bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Hello,

Ricardo Wurmus writes:

> IT had installed some DoS attack protection thing for the DMZ with
> different thresholds based on past access patterns.
>
> Upon my request they have now disabled this completely for our IPs
> corresponding to ci.guix.gnu.org and its sibling node.

I’m late to the party but this is excellent news, thank you!

I guess we can close the issue now, right?

Ludo’.
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Hello,

Ricardo Wurmus writes:

[...]

> IT had installed some DoS attack protection thing for the DMZ with
> different thresholds based on past access patterns.

Probably some of us are using access patterns the "thing" considers DoS :-)

> Upon my request they have now disabled this completely for our IPs
> corresponding to ci.guix.gnu.org and its sibling node.

Thanks a lot!

We should probably consider this (disable any firewall protection) as a requirement when one or more of our public facing hosts' firewalling is not under our direct control.

Now we only have berlin and bayfront as public facing hosts... but for example milan.guix-1 is connected by our build farm via its public IP (ehrm, time to set up wireguard for that, too).

Anyway, AFAIU this "thing" in berlin network is no longer an issue, we do not need a new bug report IMO.

Thank you!

[...]

--
Giovanni Biscuolo

Xelera IT Infrastructures
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Giovanni Biscuolo writes:

> Anyway the DoS Attack protection of the network hosting ci.guix.gnu.org
> /seems/ problematic: how could it be that home IP responsible of a DoS
> attack? Was it a false positive or was it some temporary problem from
> the originating IP network?

IT had installed some DoS attack protection thing for the DMZ with different thresholds based on past access patterns.

Upon my request they have now disabled this completely for our IPs corresponding to ci.guix.gnu.org and its sibling node.

--
Ricardo
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Hi!

Ludovic Courtès writes:

> Ricardo Wurmus writes:
>
>> Ludovic Courtès writes:
>>
>>> I confirm that I still get the problem right now from my home network,
>>> without even really trying: […]
>>
>> Is that through Tor or just your ISP?
>
> It’s just my ISP, no Tor involved. I can share privately my home IP
> address if that helps investigate the problem; let me know.

Given that Altadil told that the service now can be accessed through Tor again, can we close this specific bug now?

It would be good to have some feedback from the NOC, just to know /how/ it was resolved (or was just a temporary tech issue), for example that they do not have a policy to blacklist Tor and whitelist it on demand (I'm just guessing).

What Ludovic found, anyway, is another issue and we should investigate if it is worth a new bug report.

I've tested now with the same

  wget -qO- --debug http://ci.guix.gnu.org | tail

and all seems fine from my ISP (now)

Anyway the DoS Attack protection of the network hosting ci.guix.gnu.org /seems/ problematic: how could it be that home IP responsible of a DoS attack? Was it a false positive or was it some temporary problem from the originating IP network?

We should carefully track these network issues since they have a great impact on user experience.

Thanks! Gio'

--
Giovanni Biscuolo

Xelera IT Infrastructures
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Ricardo Wurmus writes:

> Ludovic Courtès writes:
>
>> I confirm that I still get the problem right now from my home network,
>> without even really trying: […]
>
> Is that through Tor or just your ISP?

It’s just my ISP, no Tor involved. I can share privately my home IP address if that helps investigate the problem; let me know.

Ludo’.
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Ludovic Courtès writes:

> I confirm that I still get the problem right now from my home network,
> without even really trying: […]

Is that through Tor or just your ISP?

--
Ricardo
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Hi,

Ricardo Wurmus writes:

> Ludovic Courtès writes:
>
>> Hello!
>>
>> Ricardo Wurmus writes:
>>
>>> I don’t know. I’m on holidays now, but I’ve opened yet another ticket
>>> to get a definitive answer to my more elaborate variant of “WTF?”.
>>
>> Did you eventually get feedback from them?
>
> I got one response to ask for more information, which I supplied.
> Nothing since. I requested a response just now.

I confirm that I still get the problem right now from my home network, without even really trying:

--8<---cut here---start->8---
$ wget -qO- --debug http://ci.guix.gnu.org |tail
DEBUG output created by Wget 1.21.3.24-2b723 on linux-gnu.

Reading HSTS entries from /home/ludo/.wget-hsts
URI encoding = ‘UTF-8’
Caching ci.guix.gnu.org => 141.80.181.40
Created socket 3.
Releasing 0x017a8e00 (new refcount 1).

---request begin---
GET / HTTP/1.1
Host: ci.guix.gnu.org
User-Agent: Wget/1.21.3.24-2b723
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive

---request end---

---response begin---
HTTP/1.1 200 OK
Content-Length: 4401
Connection: Close
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN

---response end---
URI content encoding = ‘utf-8’
Closed fd 3
Saving HSTS entries to /home/ludo/.wget-hsts
Attack Detected
Blocked because of DoS Attack
Your computer has been blocked because a DoS attack originating from your system was detected.
For more information, contact the system administrator.
--8<---cut here---end--->8---

Ludo’.
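Added example, not part of the thread and not code from the Guix project: the capture above shows the block page arriving with `HTTP/1.1 200 OK`, so a health check that looks only at the status code would report the service as up. The sketch below classifies probe results by body content and tallies them per vantage point; the function names, vantage labels and sample responses are assumptions constructed for illustration (headers copied from the capture, HTML wrapper made up).

```python
import re
from collections import Counter

# Phrases from the block page quoted in this thread.
BLOCK_MARKERS = ("Attack Detected", "Blocked because of DoS Attack")


def classify(raw):
    """Classify one probe: raw HTTP response text, or None for a timeout."""
    if raw is None:
        return "timeout"
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status = re.match(r"HTTP/\d\.\d (\d{3})", head)
    if status is None:
        return "malformed"
    if any(marker in body for marker in BLOCK_MARKERS):
        # Checked before the status code: the capture in the thread shows
        # the block page delivered as "200 OK".
        return "blocked"
    return "ok" if int(status.group(1)) < 400 else "http-error"


def summarize(probes):
    """Count outcomes per vantage point from (vantage, raw_or_None) pairs."""
    counts = {}
    for vantage, raw in probes:
        counts.setdefault(vantage, Counter())[classify(raw)] += 1
    return counts


# Constructed samples: headers follow the wget capture in the thread; the
# HTML wrapper and the "ok" body are made up for illustration.
BLOCK_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Length: 4401\r\nConnection: Close\r\n"
    "Cache-Control: no-cache\r\nContent-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
    "<html><body><h1>Attack Detected</h1>"
    "<p>Blocked because of DoS Attack</p></body></html>"
)
REAL_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>front page</html>"
SAMPLES = [("home-isp", BLOCK_PAGE), ("home-isp", REAL_PAGE),
           ("tor", None), ("tor", None)]

if __name__ == "__main__":
    for vantage, counter in summarize(SAMPLES).items():
        print(vantage, dict(counter))
```

A page that merely quotes the block message (this bug report, for instance) would also match, so a production check should pair the markers with a test for content the real front page is known to contain.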
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Hi Ricardo,

Ricardo Wurmus writes:

> Ludovic Courtès writes:
>
>> Hello!
>>
>> Ricardo Wurmus writes:
>>
>>> I don’t know. I’m on holidays now, but I’ve opened yet another ticket
>>> to get a definitive answer to my more elaborate variant of “WTF?”.
>>
>> Did you eventually get feedback from them?
>
> I got one response to ask for more information, which I supplied.
> Nothing since. I requested a response just now.
>
>> If not, we can start looking for a way to move public-facing services
>> elsewhere. (It may not be trivial because bayfront, which is the other
>> node we’ve traditionally used for that, is super busy these days.)
>
> Yeah, I’d really like this to be fixed. It worked pretty well for
> years, so these seemingly unnecessary changes and the way they are
> applied without any recourse (and without anyone being able to confirm
> that they have in fact changed something) really bother me.

Agreed; I think it's premature to jump ship when we've had such a long and fruitful relationship; let's show some patience and tenacity toward a resolution.

--
Thanks,
Maxim
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Ludovic Courtès writes:

> Hello!
>
> Ricardo Wurmus writes:
>
>> I don’t know. I’m on holidays now, but I’ve opened yet another ticket
>> to get a definitive answer to my more elaborate variant of “WTF?”.
>
> Did you eventually get feedback from them?

I got one response to ask for more information, which I supplied. Nothing since. I requested a response just now.

> If not, we can start looking for a way to move public-facing services
> elsewhere. (It may not be trivial because bayfront, which is the other
> node we’ve traditionally used for that, is super busy these days.)

Yeah, I’d really like this to be fixed. It worked pretty well for years, so these seemingly unnecessary changes and the way they are applied without any recourse (and without anyone being able to confirm that they have in fact changed something) really bother me.

But if our public services keep getting restricted I agree that we should look for an alternative way to host them.

--
Ricardo
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Hello!

Ricardo Wurmus writes:

> I don’t know. I’m on holidays now, but I’ve opened yet another ticket
> to get a definitive answer to my more elaborate variant of “WTF?”.

Did you eventually get feedback from them?

If not, we can start looking for a way to move public-facing services elsewhere. (It may not be trivial because bayfront, which is the other node we’ve traditionally used for that, is super busy these days.)

Thanks again for your support…

Ludo’.
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Tobias Geerinckx-Rice writes:

> On 13 August 2023 00:25:51 UTC, "Ludovic Courtès" wrote:
>>I think it’s worse than this. I noticed that ci.guix.gnu.org (same
>>machine) would occasionally time out on my side, without Tor, starting
>>from this week (I was on vacation before, so I don’t know exactly when
>>it started). From a browser, I get this “DoS attack” HTML page:
>
> Oh, wow. This is new to me.
>
> It's frustrating that $IT keeps adding new significant hurdles with
> apparently 0 communications, and that our only option is often 'ask
> rekado, again, to ask things, again'. That's not right.
>
> Ricardo, do you think there's a chance this trend will improve (without you
> burning out)?

I don’t know. I’m on holidays now, but I’ve opened yet another ticket to get a definitive answer to my more elaborate variant of “WTF?”.

> Otherwise, I'd like to suggest wireguarding berlin's impressive
> hardware resources to bayfront or to a new head node not hosted at the
> MDC, or something similarly provocative. Just give up on hosting
> public services there, like we already migrated the home page. This
> isn't meaningful redundancy.

Good plan.

Sorry about this. It’s frustrating, and I’m stocking up on towels to throw.

--
Ricardo
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
On 13 August 2023 00:25:51 UTC, "Ludovic Courtès" wrote:
>I think it’s worse than this. I noticed that ci.guix.gnu.org (same
>machine) would occasionally time out on my side, without Tor, starting
>from this week (I was on vacation before, so I don’t know exactly when
>it started). From a browser, I get this “DoS attack” HTML page:

Oh, wow. This is new to me.

It's frustrating that $IT keeps adding new significant hurdles with apparently 0 communications, and that our only option is often 'ask rekado, again, to ask things, again'. That's not right.

Ricardo, do you think there's a chance this trend will improve (without you burning out)?

Otherwise, I'd like to suggest wireguarding berlin's impressive hardware resources to bayfront or to a new head node not hosted at the MDC, or something similarly provocative. Just give up on hosting public services there, like we already migrated the home page. This isn't meaningful redundancy.

Kind regards,

T G-R

Sent on the go. Excuse or enjoy my brevity.
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Hi,

(Cc: guix-sysadmin.)

Tobias Geerinckx-Rice writes:

> On 2023-08-04 18:57, Altadil via Bug reports for GNU Guix wrote:

[...]

>> The result is an error message saying: "The connection has timed out".
>> It looks like a general block of Tor rather than a block of specific
>> IPs, since attempting with different Tor circuits does not change the
>
> The Guix project does not block Tor. If the datacentre has decided to
> block Tor like it blocked most of Russia, there is little we can do
> but ask them to reconsider.

I think it’s worse than this. I noticed that ci.guix.gnu.org (same machine) would occasionally time out on my side, without Tor, starting from this week (I was on vacation before, so I don’t know exactly when it started). From a browser, I get this “DoS attack” HTML page:

The HTML doesn’t contain clues as to where it originates from.

--8<---cut here---start->8---
$ wget -qO- http://ci.guix.gnu.org | tail
Attack Detected
Blocked because of DoS Attack
Your computer has been blocked because a DoS attack originating from your system was detected.
For more information, contact the system administrator.
--8<---cut here---end--->8---

Some firewall-ish network equipment must be sitting right before our machine. It’s a problem because fetching narinfos and nars is likely to count as a “DoS attack”.

Could it be some change at the MDC?

Thanks,
Ludo’.
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
On 2023-08-04 21:21, Tobias Geerinckx-Rice via Bug reports for GNU Guix wrote:

> The Guix project does not block Tor. If the datacentre has decided to
> block Tor like it blocked most of Russia, there is little we can do
> but ask them to reconsider.

Didn't mean to sound quite so fatalistic. We could always migrate issues. to a different machine, like guix.gnu.org was, but it's not very satisfying.

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Hi Altadil,

On 2023-08-04 18:57, Altadil via Bug reports for GNU Guix wrote:

> it is no longer possible to get to the bug database at
> https://issues.guix.gnu.org/ when using Tor Browser.

I forgot to mention this on IRC, but issues. is ‘simply’ a nicer unified frontend to the venerable GNU Debbugs instance. You can use its own[1] interface[2] as a work-around.

> The result is an error message saying: "The connection has timed out".
> It looks like a general block of Tor rather than a block of specific
> IPs, since attempting with different Tor circuits does not change the

The Guix project does not block Tor. If the datacentre has decided to block Tor like it blocked most of Russia, there is little we can do but ask them to reconsider.

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.

[1]: https://debbugs.gnu.org/cgi/pkgreport.cgi?package=guix
[2]: https://debbugs.gnu.org/cgi/pkgreport.cgi?package=guix-patches
bug#65056: https://issues.guix.gnu.org/ cannot be accessed through Tor
Hi,

it is no longer possible to get to the bug database at https://issues.guix.gnu.org/ when using Tor Browser.

The result is an error message saying: "The connection has timed out". It looks like a general block of Tor rather than a block of specific IPs, since attempting with different Tor circuits does not change the result.

Best regards,
Altadil