Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/lib/middleware/anonymous_cache.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

402 lines
12 KiB
Ruby
Raw Normal View History

FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
# frozen_string_literal: true
DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4.
2022-03-21 10:28:52 -04:00
require "mobile_detection"
require "crawler_detection"
require "guardian"
require "http_language_parser"
BUGFIX: mobile ui was being cached for anon views
2014-01-08 22:08:42 -05:00
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
module Middleware
class AnonymousCache
DEV: Provide API for anonymous cache segments (#8455) This can be used from a plugin that needs to establish something new in the anonymous cache. For example `is_ie` for an internet explorer plugin.
2019-12-05 14:57:18 -05:00
def self.cache_key_segments
@@cache_key_segments ||= {
m: "key_is_mobile?",
c: "key_is_crawler?",
SECURITY: Ensure user-agent-based responses are cached separately (#16475)
2022-04-14 09:25:52 -04:00
o: "key_is_old_browser?",
d: "key_is_modern_mobile_device?",
DEV: Provide API for anonymous cache segments (#8455) This can be used from a plugin that needs to establish something new in the anonymous cache. For example `is_ie` for an internet explorer plugin.
2019-12-05 14:57:18 -05:00
b: "key_has_brotli?",
t: "key_cache_theme_ids",
FIX: Include resolved locale in anonymous cache key (#10289) This only applies when set_locale_from_accept_language_header is enabled
2020-07-22 13:00:07 -04:00
ca: "key_compress_anon",
l: "key_locale",
DEV: Provide API for anonymous cache segments (#8455) This can be used from a plugin that needs to establish something new in the anonymous cache. For example `is_ie` for an internet explorer plugin.
2019-12-05 14:57:18 -05:00
}
end
# Compile a string builder method that will be called to create
# an anonymous cache key
def self.compile_key_builder
method = +"def self.__compiled_key_builder(h)\n \""
cache_key_segments.each do |k, v|
DEV: Prefer \A and \z over ^ and $ in regexes (#19936)
2023-01-20 13:52:49 -05:00
raise "Invalid key name" unless k =~ /\A[a-z]+\z/
raise "Invalid method name" unless v =~ /\Akey_[a-z_\?]+\z/
DEV: Provide API for anonymous cache segments (#8455) This can be used from a plugin that needs to establish something new in the anonymous cache. For example `is_ie` for an internet explorer plugin.
2019-12-05 14:57:18 -05:00
method << "|#{k}=#\{h.#{v}}"
end
method << "\"\nend"
DEV: Fix rubocop issues (#14715)
2021-10-27 04:39:28 -04:00
eval(method) # rubocop:disable Security/Eval
DEV: Provide API for anonymous cache segments (#8455) This can be used from a plugin that needs to establish something new in the anonymous cache. For example `is_ie` for an internet explorer plugin.
2019-12-05 14:57:18 -05:00
@@compiled = true
end
def self.build_cache_key(helper)
compile_key_builder unless defined?(@@compiled)
__compiled_key_builder(helper)
end
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
def self.anon_cache(env, duration)
env["ANON_CACHE_DURATION"] = duration
end
SECURITY: Don't reuse CSP nonce between anonymous requests
2023-07-28 07:53:44 -04:00
def self.clear_all_cache!
if Rails.env.production?
raise "for perf reasons, clear_all_cache! cannot be used in production."
end
Discourse.redis.keys("ANON_CACHE_*").each { |k| Discourse.redis.del(k) }
end
def self.disable_anon_cache
@@disabled = true
end
def self.enable_anon_cache
@@disabled = false
end
DEV: Provide API for anonymous cache segments (#8455) This can be used from a plugin that needs to establish something new in the anonymous cache. For example `is_ie` for an internet explorer plugin.
2019-12-05 14:57:18 -05:00
# This gives us an API to insert anonymous cache segments
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
class Helper
FEATURE: new 'Discourse-Render' HTTP header
2019-08-30 14:45:18 -04:00
RACK_SESSION = "rack.session"
USER_AGENT = "HTTP_USER_AGENT"
ACCEPT_ENCODING = "HTTP_ACCEPT_ENCODING"
DISCOURSE_RENDER = "HTTP_DISCOURSE_RENDER"
BUGFIX: web crawlers messing with anon caching
2014-04-28 20:48:09 -04:00
DEV: Consolidate Redis evalsha logic into DiscourseRedis::EvalHelper (#15957)
2022-02-15 11:06:12 -05:00
REDIS_STORE_SCRIPT = DiscourseRedis::EvalHelper.new <<~LUA
local current = redis.call("incr", KEYS[1])
redis.call("expire",KEYS[1],ARGV[1])
return current
LUA
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
def initialize(env, request = nil)
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
@env = env
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
@request = request || Rack::Request.new(@env)
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
end
FIX: move crawler blocking into anon cache This refinement of previous fix moves the crawler blocking into anonymous cache This ensures we never poison the cache incorrectly when blocking crawlers
2018-07-03 21:14:43 -04:00
def blocked_crawler?
