-
Notifications
You must be signed in to change notification settings - Fork 88
/
misc-frontend.inc.vcl.erb
128 lines (113 loc) · 4.77 KB
/
misc-frontend.inc.vcl.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
include "geoip.inc.vcl";
sub cluster_fe_vcl_switch {
// We need to be able to tell that this domain is an alt domain down the
// line.
set req.http.X-IS-ALT-DOMAIN = "1";
}
sub cluster_fe_recv_pre_purge {
if (std.ip(req.http.X-Client-IP, "192.0.2.1") ~ phabricator_abusers && (req.http.Host == "phabricator.wikimedia.org" || req.http.Host == "phab.wmfusercontent.org")) {
return (synth(403, "Requests from your IP have been blocked, please contact noc@wikimedia.org"));
}
}
sub cluster_fe_recv {
// STS-preload checker doesn't like [45]xx responses, but 3xx is OK, so
// re-use the TLS-redirector code and send them to the wikimedia site.
if (req.http.Host == "wmfusercontent.org") {
set req.http.Location = "https://www.wikimedia.org";
return (synth(301, "STS Preload Redirect"));
}
}
sub cluster_fe_recv_tail {
if (req.method != "GET" && req.method != "HEAD") {
// We only deal with GET and HEAD
return (pass);
}
// don't cache authorized requests
if (req.http.Authorization) {
return (pass);
}
// Don't cache cookie requests. Cache requests with google analytics cookies and our
// own global WMF-Last-Access, WMF-Last-Access-Global GeoIP, CP, and NetworkProbeLimit cookies.
set req.http.NC-Cookie = regsuball(req.http.Cookie, "(?i)(^|;\s*)(_ga[-_a-z]*|_utm[-_a-z]*|_pk_(id|ses)\.[^=]*|WMF-Last-Access(-Global)?|GeoIP|CP|NetworkProbeLimit)=[^;]*", "");
set req.http.NC-Cookie = regsub(req.http.NC-Cookie, "^;?\s*", "");
if (req.http.NC-Cookie != "") {
unset req.http.NC-Cookie;
return (pass);
}
unset req.http.NC-Cookie;
}
sub cluster_fe_hash { }
sub cluster_fe_ratelimit {
// TODO: move all these rules to requestctl if possible.
// For now, add the requestctl header for them too,
// so that we have some more insight into which rule is kicking in
// Set the header to the empty string if not present.
if (!req.http.X-Requestctl) {
set req.http.X-Requestctl = "";
}
// Requests in violation of the User-Agent policy
if (req.http.User-Agent ~ "^python-requests" && req.http.Host == "query.wikidata.org") {
// UA-policy violations: 10/10s (1/s long term, with 10 burst)
if (vsthrottle.is_denied("wdqs-ua-policy:" + req.http.X-Client-IP, 10, 10s)) {
set req.http.X-Requestctl = req.http.X-Requestctl + ",static_wdqs_ua_policy";
return (synth(429, "Too many requests. Please comply with the User-Agent policy to get a higher rate limit: https://meta.wikimedia.org/wiki/User-Agent_policy"));
}
}
// vscode-phabricator is too aggressive in caching users https://phabricator.wikimedia.org/T270482 (private task)
if (req.http.User-Agent ~ "^vscode-phabricator" && req.http.Host == "phabricator.wikimedia.org") {
// UA-policy violations: 30/10s (3/s long term, with 30 burst)
if (vsthrottle.is_denied("vscode-phab-ua-policy:" + req.http.X-Client-IP, 30, 10s)) {
set req.http.X-Requestctl = req.http.X-Requestctl + ",static_vscode_phab_ua_policy";
return (synth(429, "vscode-phabricator fetches users too aggressively: https://phabricator.wikimedia.org/T271528"));
}
}
<%- if @etcd_filters -%>
// These are the ratelimits generated from etcd
// They're only applied to external clients
if (std.ip(req.http.X-Client-IP, "192.0.2.1") !~ wikimedia_nets) {
include "requestctl-filters.inc.vcl";
}
<%- end -%>
}
sub cluster_fe_hit {
call cluster_fe_ratelimit_hit;
}
sub cluster_fe_ratelimit_hit {
<%- if @etcd_filters -%>
// These are the ratelimits generated from etcd
// They're only applied to external clients
if (std.ip(req.http.X-Client-IP, "192.0.2.1") !~ wikimedia_nets) {
include "requestctl-filters-hit.inc.vcl";
}
<%- end -%>
}
sub cluster_fe_miss {
call cluster_fe_ratelimit;
}
sub cluster_fe_pass {
call cluster_fe_ratelimit;
}
sub cluster_fe_backend_fetch {
// When we receive NEL reports, attach some GeoIP data as backend request headers.
if (bereq.http.Host == "intake-logging.wikimedia.org") {
call nel_geoip_bereq;
}
set bereq.http.X-Varnish-Cluster = "misc";
}
sub cluster_fe_backend_response_early { }
sub cluster_fe_backend_response {
// hit_for_pass on objects >= 256K. Do *not* cache objects without CL
if (std.integer(beresp.http.Content-Length, 262144) >= 262144 || beresp.http.Content-Length ~ "^[0-9]{9}") {
// HFP
set beresp.http.X-CDIS = "pass";
return(pass(beresp.ttl));
}
}
sub cluster_fe_deliver { }
sub cluster_fe_err_synth {
if (resp.reason == "STS Preload Redirect") {
set resp.http.Location = req.http.Location;
set resp.http.Content-Length = "0"; // T64245
return(deliver);
}
}