[01:42:53] @rhinosf1 since you're the person that apparently blocked the bot in the first place, i just wanna refer you to T12417
[01:43:10] not super high priority but just figured i'd get it on your radar 👍
[02:28:46] was reading https://wikitech.wikimedia.org/wiki/Kafka#Multi_Datacenter and read kafka mario maker
[03:37:44] https://issue-tracker.miraheze.org/T12417
[03:37:50] if you want a direct link
[06:15:16] Ack, not really convinced yet as to why we should unblock it
[06:15:38] If we've blocked it, then we had probable cause to think it was likely to cause an outage if it carried on
[06:15:57] I might be able to set a really low rate limit on it
[06:16:12] Instead though
[06:18:01] I don't think I'm just going to hope it follows robots.txt
[06:20:15] I was originally going to post this on the Phorge task, but since I receive an unhandled exception when I do so I'll post it here: https://ahrefs.com/robot and https://yep.com/yepbot/ are relevant sources I found after a quick browse
[06:23:40] I'll have a look at logs
[06:37:43] <.labster> Every time I think our website has terrible performance, I try to load WikiApiary. I mean, seriously, something over there must be O(N²).
[06:39:37] "so how's the database move going?"
[07:08:42] as @tali64 mentioned, it does in fact follow robots.txt
[07:09:15] currently the way it’s configured, MH wikis are entirely unsearchable on yep
[07:10:57] Doesn't mean I trust it to
[07:11:54] fair
[07:12:02] though it’s following robots.txt as we speak
[07:14:42] anyways point being
[07:14:54] I feel it’s something we should at least test and experiment with
[10:31:32] @rhinosf1 what are the requirements for cloudflare to recognize that X domain is pointed to us? When does Cloudflare generate a certificate for it and all that?
[10:32:06] HTTP verification is used
[10:32:19] but we can't work out how to do CNAME at the apex using GDNSD
[10:32:30] so only people using CNAMEs can migrate at the moment
[10:33:22] so when someone using some DNS that's not Cloudflare points to cf-lb.miraheze.org what happens?
[10:34:51] we add them as a custom hostname and it does verification over HTTP
[10:35:11] we have to add them via CF's dashboard then?
[10:35:18] I see...
[10:35:52] ye
[11:08:42] [1/2] maybe write a gdnsd plugin that does CNAME flattening CF style? I don't think gdnsd will like this though.
[11:08:42] [2/2] Use SVCB? Alias mode SVCB is specifically made to allow basically CNAMEs at the root domain: https://www.rfc-editor.org/rfc/rfc9460.html#name-aliasmode, too bad there's no SVCB support yet https://github.com/gdnsd/gdnsd/issues/242. We could write a plugin for it, but BIND does support SVCB records since 9.16.21.
[11:09:11] All options
[11:54:49] @bluemoon0332 can you get me a list of all custom domains
[11:56:47] or @cosmicalpha
[11:57:15] I'll add them so we can move mw-lb
[11:57:28] I can get you a list of all wgServer fields tomorrow if OS doesn't beat me.
[11:58:00] I can't get a list another way, unless you have a way for only mw-lb wikis?
[12:00:27] @cosmicalpha manual check against dns repo
[12:04:59] huh? dns repo? I thought you wanted non-dns ones, make a python script checking ns if pointed ns skip then get the wgserver for only mw-lb was my idea, easier than manual but that is just me lol
[12:05:35] i was just going to look at what domains didn't exist in dns
[12:05:38] and then add them
[14:11:54] @rhinosf1 I'm going to make an origin certificate on cloudflare for *.miraheze.org
[14:12:13] if the Sectigo-signed wildcard works, an Origin CA-signed wildcard should as well
[14:12:23] we also save money on having to renew it in the future
[14:12:32] We pay for certs?
[14:13:01] Origin CA certs for all traffic would be ideal
[14:13:58] We don't
[14:14:32] It just something something available to CF by default
[14:16:47] the amount of security events blocked shot up
[14:16:54] We do
[14:17:03] from prior to having cf
[14:17:32] Hm?
[14:17:41] Didn’t we use LE?
[14:17:51] not for *.miraheze.org
[14:18:03] What
[14:18:04] Why
[14:18:05] looks to be a mix of Amazonbot and Go
[14:18:07] we don't use CF's origin cert?
[14:18:13] Go!
[14:18:15] nope
[14:18:25] yes, Go is really popular with idiots
[14:18:40] Like
[14:18:43] The lang?
[14:19:41] ye
[14:20:47] Time to make a config PR while my breakfast cooks
[14:20:58] Why is my dining room so dark
[14:24:30] @kiju1108 does change this require approval from community or stewards or tech to smt
[14:27:45] Probably requires approval from tech but I'm not sure
[14:28:01] @reception123?
