Opened 3 months ago

Last modified 7 weeks ago

#15339 new task

Haiku IP addresses are blocked in Russia

Reported by: diver
Owned by: haiku-web
Priority: critical
Milestone: Unscheduled
Component: Website
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking:
Has a Patch: no
Platform: All

Description

Ever since the move from online.net to DigitalOcean, Haiku websites and package repos are unavailable from Russia.

This is because the 104.248.198.131/32 network was blocked in Russia on 13.04.2018.

https://blocklist.rkn.gov.ru

Change History (13)

comment:1 by kallisti5, 3 months ago

We spoke about this one on Telegram (ironically)... turns out Russia censors *all* of DigitalOcean, AWS, GCP and who knows how many other IP ranges as an attempt to censor... Telegram.

https://www.theguardian.com/world/2018/apr/17/russia-blocks-millions-of-ip-addresses-in-battle-against-telegram-app

I really don't have an easy solution to this one. There's no process to request an IP be "removed from the blacklist".

Some options:

  • Throw haiku-os.org, discuss, gerrit, etc. behind a WAF (web application firewall); these start at $10/month and would give us some attack/DDoS protection while "changing" the ingress IP.
    • We would have to make sure the WAF provider doesn't use pretty much any cloud providers.
  • Spin up separate mirrors for Russia... this won't solve the site + services being censored from Russia though.
Last edited 3 months ago by kallisti5

comment:2 by kallisti5, 3 months ago

As I understand it, using VPNs, Tor, and other "workarounds" is extremely common in Russia. However, with Haiku not supporting any of these solutions, users running Haiku will have difficulty obtaining updates.

I'm tempted to target a solution around "providing repository mirrors" for Russia as the solution. It's not great... but it is also pretty abysmal that Russia employs these methods of censorship.

comment:3 by diver, 3 months ago

It seems that DigitalOcean is not completely blocked. Some people recreated servers at DO (sometimes 4 times or more) to get a new IP which is not blocked. Can we try that?

comment:4 by diver, 3 months ago

Another option is to use Cloudflare.com as a proxy.

comment:5 by waddlesplash, 3 months ago

-10 to Cloudflare. Is our IPv6 blocked too?

comment:6 by kallisti5, 3 months ago

> It seems that DigitalOcean is not completely blocked. Some people recreated servers at DO (sometimes 4 times or more) to get a new IP which is not blocked. Can we try that?

I really don't want to "redo everything" every time Russia decides to block a new IP range, that's not really sustainable.

Cloudflare is *way* too much for our pockets. There are some cheaper WAF protections out there... then again they can't be based on AWS, GCP, or DigitalOcean :-|

We could improve our support of VPNs within Haiku :-)

in reply to: 5; comment:7 by luroh, 3 months ago

Replying to waddlesplash:

> -10 to Cloudflare. Is our IPv6 blocked too?

I don't think so. Possibly useful: https://isitblockedinrussia.com

comment:8 by kallisti5, 3 months ago

I've flipped on IPv6. Let me know if this helps the situation any.

in reply to: 8; comment:9 by korli, 3 months ago

Replying to kallisti5:

> I've flipped on IPv6. Let me know if this helps the situation any.

I now can't push a change.

in reply to: 8; comment:10 by diver, 3 months ago

Replying to kallisti5:

> I've flipped on IPv6. Let me know if this helps the situation any.

Didn't make a difference for me.

in reply to: 9; comment:11 by korli, 3 months ago

Replying to korli:

> Replying to kallisti5:
>
> > I've flipped on IPv6. Let me know if this helps the situation any.
>
> I now can't push a change.

Tip: I had to define the v4 IP in /etc/hosts to have it working again.

comment:12 by pulkomandy, 3 months ago

That hints at git not using getaddrinfo with the appropriate flags to make sure it doesn't try to use an IPv6 address on an IPv4-only system.
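
Added example, not part of the ticket and not git's code: one way a client can avoid the failure described in comments 9 to 12, by resolving with `AI_ADDRCONFIG` and trying every returned address in order instead of stopping at the first. It assumes `AI_ADDRCONFIG` is the flag comment:12 has in mind; the function names are hypothetical, and `demo_fallback_family` uses constructed loopback addresses so it runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* AI_ADDRCONFIG: skip address families this host has no address configured for. */
int resolve_configured(const char *host, const char *port, struct addrinfo **out)
{
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM,
                              .ai_flags = AI_ADDRCONFIG };
    return getaddrinfo(host, port, &hints, out);
}

/* Try each result in order; returns a connected fd (family in *family) or -1. */
int connect_any(const struct addrinfo *list, int *family)
{
    for (const struct addrinfo *ai = list; ai != NULL; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) continue;            /* family not supported locally */
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) {
            *family = ai->ai_family;
            return fd;
        }
        close(fd);                       /* refused or unreachable: try the next */
    }
    return -1;
}

/* Constructed offline case: dead IPv6 entry first, live IPv4 loopback listener second. */
int demo_fallback_family(void)
{
    struct sockaddr_in6 v6 = { .sin6_family = AF_INET6, .sin6_port = htons(1),
                               .sin6_addr = IN6ADDR_LOOPBACK_INIT };
    struct sockaddr_in v4 = { .sin_family = AF_INET,
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof v4;
    struct addrinfo a4 = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM,
                           .ai_addr = (struct sockaddr *)&v4, .ai_addrlen = sizeof v4 };
    struct addrinfo a6 = { .ai_family = AF_INET6, .ai_socktype = SOCK_STREAM, .ai_next = &a4,
                           .ai_addr = (struct sockaddr *)&v6, .ai_addrlen = sizeof v6 };
    int fd, family = -1, lfd = socket(AF_INET, SOCK_STREAM, 0);
    /* Port 0 lets the kernel pick a free port; getsockname() writes it back into v4. */
    if (lfd >= 0 && bind(lfd, a4.ai_addr, len) == 0 && listen(lfd, 1) == 0 &&
        getsockname(lfd, a4.ai_addr, &len) == 0 &&
        (fd = connect_any(&a6, &family)) >= 0)
        close(fd);
    if (lfd >= 0) close(lfd);
    return family;
}
```

In real use, pass the list from `resolve_configured` to `connect_any` and release it with `freeaddrinfo()` afterwards.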

comment:13 by waddlesplash, 7 weeks ago

Milestone: R1/beta2 → Unscheduled