@request.get? && !@request.xhr? && !@request.path.ends_with?("robots.txt") &&
FIX: never block /srv/status which is used for health checks This route is also very cheap so blocking it is not required It is still rate limited and so on elsewhere
2018-07-17 22:33:06 -04:00
!@request.path.ends_with?("srv/status") &&
FIX: don't block api requests when whitelisted_crawler_user_agents is set
2018-09-14 15:34:21 -04:00
@request[Auth::DefaultCurrentUserProvider::API_KEY].nil? &&
@env[Auth::DefaultCurrentUserProvider::USER_API_KEY].nil? &&
FIX: Ensure anon-cached values are never returned for API requests (#20021) Under some situations, we would inadvertently return a public (unauthenticated) result to an authenticated API request. This commit adds the `Api-Key` header to our anonymous cache bypass logic.
2023-01-26 08:26:29 -05:00
@env[Auth::DefaultCurrentUserProvider::HEADER_API_KEY].nil? &&
FEATURE: new 'Discourse-Render' HTTP header
2019-08-30 14:45:18 -04:00
CrawlerDetection.is_blocked_crawler?(@env[USER_AGENT])
FIX: move crawler blocking into anon cache This refinement of previous fix moves the crawler blocking into anonymous cache This ensures we never poison the cache incorrectly when blocking crawlers
2018-07-03 21:14:43 -04:00
end
DEV: Fix Lint/BooleanSymbol (#24747)
2023-12-06 07:19:09 -05:00
# rubocop:disable Lint/BooleanSymbol
BUGFIX: fix broken spec
2014-01-08 23:11:04 -05:00
def is_mobile=(val)
@is_mobile = val ? :true : :false
end
FIX: Anonymous cache regression
2019-12-05 15:07:22 -05:00
def is_mobile?
BUGFIX: mobile ui was being cached for anon views
2014-01-08 22:08:42 -05:00
@is_mobile ||=
begin
BUGFIX: web crawlers messing with anon caching
2014-04-28 20:48:09 -04:00
session = @env[RACK_SESSION]
FEATURE: new 'Discourse-Render' HTTP header
2019-08-30 14:45:18 -04:00
# don't initialize params until later
# otherwise you get a broken params on the request
BUGFIX: anon cache was mucking with params
2014-01-09 00:49:12 -05:00
params = {}
BUGFIX: mobile ui was being cached for anon views
2014-01-08 22:08:42 -05:00
FEATURE: new 'Discourse-Render' HTTP header
2019-08-30 14:45:18 -04:00
MobileDetection.resolve_mobile_view!(@env[USER_AGENT], params, session) ? :true : :false
BUGFIX: web crawlers messing with anon caching
2014-04-28 20:48:09 -04:00
end
@is_mobile == :true
end
FIX: Anonymous cache regression
2019-12-05 15:07:22 -05:00
alias_method :key_is_mobile?, :is_mobile?
BUGFIX: web crawlers messing with anon caching
2014-04-28 20:48:09 -04:00
DEV: Provide API for anonymous cache segments (#8455) This can be used from a plugin that needs to establish something new in the anonymous cache. For example `is_ie` for an internet explorer plugin.
2019-12-05 14:57:18 -05:00
def key_has_brotli?
FEATURE: brotli cdn bypass for assets Allow CDNS that strip out brotli encoding to use brotli regardless
2016-12-04 21:57:09 -05:00
@has_brotli ||=
begin
@env[ACCEPT_ENCODING].to_s =~ /br/ ? :true : :false
end
@has_brotli == :true
end
DEV: Fix Lint/BooleanSymbol (#24747)
2023-12-06 07:19:09 -05:00
# rubocop:enable Lint/BooleanSymbol
FEATURE: brotli cdn bypass for assets Allow CDNS that strip out brotli encoding to use brotli regardless
2016-12-04 21:57:09 -05:00
FIX: Include resolved locale in anonymous cache key (#10289) This only applies when set_locale_from_accept_language_header is enabled
2020-07-22 13:00:07 -04:00
def key_locale
FEATURE: new site setting to set locale from cookie for anonymous users. (#18377) This new hidden default-disabled site setting `set_locale_from_cookie` will set locale from anonymous user's cookie value.
