jquery / infrastructure-puppet

Puppet configuration for jQuery Infrastructure servers.
MIT License

confirm jQuery CDN is accessible to Tor clients #18

Closed Krinkle closed 10 months ago

Krinkle commented 12 months ago

We have received anecdotal reports from jQuery CDN users that StackPath/Highwinds may be blocking Tor clients.

It is not uncommon for CDN providers to offer WAF protection to avoid abuse, e.g. when serving a blog open to comments, or some other kind of dynamic service with an abuse vector. I'm guessing Highwinds has a blocklist of sorts that includes IPs of customers who happen to run Tor relays at home.

I was not able to find any kind of WAF or traffic filtering rules in Highwinds StrikeTracker, nor could I find anything about it in the Highwinds StrikeTracker support pages. However, the general StackPath support pages do mention their WAF service, and indeed that offers a preset for TOR exit nodes. I'm guessing a version of this rule is implicitly turned on for Highwinds, without any ability to turn off, or at least not in a way we can control ourselves.

https://support.stackpath.com/hc/en-us/articles/360001091666-Review-and-Allowlist-CDN-WAF-IP-Blocks

Depending on the timeline for switching from StackPath Highwinds to Fastly, it might not be worth escalating with StackPath. Instead, we can make sure that post-switch we can check and make sure Fastly does not block access to jQuery CDN from home IPs that use Tor.

Ref https://github.com/jquery/codeorigin.jquery.com/issues/95, cc @vincejv.

Krinkle commented 10 months ago

The https://releases.jquery.com domain and legacy https://codeorigin.jquery.com domain have been switched over to Fastly.

I don't run a Tor exit node myself, but as I understand it, merely using Tor means my IP address (from the POV of the server) will effectively be that of the exit node of the chain for my Tor session. As long as I pick a chain that has an exit node with an uptime of more than 10 days, that's presumably enough time for any WAF blocks to come into effect.

I tested the following URLs:

And to check the exit node and uptime, I used https://check.torproject.org/.

I tested it through three different chains. In all three cases, none of the requests timed out or failed in any way, both through Fastly and through StackPath.

  1. uptime: 8 days.
  2. uptime: 69 days.
  3. uptime: 43 days.

(three metrics.torproject.org screenshots showing each exit node's uptime)

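The manual check described in this comment, scripted as an added example (not code from the jquery/infrastructure-puppet repository): fetch the two CDN hostnames through a local Tor client and record which exit node served the circuit. It assumes a Tor SOCKS proxy on 127.0.0.1:9050 and that check.torproject.org's `/api/ip` endpoint returns JSON of the form `{"IsTor":true,"IP":"..."}`; the URL paths are constructed.

```shell
#!/usr/bin/env sh
# Added example: probe jQuery CDN hostnames through Tor, as in the issue above.
# Assumes a Tor client with its default SocksPort (override with TOR_PROXY).
TOR_PROXY="${TOR_PROXY:-127.0.0.1:9050}"

# Constructed list of URLs to probe: the two hostnames named in the issue.
CDN_URLS="https://releases.jquery.com/ https://codeorigin.jquery.com/"

# Parse the JSON from check.torproject.org/api/ip ({"IsTor":true,"IP":"..."}).
# Prints the exit IP, or returns 1 if the request did not arrive via Tor.
exit_ip_from_json() {
    printf '%s' "$1" | grep -q '"IsTor": *true' || return 1
    printf '%s' "$1" | sed -n 's/.*"IP": *"\([^"]*\)".*/\1/p'
}

# Ask check.torproject.org which exit IP the current circuit uses, so the
# node can be looked up on metrics.torproject.org for its uptime.
tor_exit_ip() {
    exit_ip_from_json "$(curl -sS --max-time 30 --socks5-hostname "$TOR_PROXY" \
        https://check.torproject.org/api/ip)"
}

# Fetch one URL through Tor and print only the HTTP status code; curl prints
# "000" when no response arrived (timeout, TLS failure, connection refused).
tor_http_code() {
    curl -s --max-time 30 --socks5-hostname "$TOR_PROXY" \
        -o /dev/null -w '%{http_code}' "$1"
}

# Classify a status code: 2xx/3xx means the CDN served the exit node; a WAF
# block would typically surface as a 403 or as no response at all.
verdict() {
    case "$1" in
        2??|3??) echo "ok" ;;
        403)     echo "blocked" ;;
        000)     echo "no-response" ;;
        *)       echo "unexpected" ;;
    esac
}

# Network probes run only when explicitly requested, so the file can be
# sourced (or its pure functions tested) without a Tor client present.
if [ "${TOR_CHECK_RUN:-0}" = "1" ]; then
    echo "exit node: $(tor_exit_ip || echo 'not via Tor!')"
    for url in $CDN_URLS; do
        code=$(tor_http_code "$url")
        echo "$url -> $code ($(verdict "$code"))"
    done
fi
```

Run it with `TOR_CHECK_RUN=1` while a Tor client is up; restart the client (or request a new circuit) between runs to repeat the probe through different exit nodes, as the comment does three times.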
Krinkle commented 10 months ago

Closing for now. If anyone finds themselves blocked again for any reason, feel free to reach out by creating an issue at https://github.com/jquery/codeorigin.jquery.com/.