[14:28:08] For https://issue-tracker.miraheze.org/T12526
[14:29:26] @bluemoon0332 so now we just need to deal with our dns
[14:29:37] yep
[14:30:16] fair drop on https://grafana.wikitide.net/d/arhCmd7Mz/nginx-cache-proxies?orgId=1&refresh=5s&from=now-3h&to=now
[14:31:16] Good or bad?
[14:31:57] good
[14:32:41] coderabbit doesn't like os.system https://github.com/miraheze/puppet/pull/3905
[14:33:05] it's not wrong
[14:33:28] it shows how much traffic to cp* dropped
[14:34:19] Hell yea
[14:34:55] we want it to say 0 eventually
[14:35:24] Mod mod
[15:45:42] How do I add an interwiki link to my wiki in the [[Special:Interwiki]] table?
[15:45:43]
[15:50:13] I believe you are already bureaucrat in your wiki and have access to ManageWiki, you will have to give yourself the permission to edit them
[15:50:21] You need to grant yourself the interwiki right in special:ManageWiki/permissions
[15:50:32] Ok, thank you.
[15:51:35] pizzatower.wiki seems to work fine, but gogigantic.wiki straight up won't open
[15:51:58] unable to make safe connection etc
[15:57:23] `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` at gogigantic.wiki
[15:58:23] For how long
[15:59:35] [1/2] I checked just 5 min ago
[15:59:36] [2/2] 5 hours ago were no problems, I blocked a spam account and reported in #cvt
[15:59:51] I'm fixing my TV
[15:59:54] Then I can look
[16:17:19] fixed (cc @theoneandonlylegroom )
[16:22:34] for some reason it had got stuck
[16:29:48] thanks
[16:50:19] @rhinosf1 cf sends a header back on a curl right?
[16:50:34] ye
[16:51:44] Okay so it’s not behind yet
[16:51:55] Thought we had put them all behind CF already
[16:52:54] everything that's using CNAME
[16:53:07] and everything not at the apex of the domain
[16:53:17] Apex?
[16:53:26] not got a subdomain
[16:53:41] @bluemoon0332 what's your plan for updating SSL
[16:53:52] So all root domains should not be
[16:53:56] Okay
[16:54:05] well we should be able to migrate to BIND before the LE certs expire hopefully
[16:54:05] Got confused
[16:54:25] then we can just add the origin cert wildcard to all of them
[16:54:35] well they expire at different times
[16:54:41] unless it's on https://github.com/search?q=repo%3Amiraheze%2Fdns%20%22%40%09%09DYNA%09geoip!cp%22&type=code
[16:54:46] everything else is migrated
[16:55:35] btw here's that cert: https://github.com/miraheze/ssl/commit/23a47dba1ebe96e9c1e4b272ce08fbf0c3e495ac
[16:59:05] @bluemoon0332 anything with a subdomain can be moved now
[16:59:25] only thing not moved is stuff using our DNS at the root of the domain
[17:01:06] we can switch them all over to that cert then
[17:02:13] What’s the difference between CNAME and using our dns servers when
[17:02:15] Even*
[17:02:26] <- does not understand certs and dns
[17:02:29] yup
[17:02:42] because GDNSD doesn't support CNAME at the root
[17:03:04] what the FUCK is a GDNSD
[17:03:09] I’m dumb remember
[17:03:44] GDNSD is what both us and wikimedia use for DNS
[17:06:18] So software
[17:06:29] And again we fall into the trap of being limited because we copied wikimedia
[17:06:35] Recurring theme
[17:08:13] We can move to something else
[17:08:17] we probably have to
[17:08:39] Rip
[17:09:06] BIND supports what we need for this: https://issue-tracker.miraheze.org/T12518#250374
[17:09:27] how hard would it be to move to BIND
[17:09:33] I don't know actually
[17:09:55] but it is a quite famous daemon so it won't be for a lack of docs or blog posts about it
[17:10:33] @bluemoon0332 are you insane enough to try it?
[17:14:20] This is miraheze
[17:15:39] So are we going to have to move to a whole other software for the apex wikis?
[17:16:11] Probably
[17:16:29] Drat
[17:16:30] We don't really need to host our own dns tbh
[17:16:57] Time for a side quest?
[17:18:31] So using a third party service instead of moving to a new software of our own
[17:19:19] Just use free cloudflare
[17:19:29] oh
[17:19:52] so pretty easy to move?