2022-09-27 04:56:06 -04:00
if locale = Discourse.anonymous_locale(@request)
locale
FIX: Include resolved locale in anonymous cache key (#10289) This only applies when set_locale_from_accept_language_header is enabled
2020-07-22 13:00:07 -04:00
else
"" # No need to key, it is the same for all anon users
end
end
DEV: Fix Lint/BooleanSymbol (#24747)
2023-12-06 07:19:09 -05:00
# rubocop:disable Lint/BooleanSymbol
FIX: Anonymous cache regression
2019-12-05 15:07:22 -05:00
def is_crawler?
BUGFIX: web crawlers messing with anon caching
2014-04-28 20:48:09 -04:00
@is_crawler ||=
begin
user_agent = @env[USER_AGENT]
FEATURE: new 'Discourse-Render' HTTP header
2019-08-30 14:45:18 -04:00
if @env[DISCOURSE_RENDER] == "crawler" ||
CrawlerDetection.crawler?(user_agent, @env["HTTP_VIA"])
Track Discourse user agent pageviews as crawler Since 5bfe051e, Discourse user agents are marked as non-crawlers (to avoid accidental blacklisting). This makes sure pageviews for these agents are tracked as crawler hits.
2019-05-08 10:38:55 -04:00
:true
else
FIX: Do not consider mobile app traffic as crawler visits Followup to a4eb523a
2019-11-04 09:16:50 -05:00
if user_agent.downcase.include?("discourse") &&
!user_agent.downcase.include?("mobile")
:true
DEV: Apply syntax_tree formatting to `lib/*`
2023-01-09 07:10:19 -05:00
else
FIX: Do not consider mobile app traffic as crawler visits Followup to a4eb523a
2019-11-04 09:16:50 -05:00
:false
DEV: Apply syntax_tree formatting to `lib/*`
2023-01-09 07:10:19 -05:00
end
Track Discourse user agent pageviews as crawler Since 5bfe051e, Discourse user agents are marked as non-crawlers (to avoid accidental blacklisting). This makes sure pageviews for these agents are tracked as crawler hits.
2019-05-08 10:38:55 -04:00
end
BUGFIX: web crawlers messing with anon caching
2014-04-28 20:48:09 -04:00
end
@is_crawler == :true
BUGFIX: mobile ui was being cached for anon views
2014-01-08 22:08:42 -05:00
end
FIX: Anonymous cache regression
2019-12-05 15:07:22 -05:00
alias_method :key_is_crawler?, :is_crawler?
DEV: Fix Lint/BooleanSymbol (#24747)
2023-12-06 07:19:09 -05:00
# rubocop:enable Lint/BooleanSymbol
BUGFIX: mobile ui was being cached for anon views
2014-01-08 22:08:42 -05:00
SECURITY: Ensure user-agent-based responses are cached separately (#16475)
2022-04-14 09:25:52 -04:00
def key_is_modern_mobile_device?
MobileDetection.modern_mobile_device?(@env[USER_AGENT]) if @env[USER_AGENT]
end
def key_is_old_browser?
CrawlerDetection.show_browser_update?(@env[USER_AGENT]) if @env[USER_AGENT]
end
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
def cache_key
DEV: Provide API for anonymous cache segments (#8455) This can be used from a plugin that needs to establish something new in the anonymous cache. For example `is_ie` for an internet explorer plugin.
2019-12-05 14:57:18 -05:00
return @cache_key if defined?(@cache_key)
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) - Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly
2020-03-19 15:54:42 -04:00
@cache_key =
+"ANON_CACHE_#{@env["HTTP_ACCEPT"]}_#{@env[Rack::RACK_URL_SCHEME]}_#{@env["HTTP_HOST"]}#{@env["REQUEST_URI"]}"
DEV: Provide API for anonymous cache segments (#8455) This can be used from a plugin that needs to establish something new in the anonymous cache. For example `is_ie` for an internet explorer plugin.
