https://issues.guix.gnu.org/ cannot be accessed through Tor

Hi,

it is no longer possible to get to the bug database at https://issues.guix.gnu.org/when using Tor Browser. The result is an error message saying:?"The connection has timed out".

It looks like a general block of Tor rather than a block of specific IPs, since attempting with different Tor circuits does not change the result.

Best regards,

Altadil

Hi Altadil,

On 2023-08-04 18:57, Altadil via Bug reports for GNU Guix wrote:

I forgot to mention this on IRC, but issues. is ‘simply’ a nicer unified

frontend to the venerable GNU Debbugs instance. You can use its own[1]

interface[2] as a work-around.

The Guix project does not block Tor. If the datacentre has decided to

block Tor like it blocked most of Russia, there is little we can do but

ask them to reconsider.

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.

[1]: https://debbugs.gnu.org/cgi/pkgreport.cgi?package=guix

[2]: https://debbugs.gnu.org/cgi/pkgreport.cgi?package=guix-patches

On 2023-08-04 21:21, Tobias Geerinckx-Rice via Bug reports for GNU Guix

wrote:

Didn't mean to sound quite so fatalistic. We could always migrate

issues. to a different machine, like guix.gnu.org was, but it's not very

satisfying.

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.

Hi,

(Cc: guix-sysadmin.)

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

[...]

I think it’s worse than this. I noticed that ci.guix.gnu.org (same

machine) would occasionally time out on my side, without Tor, starting

from this week (I was on vacation before, so I don’t know exactly when

it started). From a browser, I get this “DoS attack” HTML page:

The HTML doesn’t contain clues as to where it originates from.

Some firewall-ish network equipment must be sitting right before our

machine. It’s a problem because fetching narinfos and nars is likely to

count as a “DoS attack”.

Could it be some change at the MDC?

Thanks,

Ludo’.

severity 65056 serious

quit

On 13 August 2023 00:25:51 UTC, "Ludovic Courtès" <ludo@gnu.org> wrote:

Oh, wow. This is new to me.

It's frustrating that $IT keeps adding new significant hurdles with apparently 0 communications, and that our only option is often 'ask rekado, again, to ask things, again'. That's not right.

Ricardo, do you think there's a chance this trend will improve (without you burning out)?

Otherwise, I'd like to suggest wireguarding berlin's impressive hardware resources to bayfront or to a new head node not hosted at the MDC, or something similarly provocative. Just give up on hosting public services there, like we already migrated the home page. This isn't meaningful redundancy.

Kind regards,

T G-R

Sent on the go. Excuse or enjoy my brevity.

Tobias Geerinckx-Rice <me@tobias.gr> writes:

I don’t know. I’m on holidays now, but I’ve opened yet another ticket

to get a definitive answer to my more elaborate variant of “WTF?”.

Good plan.

Sorry about this. It’s frustrating, and I’m stocking up on towels to

throw.

--

Ricardo

Hello!

Ricardo Wurmus <rekado@elephly.net> skribis:

Did you eventually get feedback from them?

If not, we can start looking for a way to move public-facing services

elsewhere. (It may not be trivial because bayfront, which is the other

node we’ve traditionally used for that, is super busy these days.)

Thanks again for your support…

Ludo’.

Ludovic Courtès <ludo@gnu.org> writes:

I got one response to ask for more information, which I supplied.

Nothing since. I requested a response just now.

Yeah, I’d really like this to be fixed. It worked pretty well for

years, so these seemingly unnecessary changes and the way they are

applied without any recourse (and without anyone being able to confirm

that they have in fact changed somehing) really bother me.

But if our public services keep getting restricted I agree that we

should look for an alternative way to host them.

--

Ricardo

Hi Ricardo,

Ricardo Wurmus <rekado@elephly.net> writes:

Agreed; I think it's premature to jump ship when we've had such a long

and fruitful relationship; let's show some patience and tenacity toward

a resolution.

--

Thanks,

Maxim

Hi,

Ricardo Wurmus <rekado@elephly.net> skribis:

I confirm that I still get the problem right now from my home network,

without even really trying:

Ludo’.

Ludovic Courtès <ludo@gnu.org> writes:

Is that through Tor or just your ISP?

--

Ricardo

Ricardo Wurmus <rekado@elephly.net> skribis:

It’s just my ISP, no Tor involved. I can share privately my home IP

address if that helps investigate the problem; let me know.

Ludo’.

Hi,

it seems https://issues.guix.gnu.orgcan again be accessed when using Tor Browser.

Kind regards,

Altadil

Hi!

Ludovic Courtès <ludo@gnu.org> writes:

Given that Altadil told that the service now can be accessed through Tor

again, can we close this specific bug now?

It would be good to have some feedback from the NOC, just to know /how/

it was resolved (or was just a temporary tech issue), for example that

they do not have a policy to blacklist Tor and whitelist it on demand

(I'm just guessing).

What Ludovic found, anyway, is another issue and we should investigate

if it is worth a new bug report.

I've tested now with the same

wget -qO- --debug http://ci.guix.gnu.org| tail

and all seems fine from my ISP (now)

Anyway the DoS Attack protection of the network hosting ci.guix.gnu.org

/seems/ problematic: how could it be that home IP resposible of a DoS

attack? Was it a false positive or was it some temporary problem from

the originating IP network?

We should carefully track this network issues since they have a great

impact on user experience.

Thanks! Gio'

--

Giovanni Biscuolo

Xelera IT Infrastructures

Giovanni Biscuolo <g@xelera.eu> writes:

IT had installed some DoS attack protection thing for the DMZ with

different thresholds based on past access patterns.

Upon my request they have now disabled this completely for our IPs

corresponding to ci.guix.gnu.org and its sibling node.

--

Ricardo

Hello,

Ricardo Wurmus <rekado@elephly.net> writes:

[...]

Probably some of us is using access patterns the "thing" considers

DoS :-)

Thanks a lot! We should probably consider this (disable any firewall

protection) as a requirement when one or more of our public facing hosts

firewalling is not under our direct control.

Now we only have berlin and bayfront as public facing hosts... but for

example milan.guix-1 is connected by our build farm via its public IP

(ehrm, time to set up wireguard for that, too).

Anyway, AFAIU this "thing" in berlin network is no more an issue, we do

not need a new bug report IMO.

Thank you!

[...]

--

Giovanni Biscuolo

Xelera IT Infrastructures

Altadil via Bug reports for GNU Guix <bug-guix@gnu.org> writes:

Thank you! I'm closing this bug, feel free to reopen it if needed.

Best regards, Gio'

--

Giovanni Biscuolo

Xelera IT Infrastructures

Hello,

Ricardo Wurmus <rekado@elephly.net> skribis:

I’m late to the party but this is excellent news, thank you!

I guess we can close the issue now, right?

Ludo’.