OP
UTC

Addicted
PK50XL, PK100S, ET3, Matchless G80S, Honda CBR400RR, Ducati ST4S
Joined: UTC
Posts: 721
Location: UK
 
I'm getting an HTTP/1.1 403 Forbidden error when trying to use Chrome. Firefox works OK.

Do I need to clear my cache or something like that, or have I upset someone?
@max6200
UTC

Banned
2006 GTS 250
Joined: UTC
Posts: 10590
Location: KS USA
Matchlessman wrote:
I'm getting an HTTP/1.1 403 Forbidden error when trying to use Chrome. Firefox works OK.

Do I need to clear my cache or something like that, or have I upset someone?
You're being punished by the Vespa gods Razz emoticon
OP
UTC

Addicted
PK50XL, PK100S, ET3, Matchless G80S, Honda CBR400RR, Ducati ST4S
Joined: UTC
Posts: 721
Location: UK
 
Max6200 wrote:
You're being punished by the Vespa gods Razz emoticon
It'll be yellow boots next.
@max6200
UTC

Banned
2006 GTS 250
Joined: UTC
Posts: 10590
Location: KS USA
Matchlessman wrote:
It'll be yellow boots next.
Don't you forget it. It's a major award which makes me a major member in my head.
@halijaro
UTC

Molto Verboso
'99 PX200 & GTS300 HPE SuperSport
Joined: UTC
Posts: 1486
Location: Cheshire, England, UK.
Matchlessman wrote:
I'm getting an HTTP/1.1 403 Forbidden error when trying to use Chrome. Firefox works OK.

Do I need to clear my cache or something like that, or have I upset someone?
Same for me on Chrome desktop. Fine using Chrome on phone though (Android).
@fledermaus
UTC

Veni, Vidi, Posti
2007 LX150 2015 GTS 2017 BV 350
Joined: UTC
Posts: 12485
Location: Fond du Lac, Wisconsin
Yeah, kinda weird. I'm fine on my phone...
@shebalba
UTC

Molto Verboso
2009 GTS250, Ducati Monster M900, KTM 390 Adventure, Honda CR125
Joined: UTC
Posts: 1821
Location: Oceanside, CA
I have also been 'dubbed thee unforbidden.'

It's only Chrome. I sacrificed my soul and tried Edge and everything is fine. Safari on my phone is also fine. Or I wouldn't be posting this.
@jimvanmorrissey
UTC

Addicted
Vespa PX200
Joined: UTC
Posts: 583
Location: Belgrade
Same issue with Chrome here. Thought it might be my IP (I'm in Serbia, kinda dodgy) but no, seems to be a global problem.
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
There are a variety of things that can trigger a 403 Forbidden error. Is there any other informative text below the 403?

How long has it been happening? What were you doing when it first happened?

One potential reason for a 403 error is if a lot of requests are made in a very short amount of time -- the server is protecting itself against bots. Obviously, you all are not bots, but it is possible that Chrome is doing something that makes the server think it's a bot.
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
I'm using Chrome right now (on macOS) and not seeing any obvious problems. I'd really like to hear more about what specific activities are involved.
@steelbytes
UTC

Veni, Vidi, Posti
2019 GTS 300 HPE SuperTech 71,000km
Joined: UTC
Posts: 7147
Location: Batmania aka Melbourne, Aus
jess wrote:
I'm using Chrome right now (on macOS) and not seeing any obvious problems. I'd really like to hear more about what specific activities are involved.
Broken on Brave on Windows (both computers that I tried); works on Brave on Android. This is posted using Edge on the same computer.

I did nothing. Just got out of bed, picked up my laptop, walked to the cafe and tried to surf MV while drinking my liquid breakfast. No go.

Here are the details from Brave:

request
------
Request URL: https://modernvespa.com/forum/new
Request Method: GET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-AU,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Cookie: mv_token=XXXXXXXXXXXX (removed)
Host: modernvespa.com
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Brave";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-GPC: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110


response
-----
Status Code: 403 Forbidden
Remote Address: 50.18.170.78:443
Referrer Policy: strict-origin-when-cross-origin
Connection: Keep-Alive
Content-Length: 132
Content-Type: text/html; charset=UTF-8
Date: Thu, 09 Mar 2023 08:04:31 GMT
Keep-Alive: timeout=5, max=99
Referrer-Policy: strict-origin-when-cross-origin
Server: Apache/2.4.54 () OpenSSL/1.0.2k-fips PHP/7.4.33
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/7.4.33

<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>HTTP/1.1 403 Forbidden</h1>
<p></p>
</body>
</html>
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
SteelBytes wrote:
here's the details from brave
Thanks for that. It doesn't tell me a lot, but it does tell me that the error is being returned from the application layer (the forum software) rather than some lower-level server component.

The funny thing is that nothing on the server has actually changed for weeks.
@steelbytes
UTC

Veni, Vidi, Posti
2019 GTS 300 HPE SuperTech 71,000km
Joined: UTC
Posts: 7147
Location: Batmania aka Melbourne, Aus
jess wrote:
Thanks for that. It doesn't tell me a lot, but it does tell me that the error is being returned from the application layer (the forum software) rather than some lower-level server component.

The funny thing is that nothing on the server has actually changed for weeks.
did a bit more digging ...

Ya know when you press F12 and get the debugging tab (forget the name), there is a button that lets you make it emulate different devices, e.g. pretend to be an iPhone 12 or a Pixel 5 etc. If I turn on that button and refresh, it then works (turn off and refresh and it breaks again). So I looked at the headers during that and it doesn't include the "sec-ch-xxx" set of headers (the other Sec-Fetch and Sec-GPC are still there).
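The device-emulation trick above is, in effect, a User-Agent experiment: emulation swaps the UA (and drops the sec-ch-ua client hints), and the 403 goes away. The script below turns that into a repeatable probe. It is an added example, not code from this thread or from Modern Vespa: it starts a small mock server on 127.0.0.1 that denies one exact User-Agent with a body shaped like the captured one and stamps X-Powered-By the way a PHP-generated response is, then replays the captured UA, a version-bumped variant, and a mobile UA, and reports which ones get a 403. The banned string, the mobile string and the loopback port are assumptions; against a real site you would point probe() at the real host and skip the mock server. The X-Powered-By check is the same inference jess draws earlier in the thread: that header is written by PHP, so a 403 that carries it came from the application rather than from Apache's own access control.

```python
"""Is the 403 keyed on the exact User-Agent, and did the application emit it?
Added example, not code from the thread or from Modern Vespa. The mock server
is a stand-in constructed here: it denies one exact UA with a body shaped
like the captured one. The UA strings and the loopback port are assumptions."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed: the exact string the mock penalises (the real one is not on the page).
BANNED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 5) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36")
DENIAL_BODY = (b"<html>\n<head>\n<title>403 Forbidden</title>\n</head>\n<body>\n"
               b"<h1>HTTP/1.1 403 Forbidden</h1>\n<p></p>\n</body>\n</html>\n")


class MockForum(BaseHTTPRequestHandler):
    """Stand-in for a PHP app that bans one UA string; every reply carries
    X-Powered-By, as PHP adds it whether the script answers 200 or 403."""

    def do_GET(self):
        if self.headers.get("User-Agent") == BANNED_UA:
            self._reply(403, DENIAL_BODY)
        else:
            self._reply(200, b"<html><body>forum index</body></html>")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=UTF-8")
        self.send_header("X-Powered-By", "PHP/7.4.33")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_mock_server():
    """Bind to a free loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), MockForum)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, user_agent, path="/forum/new"):
    """One GET with the chosen UA. Returns (status, came_from_app)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"User-Agent": user_agent,
                                       "Accept": "text/html"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    # X-Powered-By is written by PHP itself, so a 403 that carries it was
    # produced by the application, not by Apache's own access control.
    return resp.status, resp.getheader("X-Powered-By") is not None


def diagnose(host, port, captured_ua):
    """Replay the captured UA, then vary it, and say what the block is keyed on."""
    variants = {
        "captured": captured_ua,
        "version_bumped": captured_ua.replace("Chrome/110", "Chrome/111"),
        "mobile_emulation": MOBILE_UA,   # what DevTools device emulation sends
    }
    results = {name: probe(host, port, ua) for name, ua in variants.items()}
    statuses = {name: status for name, (status, _) in results.items()}
    ua_keyed = (statuses["captured"] == 403
                and all(s != 403 for n, s in statuses.items() if n != "captured"))
    return {"statuses": statuses, "ua_keyed": ua_keyed,
            "app_layer_403": statuses["captured"] == 403 and results["captured"][1]}


if __name__ == "__main__":
    srv = start_mock_server()
    print(diagnose("127.0.0.1", srv.server_port, BANNED_UA))
    srv.shutdown()
```

If only the captured string draws the 403 while a one-token change sails through, the block is matching the exact UA rather than the browser family, which is what the thread eventually confirmed; send the variants from the same IP and within a few seconds of each other so an IP-based limit cannot be what changed between runs.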
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
Try regular chrome (with the default user agent) again and tell me if it works.

(I removed a ban on a specific agent that was triggered by an overlimit client)
@steelbytes
UTC

Veni, Vidi, Posti
2019 GTS 300 HPE SuperTech 71,000km
Joined: UTC
Posts: 7147
Location: Batmania aka Melbourne, Aus
jess wrote:
Try regular chrome (with the default user agent) again and tell me if it works.

(I removed a ban on a specific agent that was triggered by an overlimit client)
Don't have regular Chrome handy (bit lazy to install it just for this test).

Anyone else wanna check with regular Chrome?
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
SteelBytes wrote:
Don't have regular Chrome handy (bit lazy to install it just for this test).

Anyone else wanna check with regular Chrome?
Or Brave.
@steelbytes
UTC

Veni, Vidi, Posti
2019 GTS 300 HPE SuperTech 71,000km
Joined: UTC
Posts: 7147
Location: Batmania aka Melbourne, Aus
jess wrote:
Or Brave.
It works!
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
SteelBytes wrote:
It works!
Does Brave use the standard Chrome user agent?
@steelbytes
UTC

Veni, Vidi, Posti
2019 GTS 300 HPE SuperTech 71,000km
Joined: UTC
Posts: 7147
Location: Batmania aka Melbourne, Aus
jess wrote:
Does Brave use the standard Chrome user agent?
It says Chrome in it, so ... guess so?
SteelBytes wrote:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
SteelBytes wrote:
It says Chrome in it, so ... guess so?
It's not the word Chrome that triggers it, it's the exact user agent string. It looks like the output you pasted in doesn't include the tail end of the user agent string, but the rest of it matches the problem user agent that was put in the penalty box for being overlimit (i.e. too many requests in a short amount of time).

There is a subset of malicious bots that uses constantly-changing IP addresses to barrage the server with requests, but uses the same user agent for all the requests. The code in question was trying to catch that behavior, but snagged all Windows Chrome users (presumably using the latest version) in the process.

I will have to rethink that aspect of session management. I've commented it out for now, so hopefully it won't snag any other innocent bystanders.

Thanks much for the assist.
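Jess's description above (together with the earlier note that a burst of requests in a short time can earn a 403) amounts to a rate limiter whose penalty-box key is the full User-Agent string. The code below is an added example, not Modern Vespa's code, that shows why that key choice snags bystanders: one sliding-window limiter is run over constructed traffic (a bot rotating through 200 IPs with a single Windows Chrome UA, then a handful of real Windows Chrome and Firefox users, then one Chrome user returning after the ban has expired) under three different keys. The UA strings, IP ranges, thresholds and ban TTL are all assumptions made for the illustration.

```python
"""A sliding-window over-limit ban and the effect of its key choice.
Added example, not Modern Vespa's code; all UA strings, IP ranges,
thresholds and traffic below are constructed for illustration."""
from collections import defaultdict, deque

# Assumed UA strings (the real banned string is not on the page).
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36")
FIREFOX_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:110.0) "
               "Gecko/20100101 Firefox/110.0")


class SlidingWindowBan:
    """Count requests per key over `window` seconds; past `limit`, put the key in
    the penalty box for `ban_ttl` seconds. What the key is decides who gets hit."""

    def __init__(self, key_fn, limit, window, ban_ttl):
        self.key_fn = key_fn
        self.limit, self.window, self.ban_ttl = limit, window, ban_ttl
        self.hits = defaultdict(deque)   # key -> request timestamps inside the window
        self.banned_until = {}           # key -> time the ban expires

    def check(self, ts, ip, ua):
        """Return 403 or 200 for one request at time `ts`, updating state."""
        key = self.key_fn(ip, ua)
        if self.banned_until.get(key, 0.0) > ts:
            return 403                       # still in the penalty box
        q = self.hits[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                      # drop hits that fell out of the window
        if len(q) > self.limit:
            self.banned_until[key] = ts + self.ban_ttl   # ban, but with an expiry
            q.clear()
            return 403
        return 200


# Three candidate keys for the same limiter.
def key_by_ua(ip, ua):
    return ua                                # what snagged every Windows Chrome user

def key_by_ip(ip, ua):
    return ip                                # blind to a bot that rotates IPs

def key_by_ua_and_net24(ip, ua):
    return (ip.rsplit(".", 1)[0], ua)        # UA within one /24; evaded by wide rotation


def constructed_traffic():
    """(ts, ip, ua, who): a bot burst with rotating IPs, then real users."""
    events = []
    for i in range(200):   # bot: 200 hits in 2 s, every one from a different IP
        events.append((i * 0.01, f"203.0.113.{i + 1}", CHROME_WIN, "bot"))
    for i in range(5):     # later, five real Windows Chrome users, one page each
        events.append((100.0 + i, f"198.51.100.{i + 1}", CHROME_WIN, "chrome_user"))
    events.append((106.0, "198.51.100.9", FIREFOX_WIN, "firefox_user"))
    # one of the Chrome users comes back after the ban TTL has elapsed
    events.append((100.0 + 3600.0 + 5.0, "198.51.100.1", CHROME_WIN, "chrome_after_ttl"))
    return events


def simulate(key_fn):
    """Run the traffic through a limiter with `key_fn`; return who got 403s."""
    limiter = SlidingWindowBan(key_fn, limit=50, window=10.0, ban_ttl=3600.0)
    blocked, total = defaultdict(int), defaultdict(int)
    for ts, ip, ua, who in constructed_traffic():
        total[who] += 1
        if limiter.check(ts, ip, ua) == 403:
            blocked[who] += 1
    return {who: (blocked[who], total[who]) for who in total}


if __name__ == "__main__":
    for key_fn in (key_by_ua, key_by_ip, key_by_ua_and_net24):
        print(f"{key_fn.__name__:22s} blocked/total: {simulate(key_fn)}")
```

Keying on the UA alone catches the rotating bot but also bans every real Windows Chrome user for the full TTL, which is the outage in this thread; keying on the IP alone never catches the bot at all; keying on UA plus the source /24 splits the difference for a bot that rotates within one netblock but is evaded by one spread across many. Whichever key is chosen, give bans an expiry and log the key that triggered them, so a bad key shows up as a short, diagnosable blip rather than a day of unexplained 403s.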
@johntee
UTC

Hooked
Vespa ET4
Joined: UTC
Posts: 155
Location: Sheffield England
All back to normal now
@chandlerman
UTC

Innovator
76 Sprint V, 63 GL, 62 VBB, 05 Stella, 66 Smallstate, 66 Lammy S3
Joined: UTC
Posts: 11268
Location: Nashville

37 Days Since Last Explosion
jess wrote:
It's not the word Chrome that triggers it, it's the exact user agent string. It looks like the output you pasted in doesn't include the tail end of the user agent string, but the rest of it matches the problem user agent that was put in the penalty box for being overlimit (i.e. too many requests in a short amount of time).

There is a subset of malicious bots that uses constantly-changing IP addresses to barrage the server with requests, but uses the same user agent for all the requests. The code in question was trying to catch that behavior, but snagged all Windows Chrome users (presumably using the latest version) in the process.

I will have to rethink that aspect of session management. I've commented it out for now, so hopefully it won't snag any other innocent bystanders.

Thanks much for the assist.
Are you using WAF or CloudFront to get the Shield Basic protections? Either of those would protect you, albeit at a (potentially-minimal) cost. The default edge security just provides basic packet hygiene, so protection for IP Stack level stuff like syn floods.
@shebalba
UTC

Molto Verboso
2009 GTS250, Ducati Monster M900, KTM 390 Adventure, Honda CR125
Joined: UTC
Posts: 1821
Location: Oceanside, CA
Also back up and running.

I know zero about code, so thank you to SteelBytes for saying all of those computer words to Jess.

And thank you to Jess who, I think, took all of the computer words from SteelBytes and resolved it.
@adri
UTC

Atypical Canadian
2009 Vespa S50(LX150 motor swap), 2006 Vespa GTS250ie
Joined: UTC
Posts: 2319
Location: Toronto, Canada
About 24 hours no access for me either. Pretty sure Jess just banned us for some fun lol
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
chandlerman wrote:
Are you using WAF or CloudFront to get the Shield Basic protections? Either of those would protect you, albeit at a (potentially-minimal) cost. The default edge security just provides basic packet hygiene, so protection for IP Stack level stuff like syn floods.
We use CloudFront as a CDN for all the attachments and the other various non-dynamic assets (icons, fonts, images, etc). This keeps the load off the main server and means we can run a fairly lightweight main server instance. Plus, of course, all the images load faster around the world.

We don't use CloudFront on the main server (modernvespa.com) at all. Nor WAF. The defense mechanisms we use predate both CloudFront and WAF (by a lot) and have largely grown organically with the site. I'm not sure converting to WAF at this point would be straightforward -- it would be hard to capture all the different rules that I've put into place over the last (checks watch) 17 years.

I'll give it a closer look and see if it seems plausible, at least.
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
adri wrote:
About 24 hours no access for me either. Pretty sure Jess just banned us for some fun lol
Yeah, not my idea of a good time.
@chandlerman
UTC

Innovator
76 Sprint V, 63 GL, 62 VBB, 05 Stella, 66 Smallstate, 66 Lammy S3
Joined: UTC
Posts: 11268
Location: Nashville

37 Days Since Last Explosion
jess wrote:
We don't use CloudFront on the main server (modernvespa.com) at all. Nor WAF. The defense mechanisms we use predate both CloudFront and WAF (by a lot) and have largely grown organically with the site. I'm not sure converting to WAF at this point would be straightforward -- it would be hard to capture all the different rules that I've put into place over the last (checks watch) 17 years.

I'll give it a closer look and see if it seems plausible, at least.
That makes sense. Assuming the main server is sitting behind an ALB or ELB, it would be pretty simple to turn WAF on. Unless the legacy protections are very site-specific, you'd probably find that those events Just Went Away with WAF turned on.

And not that I'm totally shilling for AWS (but, full transparency, I *do* work there) the cost of WAF would probably be near zero unless MV does a lot more traffic than I think.
@jess
UTC

Petty Tyrant
0:7 and counting
Joined: UTC
Posts: 38578
Location: Bay Area, California
chandlerman wrote:
That makes sense. Assuming the main server is sitting behind an ALB or ELB, it would be pretty simple to turn WAF on.
The main server is just a standard EC2 instance without any load balancing. And not a very big instance at that -- currently t4g.small.
chandlerman wrote:
Unless the legacy protections are very site-specific, you'd probably find that those events Just Went Away with WAF turned on.
Some of the protections are very site specific. We're running a very, very old (and very modified) version of phpBB2. Scripted forum attacks for phpBB2 and phpBB3 have been commonly used by spammers and other malicious actors, and I've found that altering the basic environment in ways that are unique to MV has kept us largely free of automated spam. The spam that does get through is manually posted by low-paid grunts, mostly in India these days.
chandlerman wrote:
And not that I'm totally shilling for AWS (but, full transparency, I *do* work there) the cost of WAF would probably be near zero unless MV does a lot more traffic than I think.
I'm actually a bit of an AWS fanboy, and have incorporated quite a few AWS services into the MV code in ways that would make it difficult to run MV on any other host. I'm comfortable with that.

I don't think the cost would be zero -- a brief look at the pricing chart for US West (Northern California) puts the cost at $5 per month and $1 per rule. I suspect the number of rules I would need would be the kicker, as phpBB's very old design distributes entry points across about a hundred different PHP files, each with subtly different requirements. It's a mess, actually. I'm still reading the docs to get a better sense of what WAF can do.

All Content Copyright 2005-2025 by Modern Vespa.
All Rights Reserved.