2019-12-05 14:57:18 -05:00
@cache_key << AnonymousCache.build_cache_key(self)
@cache_key
end
def key_cache_theme_ids
theme_ids.join(",")
end
def key_compress_anon
GlobalSetting.compress_anon_cache
SECURITY: theme key should be an anon cache breaker
2017-06-15 09:36:27 -04:00
end
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
def theme_ids
FEATURE: Groundwork for user-selectable theme components * Phase 0 for user-selectable theme components - Drops `key` column from the `themes` table - Drops `theme_key` column from the `user_options` table - Adds `theme_ids` (array of ints default []) column to the `user_options` table and migrates data from `theme_key` to the new column. - Removes the `default_theme_key` site setting and adds `default_theme_id` instead. - Replaces `theme_key` cookie with a new one called `theme_ids` - no longer need Theme.settings_for_client
2018-07-12 00:18:21 -04:00
ids, _ = @request.cookies["theme_ids"]&.split("|")
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
id = ids&.split(",")&.map(&:to_i)&.first
DEV: Revert guardian changes (#24742) I took the wrong approach here, need to rethink. * Revert "FIX: Use Guardian.basic_user instead of new (anon) (#24705)" This reverts commit 9057272ee242b3bc977e50977b4142066c36c05d. * Revert "DEV: Remove unnecessary method_missing from GuardianUser (#24735)" This reverts commit a5d4bf6dd28a8304ccd519536f33bd4a13232ed4. * Revert "DEV: Improve Guardian devex (#24706)" This reverts commit 77b6a038bae010c9e9e630a137f9ccd570f60784. * Revert "FIX: Introduce Guardian::BasicUser for oneboxing checks (#24681)" This reverts commit de983796e1b66aa2ab039a4fb6e32cec8a65a098.
2023-12-06 01:37:32 -05:00
if id && Guardian.new.allow_themes?([id])
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
Theme.transform_ids(id)
SECURITY: theme key should be an anon cache breaker
2017-06-15 09:36:27 -04:00
else
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
[]
SECURITY: theme key should be an anon cache breaker
2017-06-15 09:36:27 -04:00
end
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
end
FEATURE: improve performance of anonymous cache This commit introduces 2 features: 1. DISCOURSE_COMPRESS_ANON_CACHE (true|false, default false): this allows you to optionally compress the anon cache body entries in Redis, can be useful for high load sites with Redis that lives on a separate server to to webs 2. DISCOURSE_ANON_CACHE_STORE_THRESHOLD (default 2), only pop entries into redis if we observe them more than N times. This avoids situations where a crawler can walk a big pile of topics and store them all in Redis never to be used. Our default anon cache time for topics is only 60 seconds. Anon cache is in place to avoid the "slashdot" effect where a single topic is hit by 100s of people in one minute.
2019-09-04 03:18:32 -04:00
def cache_key_count
@cache_key_count ||= "#{cache_key}_count"
end
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
def cache_key_body
@cache_key_body ||= "#{cache_key}_body"
end
def cache_key_other
@cache_key_other || "#{cache_key}_other"
end
def get?
@env["REQUEST_METHOD"] == "GET"
end
FEATURE: rudimentary view tracking wired in
2015-02-04 00:14:56 -05:00
def has_auth_cookie?
CurrentUser.has_auth_cookie?(@env)
end
FIX: Use a cookie to bypass the anon cache
2015-10-28 17:16:56 -04:00
def no_cache_bypass
request = Rack::Request.new(@env)
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
request.cookies["_bypass_cache"].nil? && (request.path != "/srv/status") &&
request[Auth::DefaultCurrentUserProvider::API_KEY].nil? &&
FIX: Ensure anon-cached values are never returned for API requests (#20021) Under some situations, we would inadvertently return a public (unauthenticated) result to an authenticated API request. This commit adds the `Api-Key` header to our anonymous cache bypass logic.
2023-01-26 08:26:29 -05:00
@env[Auth::DefaultCurrentUserProvider::HEADER_API_KEY].nil? &&
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
@env[Auth::DefaultCurrentUserProvider::USER_API_KEY].nil?
end
def force_anonymous!
@env[Auth::DefaultCurrentUserProvider::USER_API_KEY] = nil
FIX: Ensure anon-cached values are never returned for API requests (#20021) Under some situations, we would inadvertently return a public (unauthenticated) result to an authenticated API request. This commit adds the `Api-Key` header to our anonymous cache bypass logic.
