Opened 10 months ago

Closed 5 months ago

Last modified 3 months ago

#15339 closed task (no change required)

Haiku IP addresses are blocked in Russia

Reported by: diver
Owned by: haiku-web
Priority: critical
Milestone:
Component: Website
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking:
Platform: All

Description

Ever since the move from online.net to DigitalOcean, Haiku websites and package repos are unavailable from Russia.

This is because the 104.248.198.131/32 network was blocked in Russia on 13.04.2018.

https://blocklist.rkn.gov.ru

Change History (19)

comment:1 by kallisti5, 10 months ago

We spoke about this one on Telegram (ironically)... turns out Russia censors *all* of DigitalOcean, AWS, GCP and who knows how many other IP ranges as an attempt to censor... Telegram.

https://www.theguardian.com/world/2018/apr/17/russia-blocks-millions-of-ip-addresses-in-battle-against-telegram-app

I really don't have an easy solution to this one. There's no process to request an IP be "removed from the blacklist".

Some options:

  • Throw haiku-os.org, discuss, gerrit, etc. behind a WAF (web application firewall); these start at $10/month and would give us some attack/DDoS protection while "changing" the ingress IP.
    • We would have to make sure the WAF provider doesn't use pretty much any cloud providers.
  • Spin up separate mirrors for Russia... this won't solve the site + services being censored from Russia though.

comment:2 by kallisti5, 10 months ago

As I understand it, using VPNs, Tor, and other "workarounds" is extremely common in Russia. However, with Haiku not supporting any of these solutions, users running Haiku will have difficulty obtaining updates.

I'm tempted to target a solution around "providing repository mirrors" for Russia as the solution. It's not great... but it is also pretty abysmal that Russia employs these methods of censorship.

comment:3 by diver, 10 months ago

It seems that DigitalOcean is not completely blocked. Some people recreated servers at DO (sometimes 4 times or more) to get a new IP which is not blocked. Can we try that?

comment:4 by diver, 10 months ago

Another option is to use Cloudflare.com as a proxy.

comment:5 by waddlesplash, 10 months ago

-10 to Cloudflare. Is our IPv6 blocked too?

comment:6 by kallisti5, 10 months ago

It seems that DigitalOcean is not completely blocked. Some people recreated servers at DO (sometimes 4 times or more) to get a new IP which is not blocked. Can we try that?

I really don't want to "redo everything" every time Russia decides to block a new IP range, that's not really sustainable.

Cloudflare is *way* too much for our pockets. There are some cheaper WAF protections out there... then again they can't be based on AWS, GCP, or DigitalOcean :-|

We could improve our support of VPNs within Haiku :-)

in reply to:  5 comment:7 by luroh, 10 months ago

Replying to waddlesplash:

-10 to Cloudflare. Is our IPv6 blocked too?

I don't think so. Possibly useful: https://isitblockedinrussia.com

comment:8 by kallisti5, 10 months ago

I've flipped on IPv6. Let me know if this helps the situation any.

in reply to:  8 ; comment:9 by korli, 10 months ago

Replying to kallisti5:

I've flipped on IPv6. Let me know if this helps the situation any.

I now can't push a change.

in reply to:  8 comment:10 by diver, 10 months ago

Replying to kallisti5:

I've flipped on IPv6. Let me know if this helps the situation any.

Didn't make a difference for me.

in reply to:  9 comment:11 by korli, 10 months ago

Replying to korli:

Replying to kallisti5:

I've flipped on IPv6. Let me know if this helps the situation any.

I now can't push a change.

Tip: I had to define the v4 IP in /etc/hosts to have it working again.

comment:12 by pulkomandy, 10 months ago

That hints at git not using getaddrinfo with the appropriate flags to make sure it doesn't try to use an IPv6 address on an IPv4-only system.
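The behaviour comment:12 describes, as an added example that is not part of the ticket and is not git's code: resolve with `AI_ADDRCONFIG` so address families with no configured local address are left out, then try each returned address in order so one unreachable IPv6 address does not abort the connection. The loopback listener, port and candidate list in `demo()` are constructed for illustration.

```python
import socket


def resolve(host, port):
    """Resolve host with AI_ADDRCONFIG: families without a configured
    (non-loopback) local address are not returned by the resolver."""
    infos = socket.getaddrinfo(host, port, family=socket.AF_UNSPEC,
                               type=socket.SOCK_STREAM,
                               flags=socket.AI_ADDRCONFIG)
    return [(family, sockaddr) for family, _t, _p, _c, sockaddr in infos]


def connect_with_fallback(candidates, timeout=3.0):
    """Try each (family, sockaddr) in order.
    Returns (connected socket or None, list of (address, error))."""
    errors = []
    for family, sockaddr in candidates:
        sock = None
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            return sock, errors
        except OSError as exc:  # no IPv6 stack, refused, unreachable, timeout
            errors.append((sockaddr[0], exc))
            if sock is not None:
                sock.close()
    return None, errors


def demo():
    """Constructed scenario: the service listens on IPv4 loopback only,
    but the candidate list offers the IPv6 address first."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    candidates = [(socket.AF_INET6, ("::1", port, 0, 0)),
                  (socket.AF_INET, ("127.0.0.1", port))]
    sock, errors = connect_with_fallback(candidates, timeout=1.0)
    family = sock.family if sock else None
    if sock:
        sock.close()
    listener.close()
    return family, [addr for addr, _ in errors]


if __name__ == "__main__":
    print(demo())
```

Against a real host, `connect_with_fallback(resolve(host, port))` combines both steps; the per-address error list shows which family failed and why.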

comment:13 by waddlesplash, 9 months ago

Milestone: R1/beta2 → Unscheduled

comment:14 by diver, 5 months ago

Seeing that the Russian Haiku Telegram group (https://t.me/HaikuOS_RU_chat) is ~300 members and the Haiku English group (https://t.me/haiku_os) is ~200 members as of 02.2020, it wouldn't be nice to ignore this issue completely. We need to come up with some easy to use workaround.

Right now the workaround is to add haiku DNS records through 3dEyes's DigitalOcean (oh, irony!) proxy droplet.

comment:15 by pulkomandy, 5 months ago

Can you document here the proxy setup and IP address? We could try to make it a more official part of the infra, maybe serving as an alternate DNS entry or by having a "ru.haiku-os.org" pointing to it or something?

Also, did we seriously look into getting the IP unlocked by the Russian government? Probably not easy, but is it not at least worth a try?

comment:16 by kallisti5, 5 months ago

This one is more of an "I honestly don't know what to do" issue. This one came out of left field to me.

  • The Russian government is blocking massive portions of the internet with little oversight. (AWS, GCP, DigitalOcean, etc.)
  • The process to get IPs unbanned has a documented success rate of 0%

I think the real solution is to greatly improve the VPN support in Haiku. If we had solid OpenVPN / Wireguard support, the workarounds would be easy and more sustainable than us "moving all of our infrastructure around" whenever the Russian government decides to suddenly block a new block of IP addresses.

Welcome to the results of a massive decline of Net Neutrality.

comment:17 by kallisti5, 5 months ago

I created a PR to add VPN support to the GSoC 2020 idea page. https://github.com/haiku/website/pull/354

comment:18 by diver, 5 months ago

Resolution: no change required
Status: new → closed

RKN unblocked 2 million IP addresses, and the Haiku network is among them.

comment:19 by nielx, 3 months ago

Milestone: Unscheduled

Remove milestone for tickets with status = closed and resolution != fixed
