> Collateral damage isn't really a concern with the Beta Cluster, it's meant specifically for Wikimedia developers.

And quality assurance. My team's QA engineer uses a VPN, and he had to request to be unblocked.

Note that this exercise of IP range whack-a-mole is nothing new to VPS tools. I maintain two VPS projects (XTools, WS Export) that constantly suffer from aggressive web crawlers and disruptive automation. We've been doing the manual IP block thing for years :(

I suggest the IP denylist be applied to all of WMCS <https://phabricator.wikimedia.org/T226688>. We're able to get by for XTools and WS Export because XFF headers were specially enabled for this counter-abuse purpose. However most VPS tools and all of Toolforge don't have such luxury. If there are bots pounding away, there's no means to stop them currently (unless they are good bots with an identifiable UA). Even if we could detect them, it seems better to reduce the repetitive effort and give all of WMCS the same treatment.

I'll also note that some farms of web crawlers can't feasibly be blocked whack-a-mole style. This is the situation we're currently dealing with over at <https://phabricator.wikimedia.org/T384711#10759017>.

~ MA

On Thu, Apr 24, 2025 at 4:48 PM Gergo Tisza <gtisza@wikimedia.org> wrote:

Collateral damage isn't really a concern with the Beta Cluster, it's meant specifically for Wikimedia developers.

Maybe we could just put the whole thing behind idp.wikimedia.org? I think that can be done at the Apache level. Making it more different from production is not great, but having to spend constant human effort on IP blocks is less great.
_______________________________________________
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
To unsubscribe send an email to wikitech-l-leave@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/