2023-01-26 08:26:29 -05:00
@env[Auth::DefaultCurrentUserProvider::HEADER_API_KEY] = nil
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
@env["HTTP_COOKIE"] = nil
FIX: Strip `discourse-logged-in` header during `force_anonymous!` (#14533) When the anonymous cache forces users into anonymous mode, it strips the cookies from their request. However, the discourse-logged-in header from the JS client remained. When the discourse-logged-in header is present without any valid auth_token, the current_user_provider [marks the request as ['logged out'](https://github.com/discourse/discourse/blob/dbbfad7ed07c47674f9dee4ac7021ca51cc04e2e/lib/auth/default_current_user_provider.rb#L125-L125), and a [discourse-logged-out header is returned to the client](https://github.com/discourse/discourse/blob/dbbfad7ed07c47674f9dee4ac7021ca51cc04e2e/lib/middleware/request_tracker.rb#L209-L211). This causes the JS app to [popup a "you were logged out" modal](https://github.com/discourse/discourse/blob/dbbfad7ed07c47674f9dee4ac7021ca51cc04e2e/app/assets/javascripts/discourse/app/components/d-document.js#L29-L29), which is very disruptive. This commit strips the discourse-logged-in header from the request at the same time as the auth cookie.
2021-10-07 07:31:42 -04:00
@env["HTTP_DISCOURSE_LOGGED_IN"] = nil
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
@env["rack.request.cookie.hash"] = {}
@env["rack.request.cookie.string"] = ""
@env["_bypass_cache"] = nil
request = Rack::Request.new(@env)
request.delete_param("api_username")
request.delete_param("api_key")
end
PERF: improve performance once logged in rate limiter hits If "logged in" is being forced anonymous on certain routes, trigger the protection for any requests that spend 50ms queueing This means that ... 1. You need to trip it by having 3 requests take longer than 1 second in 10 second interval 2. Once tripped, if your route is still spending 50m queueuing it will continue to be protected This means that site will continue to function with almost no delays while it is scaling up to handle the new load
2018-04-22 21:54:58 -04:00
def logged_in_anon_limiter
@logged_in_anon_limiter ||=
RateLimiter.new(
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
nil,
FEATURE: new 'Discourse-Render' HTTP header
2019-08-30 14:45:18 -04:00
"logged_in_anon_cache_#{@env["HTTP_HOST"]}/#{@env["REQUEST_URI"]}",
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
GlobalSetting.force_anonymous_min_per_10_seconds,
10,
)
end
PERF: improve performance once logged in rate limiter hits If "logged in" is being forced anonymous on certain routes, trigger the protection for any requests that spend 50ms queueing This means that ... 1. You need to trip it by having 3 requests take longer than 1 second in 10 second interval 2. Once tripped, if your route is still spending 50m queueuing it will continue to be protected This means that site will continue to function with almost no delays while it is scaling up to handle the new load
2018-04-22 21:54:58 -04:00
def check_logged_in_rate_limit!
!logged_in_anon_limiter.performed!(raise_error: false)
end
MIN_TIME_TO_CHECK = 0.05
FIX: report cached controller and action to loggers Previously we would treat all cached hits in anon cache as "other" This hinders analysis of cache performance and makes logging inaccurate
2019-09-02 20:51:49 -04:00
ADP = "action_dispatch.request.parameters"
PERF: improve performance once logged in rate limiter hits If "logged in" is being forced anonymous on certain routes, trigger the protection for any requests that spend 50ms queueing This means that ... 1. You need to trip it by having 3 requests take longer than 1 second in 10 second interval 2. Once tripped, if your route is still spending 50m queueuing it will continue to be protected This means that site will continue to function with almost no delays while it is scaling up to handle the new load
2018-04-22 21:54:58 -04:00
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
def should_force_anonymous?
PERF: improve performance once logged in rate limiter hits If "logged in" is being forced anonymous on certain routes, trigger the protection for any requests that spend 50ms queueing This means that ... 1. You need to trip it by having 3 requests take longer than 1 second in 10 second interval 2. Once tripped, if your route is still spending 50m queueuing it will continue to be protected This means that site will continue to function with almost no delays while it is scaling up to handle the new load
2018-04-22 21:54:58 -04:00
if (queue_time = @env["REQUEST_QUEUE_SECONDS"]) && get?
if queue_time > GlobalSetting.force_anonymous_min_queue_seconds
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
return check_logged_in_rate_limit!
PERF: improve performance once logged in rate limiter hits If "logged in" is being forced anonymous on certain routes, trigger the protection for any requests that spend 50ms queueing This means that ... 1. You need to trip it by having 3 requests take longer than 1 second in 10 second interval 2. Once tripped, if your route is still spending 50m queueuing it will continue to be protected This means that site will continue to function with almost no delays while it is scaling up to handle the new load
2018-04-22 21:54:58 -04:00
elsif queue_time >= MIN_TIME_TO_CHECK
return check_logged_in_rate_limit! if !logged_in_anon_limiter.can_perform?
