-
-
Notifications
You must be signed in to change notification settings - Fork 267
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gunicorn causes signed GET requests (e.g. AUTHORIZED_FETCH) to fail in Production #2844
Comments
I can confirm you have the |
My Mastodon (Hometown) environment:
In particular I haven't messed with My Bookwyrm environment:
|
Thanks @futzle for all this detail. This is a confusing one. I'm trying to think through the possible causes here, and I may need to spin up a test mastodon server on the weekend to try to get to the bottom of it, but here's a list of possibilities I can think of:
Something that might be helpful to narrow things down is to test whether you can send DMs in both directions to/from non-secure Mastodon or other Bookwyrm instances. If that also throws a |
I caught some HTTP logs on the Mastodon Hometown instance (old.mermaid.town) and on the Bookwyrm instance (outside.ofa.dog). Hometown instance old.mermaid.town IP: 2400:8907::f03c:93ff:fe78:43a2 Bookwyrm instance outside.ofa.dog IP: 2400:8907::f03c:93ff:fec5:bf6a Search for https : //outside.ofa.dog/user/bookwyrm_user from old.mermaid.town:outside.ofa.dog nginx log:
Other logs have no interesting traffic. Attempt to follow bookwyrm_user from hometown_user at UTC 00:23:25:outside.ofa.dog nginx log:
outside.ofa.dog bookwyrm journal:
old.mermaid.town nginx_log:
old.mermaid.town mastodon journal:
My wild guess as to the events:
Is it possible that Hometown is rejecting the signature, or that it considers the signed context invalid? |
I temporarily disabled AUTHORIZED_FETCH on Mastodon Hometown instance old.mermaid.town and the follow went straight through. Now that the follow is connected, both accounts can talk to each other just fine, even after re-enabling AUTHORIZED_FETCH. Seems that it's just the following workflow that's being interfered with. |
Ahhh I think the problem is |
Au contraire, they do exist! I created a user |
Aha!
Yes. Sending a signed request with the instance actor after getting a 401 on an unsigned user request is intended behaviour to deal with authorized fetch. We should not be getting a |
Is it possible for you to check whether following now works for other users on old.mermaid.town without having to disable |
OMG it is a "first use" problem. Following from Old Mermaid Town to a different user on Outside of a Dog works perfectly, with AUTHORIZED_FETCH subsequently turned on. Logs are much simpler now, I guess because the two instances trust each other. old.mermaid.town nginx log:
Note that there is no GET on /users/hometown_user like the above log, which is the bit that was getting a 401 error. Is that because outside.ofa.dog doesn't need to verify this server's existence any more? So the suspected failure path has been bypassed? old.mermaid.town Mastodon log:
Same request as the nginx log shows. outside.ofa.dog nginx log:
If I attempt to follow from Hometown instance old.mermaid.town a user on a different Bookwyrm server (one which has a bookwyrm.instance.actor user, so has #2613 applied), I get the originally described hanging behaviour. |
Thanks this is very helpful. I need to think about this more but from what you're saying yes this is something about when a whole new ActivityPub server is encountered, rather than simply a new-to-our-server user.
The prior |
This appears to be something to do with
The code added in #2613 appears to be the same on both branches, so it's something else. My guess is something to do with the The only other thing that is different other than the branches, is that I'm using ngrok to maintain real domain names when testing: usually on @mouse-reeve do you have any ideas here? |
FWIW, I'm encountering the same issue. From my hometown account https://weirder.earth/web/@eldang I can't follow either of my Bookwyrm accounts https://outside.ofa.dog/user/eldang or https://books.theunseen.city/user/eldang Because I have been able to follow my account on the flagship instance -- https://bookwyrm.social/user/eldang -- I had assumed that #2613 was working as intended and this had to be a config issue with books.theunseen.city. But when I joined outside.ofa.dog I found I had the same issue. The first use issue probably explains that discrepancy. I'm afraid I have no insight into how this might be fixed, but if any permutation of my accounts are helpful for testing I'm happy to try stuff out. |
@hughrun what is your HTTPS setup like on each of those? that's something that's different on the prod and main branches, prod has certbot by default. I presume ngrok does HTTPS termination in both cases? |
I don't really understand how this is all supposed to work, but one question I have is — doesn't the Mastodon server need to get the key for |
Yes that's right. Mastodon should reject the initial This all works correctly on I think I didn't set it up properly when I was trying to test @futzle is also having an issue where statuses are published twice: I suspect this is related and we also have an Issue where someone else had the same problem. |
Having the same issue here with a working Mastodon- and BookWyrm-instance. The latter was reverted from an offline snapshot and since then, the user feed disappeared (to be specific, the status updates so far did - new ones are displayed as they should) and Mastodon wasn't able to follow the BookWyrm-user anymore. I can request a follow (same procedure: Mastodon tells me that I am following, after refreshing and looking at the profile it seems to be "just" a follow request) but the BookWyrm-instance tells me that I've got a new follower - which is somehow odd as the account isn't displayed as being followed from Mastodon. Using the latest commits here and everything went fine BEFORE the snapshot. |
@OliverPifferi is your Bookwyrm instance using Docker, or the Dockerless setup? |
Sorry, forgot to mention that - it's deployed via Dockerless setup. |
I have done further testing on this with latest Bookwyrm, and latest Mastodon+Hometown.
