A partial archive of https://discourse-mediawiki.wmflabs.org as of Saturday May 21, 2022.

X-sub-request-filters in RESTBase configuration

Ciencia-Al-Poder

In RESTBase, the example config files (like config.example.yaml in the root directory) contain this code:

        x-sub-request-filters:
          - type: default
            name: http
            options:
              # allow must be nested under options
              allow:
                - pattern: http://localhost/w/api.php
                  forward_headers: true
                - pattern: http://localhost:8142
                  forward_headers: true
                - pattern: /^https?:\/\//

What exactly is this code for?

Apparently this is some sort of outgoing request filtering, per https://gerrit.wikimedia.org/r/#/c/277836/ (the general documentation of RESTBase is very poor) but I’m not sure how to configure it properly. Are they public-facing URLs or internal requests (RESTBase<->Parsoid)? Because localhost may not be correct in this case.

I’ve tried commenting out the contents of the allow section, leaving just one random URL, and VisualEditor saves just fine. Is this configuration actually doing anything? Or do I need to enable something?

Tgr

What are you trying to do? x-sub-request-filters is a functionality-agnostic mechanism to set configuration flags for subrequests that match a given URL pattern. This specific snippet sets a parameter for the http filter which uses that to determine whether to forward Cookie and other relevant headers of the incoming request. Usually you only need it on private wikis.

Ciencia-Al-Poder

Well, everything works OK (apparently) no matter what I have configured on that setting. I was just trying to understand what it does by asking here, since there’s no documentation about what it does.

I was thinking that it may be some sort of rules to disallow making requests to arbitrary URLs from the API (in case that would be possible), and limit requests only to those configured URLs, but if it’s only used to forward headers where it’s usually not needed, I guess it’s OK to leave it empty or with the defaults. Thanks.

ppchelko

@Tgr is correct - this is used to specify where we allow forwarding headers and which headers, in particular, are allowed. You can also prohibit internal requests to arbitrary URIs if you comment out a fallback /https?/ pattern - then you’d be able to white-list which domains RESTBase is allowed to contact.

Here’s what it’s set to in production https://github.com/wikimedia/mediawiki-services-restbase-deploy/blob/master/scap/templates/config.yaml.j2#L153-L166

That means we forward headers to MW API, Parsoid and AQS, but we allow requests to other domains, but do not forward the headers.
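
The behaviour described in the replies above, modelled as an added example that is not part of the original thread and is not RESTBase's own code. The matching rules are assumptions: a pattern written as /.../ is treated as a regular expression, any other pattern as a URL prefix, and the first matching entry decides; `compile`, `decide`, the sample URLs and the cookie value are hypothetical.

```javascript
// Simplified model of the allow list discussed in this thread.
// Assumptions (not taken from RESTBase source): a pattern written as /.../
// is a regular expression, any other pattern is a URL prefix, and the
// first matching entry decides.
function compile(entry) {
  const m = /^\/(.+)\/$/.exec(entry.pattern);
  const matches = m
    ? (url) => new RegExp(m[1]).test(url)
    : (url) => url.startsWith(entry.pattern);
  return { matches, forwardHeaders: entry.forward_headers === true };
}

// Returns whether a sub-request to `url` goes out and which headers it carries.
function decide(allow, url, incomingHeaders) {
  const rule = allow.map(compile).find((r) => r.matches(url));
  if (!rule) return { allowed: false, headers: {} };
  return { allowed: true, headers: rule.forwardHeaders ? { ...incomingHeaders } : {} };
}

// The example config from the thread, written as a JS array.
const defaultAllow = [
  { pattern: 'http://localhost/w/api.php', forward_headers: true },
  { pattern: 'http://localhost:8142', forward_headers: true },
  { pattern: '/^https?:\\/\\//' }, // fallback: any http(s) URL, no headers
];
// Same list with the fallback removed: only the listed services are reachable.
const strictAllow = defaultAllow.slice(0, 2);

// Constructed sample request data.
const incoming = { cookie: 'session=constructed-example' };
const urls = [
  'http://localhost/w/api.php?action=query',
  'http://localhost:8142/localhost/v3/page/html/Main_Page',
  'https://other.example/resource',
];

for (const [name, allow] of [['default', defaultAllow], ['strict', strictAllow]]) {
  for (const url of urls) {
    const d = decide(allow, url, incoming);
    console.log(name, url, d.allowed ? 'allowed' : 'rejected',
      'cookie' in d.headers ? 'headers forwarded' : 'no headers');
  }
}
```

With the fallback entry present, the third URL is allowed but carries no cookie; with it removed, the same request is rejected, which is why nothing visibly changes for VisualEditor on a public wiki either way.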