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
end
end
false
FIX: Use a cookie to bypass the anon cache
2015-10-28 17:16:56 -04:00
end
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
def cacheable?
SECURITY: Don't reuse CSP nonce between anonymous requests
2023-07-28 07:53:44 -04:00
!!(
GlobalSetting.anon_cache_store_threshold > 0 && !has_auth_cookie? && get? &&
no_cache_bypass
)
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
end
FEATURE: improve performance of anonymous cache This commit introduces 2 features: 1. DISCOURSE_COMPRESS_ANON_CACHE (true|false, default false): this allows you to optionally compress the anon cache body entries in Redis, can be useful for high load sites with Redis that lives on a separate server to to webs 2. DISCOURSE_ANON_CACHE_STORE_THRESHOLD (default 2), only pop entries into redis if we observe them more than N times. This avoids situations where a crawler can walk a big pile of topics and store them all in Redis never to be used. Our default anon cache time for topics is only 60 seconds. Anon cache is in place to avoid the "slashdot" effect where a single topic is hit by 100s of people in one minute.
2019-09-04 03:18:32 -04:00
def compress(val)
if val && GlobalSetting.compress_anon_cache
require "lz4-ruby" if !defined?(LZ4)
LZ4.compress(val)
else
val
end
end
def decompress(val)
if val && GlobalSetting.compress_anon_cache
require "lz4-ruby" if !defined?(LZ4)
LZ4.uncompress(val)
else
val
end
end
FIX: report cached controller and action to loggers Previously we would treat all cached hits in anon cache as "other" This hinders analysis of cache performance and makes logging inaccurate
2019-09-02 20:51:49 -04:00
def cached(env = {})
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables.
2019-12-03 04:05:53 -05:00
if body = decompress(Discourse.redis.get(cache_key_body))
if other = Discourse.redis.get(cache_key_other)
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
other = JSON.parse(other)
FIX: report cached controller and action to loggers Previously we would treat all cached hits in anon cache as "other" This hinders analysis of cache performance and makes logging inaccurate
2019-09-02 20:51:49 -04:00
if req_params = other[1].delete(ADP)
env[ADP] = req_params
end
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
[other[0], other[1], [body]]
end
end
end
def cache_duration
@env["ANON_CACHE_DURATION"]
end
# NOTE in an ideal world cache still serves out cached content except for one magic worker
# that fills it up, this avoids a herd killing you, we can probably do this using a job or redis tricks
# but coordinating this is tricky
FIX: report cached controller and action to loggers Previously we would treat all cached hits in anon cache as "other" This hinders analysis of cache performance and makes logging inaccurate
2019-09-02 20:51:49 -04:00
def cache(result, env = {})
FEATURE: improve performance of anonymous cache This commit introduces 2 features: 1. DISCOURSE_COMPRESS_ANON_CACHE (true|false, default false): this allows you to optionally compress the anon cache body entries in Redis, can be useful for high load sites with Redis that lives on a separate server to to webs 2. DISCOURSE_ANON_CACHE_STORE_THRESHOLD (default 2), only pop entries into redis if we observe them more than N times. This avoids situations where a crawler can walk a big pile of topics and store them all in Redis never to be used. Our default anon cache time for topics is only 60 seconds. Anon cache is in place to avoid the "slashdot" effect where a single topic is hit by 100s of people in one minute.
2019-09-04 03:18:32 -04:00
return result if GlobalSetting.anon_cache_store_threshold == 0
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
status, headers, response = result
if status == 200 && cache_duration
FEATURE: improve performance of anonymous cache This commit introduces 2 features: 1. DISCOURSE_COMPRESS_ANON_CACHE (true|false, default false): this allows you to optionally compress the anon cache body entries in Redis, can be useful for high load sites with Redis that lives on a separate server to to webs 2. DISCOURSE_ANON_CACHE_STORE_THRESHOLD (default 2), only pop entries into redis if we observe them more than N times. This avoids situations where a crawler can walk a big pile of topics and store them all in Redis never to be used. Our default anon cache time for topics is only 60 seconds. Anon cache is in place to avoid the "slashdot" effect where a single topic is hit by 100s of people in one minute.
2019-09-04 03:18:32 -04:00
if GlobalSetting.anon_cache_store_threshold > 1
DEV: Consolidate Redis evalsha logic into DiscourseRedis::EvalHelper (#15957)
2022-02-15 11:06:12 -05:00
count = REDIS_STORE_SCRIPT.eval(Discourse.redis, [cache_key_count], [cache_duration])
FEATURE: improve performance of anonymous cache This commit introduces 2 features: 1. DISCOURSE_COMPRESS_ANON_CACHE (true|false, default false): this allows you to optionally compress the anon cache body entries in Redis, can be useful for high load sites with Redis that lives on a separate server to to webs 2. DISCOURSE_ANON_CACHE_STORE_THRESHOLD (default 2), only pop entries into redis if we observe them more than N times. This avoids situations where a crawler can walk a big pile of topics and store them all in Redis never to be used. Our default anon cache time for topics is only 60 seconds. Anon cache is in place to avoid the "slashdot" effect where a single topic is hit by 100s of people in one minute.
2019-09-04 03:18:32 -04:00
# technically lua will cast for us, but might as well be
# prudent here, hence the to_i
if count.to_i < GlobalSetting.anon_cache_store_threshold
headers["X-Discourse-Cached"] = "skip"
return status, headers, response
end
end
Not initializing variable for looping if unused in loop
2014-08-14 17:54:55 -04:00
headers_stripped =
headers.dup.delete_if { |k, _| %w[Set-Cookie X-MiniProfiler-Ids].include? k }
FEATURE: add a header to denote an anonymous req was cached (X-Discourse-Cached)
2015-06-15 20:30:06 -04:00
headers_stripped["X-Discourse-Cached"] = "true"
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
parts = []
response.each { |part| parts << part }
FIX: report cached controller and action to loggers Previously we would treat all cached hits in anon cache as "other" This hinders analysis of cache performance and makes logging inaccurate
2019-09-02 20:51:49 -04:00
if req_params = env[ADP]
headers_stripped[ADP] = {
"action" => req_params["action"],
"controller" => req_params["controller"],
}
end
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables.
2019-12-03 04:05:53 -05:00
Discourse.redis.setex(cache_key_body, cache_duration, compress(parts.join))
Discourse.redis.setex(cache_key_other, cache_duration, [status, headers_stripped].to_json)
FEATURE: anon cache reports data to loggers This allows custom plugins such as prometheus exporter to log how many requests are stored in the anon cache vs used by the anon cache. This metric allows us to fine tune cache behaviors
2019-09-02 04:45:35 -04:00
headers["X-Discourse-Cached"] = "store"
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
else
parts = response
end
[status, headers, parts]
end
def clear_cache
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables.
2019-12-03 04:05:53 -05:00
Discourse.redis.del(cache_key_body)
Discourse.redis.del(cache_key_other)
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
end
end
def initialize(app, settings = {})
@app = app
end
FIX: Exclude `DELETE` methods from invalid request with payload. Follow-up 105d560177e166a0491b3f0be04dd068178fb3d5 Our client side code is sending params as part of the request payload so that is going to be tricky to fix.
2020-08-03 05:02:50 -04:00
PAYLOAD_INVALID_REQUEST_METHODS = %w[GET HEAD]
SECURITY: 413 for GET, HEAD or DELETE requests with payload.
2020-08-03 02:11:17 -04:00
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
def call(env)
SECURITY: Don't reuse CSP nonce between anonymous requests
2023-07-28 07:53:44 -04:00
return @app.call(env) if defined?(@@disabled) && @@disabled
SECURITY: 413 for GET, HEAD or DELETE requests with payload.
2020-08-03 02:11:17 -04:00
if PAYLOAD_INVALID_REQUEST_METHODS.include?(env[Rack::REQUEST_METHOD]) &&
env[Rack::RACK_INPUT].size > 0
SECURITY: Disallow caching of MIME/Content-Type errors (#14907) This will sign intermediary proxies and/or misconfigured CDNs to not cache those error responses.
2021-11-12 13:52:25 -05:00
return 413, { "Cache-Control" => "private, max-age=0, must-revalidate" }, []
SECURITY: 413 for GET, HEAD or DELETE requests with payload.