So problem definitely seems to be with @mouse-reeve is it possible the issue here is something gunicorn does differently to Django's |
I genuinely have no idea at this point 😬 |
@hughrun it should be possible to test that by running something like:
on the |
@WesleyAC good thinking. OMG I just wasn't patient enough. IT WORKS!!! So, this is caused by something in the way gunicorn is handling ...something. |
Thanks @WesleyAC I think I now have a solution for this 🎉 I don't profess to know enough about http requests and threading to understand exactly why this happens, but the answer looks to be " See this Stack Overflow answer to a similar problem. The answer refers to "workers" but they are actually talking about threads. See Gunicorn documentation on threads. More on how to mix workers and threads in Gunicorn and how they differ. I have successfully tested adding an extra thread in the web:
build: .
env_file: .env
command: gunicorn bookwyrm.wsgi:application --threads=2 --bind 0.0.0.0:8000 This fixes the problem reported here by @futzle. If anything, adding one or more extra threads seems like it should result in improved performance in most instances, but I'd like more opinions from perf champ @WesleyAC and Fearless Leader @mouse-reeve before I log a simple PR for this, in case there are other ramifications. |
!!! I've edited
Let's see how things go after that change. Update: So it looks like this change has helped. The view from a Mastodon server now is:
This dance seems to apply only when the first user on any given instance attempts to follow. Afterwards follow requests seem to be instant. (Needs further verification!) I have seen the same behaviour when following a Takahē instance from a Mastodon server with AUTHORIZED_FETCH turn on, so I wonder if this is just normal for Mastodon. |
fascinating! it's really strange that this has the effect it does. on bookwyrm.social we're using |
Ah, reading the stack overflow post you linked the deadlock makes sense, and the real fix is #2717, presumably the |
This is also making me wonder if we should always send outgoing GET requests to webfinger and external ids as signed requests from |
Agree with everyone that it looks like there's something being unexpectedly re-entrant, and having strictly one thread is leading to something timing out because there's no thread left to handle the inner request. #2717 looks like a place to spend some effort. After a day, with the extra |
Various issues have been raised regarding requests that seem to be dropped. The real fix for this in bookwyrm-social#2717 - "Stop making HTTP requests in views" This commit is a quick fix in some circumstances - particularly bookwyrm-social#2844 - signed GET requests failing in production. It adds an extra thread to Gunicorn to make the default configuration multi-threaded. This will now match the multi-threaded nature of the development environment, which is why we have not been able to replicate these errors in dev.
For what it's worth, I had msub2 add this on books.theunseen.city (on 0.6.4) and I am still having the same issue of being unable to follow my account (weirder.earth -> books.theunseen.city, one example the same as eldang above). |
A user on Mastodon 4.2.3 instance eigenmagic.net is encountering this issue following a user on Bookwyrm 0.6.3 instance outside.ofa.dog, even with the Edit: I don't have access to the eigenmagic.net logs but the logs on outside.ofa.dog are just the same as above. |
This should be fixed by #3434 |
Describe the bug
On production branch, dockerless, still getting Unauthorized: /user/bookwyrmuser/inbox on follow from a Mastodon instance.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The follow should complete, and it should be visible at both ends.
Instance
https://outside.ofa.dog/
https://old.mermaid.town/
Additional context
This issue looks just like closed issues #2734, #1964, #2626, which are all supposed to be fixed by #2613. Yet I'm pretty sure that my installation, new on 8 May 2023, includes #2613 and I'm still getting the exact same behaviour.
Users on other instances can follow me on Bookwyrm, even users on other Mastodon instances.
I can't seem to follow any Bookwyrm instances from old.mermaid.town.
I tried two users on Mastodon instance old.mermaid.town and had the same result.
Mastodon server has errors in sidekiq logs:
I tried to follow my Bookwyrm account from a user on Mastodon 4.1 instance aus.social (which AFAIK has AUTHORIZED_FETCH turned off) and the follow succeeded at both ends.
Desktop (please complete the following information):
- OS: MacOS
- Browser Firefox
- Version 112
The text was updated successfully, but these errors were encountered: