 PM
In T135046#5998275, @Krenair wrote:

This might be something that requires cloud-announce posts and a window of
time for people to submit their things to be added.

Done: https://lists.wikimedia.org/pipermail/cloud-announce/2020-April/000272.html

We will introduce the change on 2020-04-15. Until then, I hope we collect a list of stuff that requires whitelisting. As of today this list is:

  • accounts.wmflabs.org
  • accounts-dev.wmflabs.org
AmandaNP added a comment.Apr 2 2020, 12:15 AM

As mentioned above, UTRS does need this also on both:
utrs-beta.wmflabs.org
utrs.wmflabs.org

MusikAnimal subscribed.Apr 14 2020, 5:44 PM

Hello! I help maintain XTools, which as I think you know already is subject to significant disruptive automation, web crawlers (that ignore robots.txt), and more rarely just overzealous users, any of which can hog up all the db connections and result in downtime. The service is something people heavily depend on, so I have put significant work into being able to keep out this disruption.

I will admit, I never really thought about getting the IP from the XFF header... that would have saved me an immense amount of time, and going by that would mean a lot less false positives. Instead, I'm going by user agent and other heuristics (see /var/www/config/request_blacklist.yml on xtools-prod06). This actually largely works well, but some bots I just can't block because they have the same UA as innocent humans. Worse, Chrome will soon be freezing user agents (e.g. T242825)... and that accounts for most users, bots included. So in about a year or so going by UAs just won't work anymore.

There are still a LOT of bots scraping XTools. I made a log-only system that exposes possible crawlers (it looks for rapid requests that change the interface language, meaning it's clicking on all the links in the language dropdown -- something humans don't do). You can review /var/www/var/log/crawler.log to see what we're dealing with everyday.

There is the nuclear option of just putting everything behind a login wall, and that can be considered. It is a last resort, though, because many outside researchers use XTools. We would much prefer to not make them go through account creation. We also need to figure out why login sessions don't persist (T224382), but I digress.

So, I'm wondering if XTools could be whitelisted, too, given it's popularity and issues with disruptive automation? Incidentally, all maintainers are staff, and one volunteer who has signed the NDA for non-public information.

Another idea -- perhaps it's possible to pass the instances a one-way hash of the IP? As long as it's unique, that'd be enough for our purposes and also maintain the user's privacy. As I understand it, this is similar to what Anti-Harassment is planning to do for temporary accounts in MediaWiki.

aborrero added a comment.Apr 14 2020, 5:48 PM

@MusikAnimal your use case seems sensible. We can keep it whitelisted.

Stashbot added a comment.Apr 15 2020, 9:21 AM

Mentioned in SAL (#wikimedia-cloud) [2020-04-15T09:21:00Z] <arturo> disable to puppet for a controlled merge of https://gerrit.wikimedia.org/r/c/operations/puppet/+/583098 (T135046)

aborrero added a comment.Apr 15 2020, 9:23 AM

Applied this change to hiera in horizon:

https://gerrit.wikimedia.org/r/plugins/gitiles/cloud/instance-puppet/+/refs/heads/master%5E%21/#F0

diff --git a/project-proxy/_.yaml b/project-proxy/_.yaml
index 705d0a0..9b64aaa 100644
--- a/project-proxy/_.yaml
+++ b/project-proxy/_.yaml

@@ -4,3 +4,10 @@
 - proxy-02.project-proxy.eqiad.wmflabs
 profile::wmcs::novaproxy::block_ref_re: koeri.boun.edu.tr
 profile::wmcs::novaproxy::use_ssl: true
+profile::wmcs::novaproxy::xff_fqdns:
+- accounts.wmflabs.org
+- accounts-dev.wmflabs.org
+- utrs-beta.wmflabs.org
+- utrs.wmflabs.org
+- xtools.wmflabs.org
+- xtools-dev.wmflabs.org
gerritbot added a comment.Apr 15 2020, 9:23 AM

Change 583098 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] dynamicproxy: add support for dynamic XFF per FQDN

https://gerrit.wikimedia.org/r/583098

aborrero closed this task as Resolved.Apr 15 2020, 9:43 AM

I spot checked the apache logs for the affected projects, and only the account project seems to dump the XFF header in the logs. In case you need it, they do something like:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

The change is now live, thanks you all!

Maintenance_bot removed a project: Patch-For-Review.Apr 15 2020, 10:11 AM
MusikAnimal added a comment.EditedApr 15 2020, 8:05 PM

@aborrero Looks like the google-api-proxy project needs to be whitelisted, too. See T250312: HTTP 403 Error when using google-api-proxy on VPS. See the puppet role. Right now all requests to the proxy are getting 403s. It looks like it's simply checking the incoming IP to ensure it's internal. I thought you could just do that via the security groups on Horizon? Do we need the puppet role, too?

Resolved, thank you!

MusikAnimal mentioned this in T250312: HTTP 403 Error when using google-api-proxy on VPS.Apr 15 2020, 8:09 PM
Stashbot added a comment.Apr 15 2020, 8:22 PM

Mentioned in SAL (#wikimedia-cloud) [2020-04-15T20:22:54Z] <bd808> Added google-api-proxy.wmflabs.org & googlevision-api-proxy.wmflabs.org to profile::wmcs::novaproxy::xff_fqdns (T135046, T250312)

aborrero mentioned this in T266680: Cloud VPS Proxy does not set X-Forwarded-For.Oct 29 2020, 2:03 PM
MusikAnimal added a comment.Apr 1 2021, 9:39 PM

@aborrero For the same reasons as T135046#6056334, I am requesting that XFF headers be allowed for the wikisource VPS project, maintained by Community-Tech. We have had a long battle with fighting disruptive bots, and sometimes they use human UAs and I can't feasibly block them without collateral damage. Could this be arranged? Let me know if I should open a new task. Thank you!

bd808 added a comment.Apr 1 2021, 9:40 PM
In T135046#6966632, @MusikAnimal wrote:

@aborrero For the same reasons as T135046#6056334, I am requesting that XFF headers be allowed for the wikisource VPS project, maintained by Community-Tech. We have had a long battle with fighting disruptive bots, and sometimes they use human UAs and I can't feasibly block them without collateral damage. Could this be arranged? Let me know if I should open a new task. Thank you!

Yes, open a new task.

MusikAnimal mentioned this in T279111: Request to enable XFF headers for wikisource VPS project.Apr 1 2021, 9:57 PM
bd808 mentioned this in T320585: 2012 draft of a user agreement to disclose IPs and passwords; status?.Oct 12 2022, 1:03 AM
MusikAnimal mentioned this in T334439: Request to enable XFF headers for new XTools hostnames.Apr 11 2023, 1:29 AM
bd808 renamed this task from Whitelist labs instances that need XFF header passed through the web proxy to Allowlist Cloud VPS instances that need XFF header passed through the web proxy.Jun 28 2023, 5:06 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits