infrastructure/k8s-cluster
1
0
Fork 2
Code Issues 29 Pull requests 10 Projects Releases Packages Wiki Activity

fix: anubis must not OG_PASSTHROUGH #481

Closed
earl-warren wants to merge 1 commit from refs/pull/521/head097a9d207156ea01dc1a2366b49635871e704aa2 into main07a6b46dd9a8aef654452358c985e72d33a23fa2
pull from: refs/pull/521/head097a9d207156ea01dc1a2366b49635871e704aa2
merge into: infrastructure:main07a6b46dd9a8aef654452358c985e72d33a23fa2
Conversation 3 Commits 1 Files changed 3 +3 -7
earl-warren commented 2025-05-29 20:26:34 +00:00
First-time contributor
Copy link

OG_PASSTHROUGH is self defeating in the patterns used to crawl
forgejo because there is a very wide variety of URLs. It is only
effective when a lot of requests are made in a short (24h) period
of time.

Since Matrix and all user agents in need of OpenGraph announce
themselves with proper user agents, it is enough to only route
user agents matching Mozilla|Opera to anubis and let the rest go
directly to Forgejo.

OG_PASSTHROUGH is self defeating in the patterns used to crawl forgejo because there is a very wide variety of URLs. It is only effective when a lot of requests are made in a short (24h) period of time. Since Matrix and all user agents in need of OpenGraph announce themselves with proper user agents, it is enough to only route user agents matching Mozilla|Opera to anubis and let the rest go directly to Forgejo.
earl-warren added 1 commit 2025-05-29 20:26:34 +00:00
fix: anubis must not OG_PASSTHROUGH
Some checks failed
build / lint (pull_request) Has been cancelled
/ test (pull_request) Has been cancelled
build / lint (push) Has been cancelled
097a9d2071 
OG_PASSTHROUGH is self defeating in the patterns used to crawl
forgejo because there is a very wide variety of URLs. It is only
effective when a lot of requests are made in a short (24h) period
of time.

Since Matrix and all user agents in need of OpenGraph announce
themselves with proper user agents, it is enough to only route
user agents matching Mozilla|Opera to anubis and let the rest go
directly to Forgejo.
earl-warren commented 2025-05-29 20:26:35 +00:00
Author
First-time contributor
Copy link

image

using https://invisible.forgejo.org/infrastructure/k8s-cluster/issues/482

$ zstdcat traefik-2025-05-23* | grep forgejo-code | grep -v RunnerService | grep -v 'GET /v2/'  | sed -n -e 's|.*HTTP/..." \([0-9][0-9]*\) .*|\1|p' | sort | uniq -c
 171662 200
    439 201
 617884 202
...

The number of 200 requests is consistent with OpenGraph passthrough being deactivated. Now Anubis is effective. Previously it would have sent an additional ~600,000 requests, one for each challenge (code 202).

![image](/attachments/f478ed00-0c63-4bd3-aab3-f71adbccc74a) using https://invisible.forgejo.org/infrastructure/k8s-cluster/issues/482 ```sh $ zstdcat traefik-2025-05-23* | grep forgejo-code | grep -v RunnerService | grep -v 'GET /v2/' | sed -n -e 's|.*HTTP/..." \([0-9][0-9]*\) .*|\1|p' | sort | uniq -c 171662 200 439 201 617884 202 ... ``` The number of 200 requests is consistent with OpenGraph passthrough being deactivated. Now Anubis is effective. Previously it would have sent an additional ~600,000 requests, one for each challenge (code 202).
image.png
12 KiB
image.png
root closed this pull request 2025-05-29 20:26:35 +00:00
viceice reviewed 2025-05-29 20:26:35 +00:00
viceice left a comment
First-time contributor
Copy link

added by F3

added by F3
flux/apps/base/forgejo-next/forgejo/forgejo.yaml
@ -107,9 +107,7 @@ spec:
- name: 'DIFFICULTY'
value: '1'
- name: 'OG_PASSTHROUGH'
value: 'true'
viceice commented 2025-05-29 20:26:35 +00:00
First-time contributor
Copy link

we should explicit disable it for now

we should explicit disable it for now
earl-warren commented 2025-05-29 20:26:35 +00:00
Author
First-time contributor
Copy link

c3ada98f2f..097a9d2071

agreed

https://invisible.forgejo.org/infrastructure/k8s-cluster/compare/c3ada98f2fb4d8123cc4385b295e21e89af2c8c1..097a9d207156ea01dc1a2366b49635871e704aa2 agreed
viceice approved these changes 2025-05-29 20:26:35 +00:00
Some checks failed
build / lint (pull_request) Has been cancelled
/ test (pull_request) Has been cancelled
build / lint (push) Has been cancelled

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No reviewers
viceice
Labels
Clear labels   
bug

Something is not working

  
cleanup

   
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
forgefriends

https://code.forgejo.org/infrastructure/k8s-cluster/src/branch/main/.forgejo/workflows/sync.yml

  
help wanted

Need some help

  
invalid

Something is wrong

  
label workflow

a workflow is associated with this issue and will trigger when labels are updated

  
need more info

   
question

More information is needed

  
refactor

No functional change, reorganization

  
static-site

https://code.forgejo.org/infrastructure/k8s-cluster/src/branch/main/.forgejo/workflows/sync.yml

  
sync

https://code.forgejo.org/infrastructure/k8s-cluster/src/branch/main/.forgejo/workflows/build.yml

  
wontfix

This won't be fixed

No labels
bug
cleanup
duplicate
enhancement
forgefriends
help wanted
invalid
label workflow
need more info
question
refactor
static-site
sync
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: infrastructure/k8s-cluster#481
No description provided.
Delete branch "refs/pull/521/head097a9d207156ea01dc1a2366b49635871e704aa2"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?