[17:20:13] Well you only need to set a CNAME
[17:21:56] so would everyone need to switch their domains
[17:25:33] not all, except for those who don't want to move, which they will have to repoint their domain to a legacy address
[17:28:04] If we stop offering dns at some point then yes but I'm not sure whether we will
[17:28:57] One possible idea is move to custom nameservers in Cloudflare
[17:29:04] So we control them
[17:30:00] Please only use mw-lb-legacy if things are broken until we fix it
[17:30:15] what would that mean effectively
[17:30:28] Doesn't matter if we don't do it
[17:30:47] mw-lb-legacy is going as soon as all wikis are successfully working
[17:32:56] I mean what would not offering dns mean
[17:33:59] Either that we create everyone cloudflare tenancies for their domain which is the likely option or you find your own dns
[17:34:37] honey the cache servers are on fire again!
[17:34:40] dear god
[17:34:42] 7 down
[17:35:16] How
[17:35:25] They are getting half the traffic they were this morning
[17:35:44] we breached 2k unclaimed jobs
[17:35:57] oh hell nah
[17:36:16] actually
[17:36:17] Is it controlled though?
[17:36:29] the jobs seem to be the cache regenerating
[17:36:55] All but one of the top jobs is parsoidCacheRewarm
[17:37:06] huh
[17:37:11] the chart says otherwise
[17:37:24] never mind the pie chart is dumb
[17:38:12] Meh
[17:38:40] this is fine?
[17:38:50] Meta is a wee bit slow but the error dropped off
[17:38:57] Yes
[17:39:08] ye
[17:41:35] Unclaimed jobs are dropped
[17:41:39] 1.5k
[17:41:48] all cp are up
[17:41:52] we’re good
[17:43:20] woo
[17:45:32] @pancake.aurora do you still have your script for cleaning the dns repo out?
[17:45:49] ProTip: it's 100% manual process
[17:45:59] I just did it all by hand
[17:46:06] @pancake.aurora wait, that wasn't automated at all?
[17:46:13] basically `whois`ing them all
[17:46:18] Cause I was gonna say can you run it again
[17:46:36] To save me trying to work out what domains in dns actually still point at us
[17:48:13] I think it can be quickly automated but not in front of my keyboard rn
[17:48:59] (At least quickly check for `dig ns $domain`)
[17:58:09] I cleaned up dns a couple months ago, but was all manual
[18:00:31] Meh more than a couple months ago
[18:00:36] (April)
[18:00:44] https://github.com/miraheze/dns/pull/511
[18:01:05] But it removed a total of 79 zones
[18:03:02] Some may be pointed but not actually attached to a wiki
[18:22:58] Seems like we still need to get things such as Mirabeta under CF
[18:29:25] MacFan4000: mirabeta is a domain that is using our dns so it'll be moved at some point
[18:30:07] test151 should probably be renamed as test151.mirabeta.org tbh
[18:30:16] Not wikitide.net
[18:30:35] MacFan4000: ye I want to clean them up again
[18:30:45] So we can see wikis that aren't working and remove them
[18:31:01] So I don't have to deal with migrating their dns and it not working
[18:34:39] Beta is a special case though
[18:34:47] Cause it doesn't use the load balancer too
[20:17:57] rhinos can you publish my msg in ma
[20:18:06] discord being an ass
[20:18:18] No
[20:18:22] Don't see the option
[20:19:51] what in the nine hells
[20:26:55] Discord moment. Guess replies can't be published or something
[20:27:08] Hey @orduin
[20:27:20] 👋
[20:27:52] @orduin we have stacks more behind cloudflare
[20:27:59] And amazonbot really was badly scraping
[20:28:08] I'm not surprised that caused issues
[20:28:16] We have a lot left to do though
[20:30:11] blocked?
[20:30:19] Yup
[20:30:25] Cloudflare blocks it
[20:30:27] A lot
[20:30:27] actually what is the pending fix
[20:30:35] It got merged
[20:30:45] if not just the butchering of user agents
[20:30:48] what was it then
[20:31:29] https://cdn.discordapp.com/attachments/1006789349498699827/1279176691238834206/IMG_8406.png?ex=66d37da1&is=66d22c21&hm=c89571ce0841b0015cc93e1f58426538cfa91a10159477030b2a53467d09aa67&
[20:31:46] https://cdn.discordapp.com/attachments/1006789349498699827/1279176761799741492/IMG_8407.png?ex=66d37db1&is=66d22c31&hm=e7982b43f47a599b6fe04890bc3cb6d960247da91102212810900fbfa6828cd4&
[20:31:58] That's the fix in action?
[20:32:01] @pixldev that huge blue jump is amazonbot
[20:32:11] From when we switched custom domains earlier today
[20:32:32] what the
[20:32:33] That increase in events is just from amazonbot on cname'd custom domains
[20:32:34] explain
[20:32:55] But that’s when they were moved?
[20:32:57] im confused
[20:33:21] Well cloudflare didn't block Amazon when traffic wasn't going through cloudflare
[20:33:36] Ooooooh
[20:33:37] jesus
[20:33:51] you mean it's actually started detecting amazonbots?
[20:33:59] so the main slowness issues should be stopped?
[20:34:14] We've fixed them yes
[20:34:19] We fixed them yesterday
[20:34:32] What was the fix proper
[20:34:55] We moved 350 or so custom domains behind cloudflare today so ye cloudflare's firewall took effect on them
[20:35:00] Banning amazon
[20:35:03] Oh urlshortener is global
[20:35:07] I'll shout at them at the end of the month
[20:35:09] oh lmao
[20:35:15] abolish amazon
[20:35:27] okay so url allows you to shorten any domain already
[20:35:36] you just need to be on it
[20:35:44] ie on my wiki i can make links for my wiki
[20:35:54] i dont like that but is it worth changing
[20:40:53] As far as I understood, there were some breaking changes for the UploadWizard that we completely missed in REL_42
[20:41:36] That's only for custom domains isn't it
[20:45:06] Let me know if there's anything that needs doing immediately, otherwise, I'm probably just going to continue taking it easy while seasonal allergies do horrible things to me.
[20:45:57] Did your multi purge patch ever get merged?
[20:46:53] haven’t tried, this was on a non custom
[20:51:12] @rhinosf1 apparently making short urls isn’t a default permission
[20:51:14] i dont like this
[20:53:51] It's in their develop branch, not sure if that's stable for use in production. One of the commits on the branch is explicitly marked as WIP. Might be worth looking over, or might be worth getting custom patches done.
[21:02:56] Could we look at deploying it in some way? Even if it's temp using a fork you have of it. Or deploying a way to do temp patches or something.
[21:03:32] We do need to consider moving to the packaged version of the deployment tool eventually but I'm fine with merging your puppet patch if you test it for now to unblock that
[21:03:40] What you gonna do about it
[21:06:27] wait some years or until the board allows U18 NDAs run for steward and change the setting?
[21:07:43] Can't you just change the defaults in managewiki
[21:07:54] On my wiki yea
[21:08:00] Globally
[21:08:09] Yea
[21:08:12] You can change what ManageWikiDefaultPermissions does
[21:08:13] A steward can
[21:08:15] I ain’t one
[21:08:20] Via config
[21:08:24] I think
[21:08:30] Or is that only on wiki
[21:08:32] Hmm
[21:08:55] idk i think so
[21:09:18] plus it don’t change existing ones
[21:10:43] Cough interwiki
[21:41:16] erm, just making sure, is https://issue-tracker.miraheze.org/R9:601834a3d0ed2efc8576adef80ed6a10f4e7471e already deployed?
[21:41:29] because curl -v https://rainverse.wiki/w/index.php?title=MediaWiki:Gadget-JWB.js\&action=raw%O still redirects me
[21:41:47] thanks konversation for handling that properly: `curl -v https://rainverse.wiki/w/index.php?title=MediaWiki:Gadget-JWB.js\&action=raw`
[21:42:17] lol not anymore: https://github.com/miraheze/mw-config/commit/d6487cebb4e6
[21:42:54] it was never actually deployed as the deploy failed
[21:43:12] oh okay--what for though?
[21:43:31] oh amended commit message: Didn't do anything. I think this may need done in decode.php instead.
[21:46:54] I deployed it to test151 manually and it didn't do anything. I think it needs to be in decode.php instead.
[21:48:18] ah, I was going by the puppet failures on mwtask*
[21:48:49] Oh yeah index.php only redirects /wiki to / and vice versa, decode.php handles queries, @BlankEclair
[21:50:32] oh wow
[21:53:20] i wonder if we could do it in nginx...
[21:53:22] https://stackoverflow.com/questions/26133592/how-to-get-query-parameter-in-lua-or-nginx
[21:54:04] I tried for like a month when first making that lol, I decided I knew PHP better so went with this fairly messy method.
[21:54:11] perhaps something like if ($http_action = raw) { break; }
[21:54:43] You can just do the same change you did to index.php but apply to decode.php I think?
[21:55:00] but all of what decode.php does is redirect you
[21:55:07] if i stop the redirect there... the user gets nothing
[21:55:23] or perhaps i could call index.php from decode.php? feels hacky-ish though
[21:55:56] The whole index.php/decode.php we have is already very hacky
[21:57:13] i mean, i guess i could try to do it in php if you want me to
[21:57:21] i feel like it's just rather hacky
[21:57:38] Idk lol, nginx may not work.
[21:57:45] but if it does we can do that
[21:57:55] Anyway it is 6AM and I didn't sleep... whoops
[21:58:23] worth a try i guess
[21:58:25] also oopsie