2020-08-03 02:11:17 -04:00
end
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
helper = Helper.new(env)
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
force_anon = false
FIX: move crawler blocking into anon cache This refinement of previous fix moves the crawler blocking into anonymous cache This ensures we never poison the cache incorrectly when blocking crawlers
2018-07-03 21:14:43 -04:00
if helper.blocked_crawler?
env["discourse.request_tracker.skip"] = true
FIX: error in response body to blocked crawlers, showing 500 Internal Server Error with status of 403
2018-09-14 15:39:24 -04:00
return 403, {}, ["Crawler is not allowed!"]
FIX: move crawler blocking into anon cache This refinement of previous fix moves the crawler blocking into anonymous cache This ensures we never poison the cache incorrectly when blocking crawlers
2018-07-03 21:14:43 -04:00
end
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
if helper.should_force_anonymous?
force_anon = env["DISCOURSE_FORCE_ANON"] = true
helper.force_anonymous!
end
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
PERF: backoff background requests when overloaded (#10888) When the server gets overloaded and lots of requests start queuing server will attempt to shed load by returning 429 errors on background requests. The client can flag a request as background by setting the header: `Discourse-Background` to `true` Out-of-the-box we shed load when the queue time goes above 0.5 seconds. The only request we shed at the moment is the request to load up a new post when someone posts to a topic. We can extend this as we go with a more general pattern on the client. Previous to this change, rate limiting would "break" the post stream which would make suggested topics vanish and users would have to scroll the page to see more posts in the topic. Server needs this protection for cases where tons of clients are navigated to a topic and a new post is made. This can lead to a self inflicted denial of service if enough clients are viewing the topic. Due to the internal security design of Discourse it is hard for a large number of clients to share a channel where we would pass the full post body via the message bus. It also renames (and deprecates) triggerNewPostInStream to triggerNewPostsInStream This allows us to load a batch of new posts cleanly, so the controller can keep track of a backlog Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2020-10-13 01:56:03 -04:00
if (env["HTTP_DISCOURSE_BACKGROUND"] == "true") && (queue_time = env["REQUEST_QUEUE_SECONDS"])
DEV: ensure queue_time and background_requests are floats (#10901) GlobalSetting can end up with a String and we expect a Float
2020-10-13 03:08:38 -04:00
max_time = GlobalSetting.background_requests_max_queue_length.to_f
if max_time > 0 && queue_time.to_f > max_time
PERF: backoff background requests when overloaded (#10888) When the server gets overloaded and lots of requests start queuing server will attempt to shed load by returning 429 errors on background requests. The client can flag a request as background by setting the header: `Discourse-Background` to `true` Out-of-the-box we shed load when the queue time goes above 0.5 seconds. The only request we shed at the moment is the request to load up a new post when someone posts to a topic. We can extend this as we go with a more general pattern on the client. Previous to this change, rate limiting would "break" the post stream which would make suggested topics vanish and users would have to scroll the page to see more posts in the topic. Server needs this protection for cases where tons of clients are navigated to a topic and a new post is made. This can lead to a self inflicted denial of service if enough clients are viewing the topic. Due to the internal security design of Discourse it is hard for a large number of clients to share a channel where we would pass the full post body via the message bus. It also renames (and deprecates) triggerNewPostInStream to triggerNewPostsInStream This allows us to load a batch of new posts cleanly, so the controller can keep track of a backlog Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2020-10-13 01:56:03 -04:00
return [
429,
{ "content-type" => "application/json; charset=utf-8" },
[
{
errors: I18n.t("rate_limiter.slow_down"),
extras: {
wait_seconds: 5 + (5 * rand).round(2),
},
}.to_json,
]
]
end
end
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
result =
if helper.cacheable?
FIX: report cached controller and action to loggers Previously we would treat all cached hits in anon cache as "other" This hinders analysis of cache performance and makes logging inaccurate
2019-09-02 20:51:49 -04:00
helper.cached(env) || helper.cache(@app.call(env), env)
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
else
@app.call(env)
end
FIX: specify path for dosp cookie
2018-04-23 23:24:26 -04:00
result[1]["Set-Cookie"] = "dosp=1; Path=/" if force_anon
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
FEATURE: if site is under extreme load show anon view If a particular path is being hit extremely hard by logged on users, revert to anonymous cached view. This will only come into effect if 3 requests queue for longer than 2 seconds on a *single* path. This can happen if a URL is shared with the entire forum base and everyone is logged on
2018-04-18 02:58:40 -04:00
result
remove rack cache, it has been causing trouble instead implement an aggressive anonymous cache that is stored in redis this cache is sitting in the front of the middleware stack enabled only in production TODO: expire it more intelligently when stuff is created
2013-10-16 01:39:18 -04:00
end
end
end