Possibly use this:

https://schematics.readthedocs.org/en/latest/

We must support CORS headers for the client to be able to effectively all into this service.

I filed mozilla/activity-stream#251 earlier but it may be easier to handle request timeouts from the proxy directly.

I was stuck waiting on a embedly proxy response for ~30 seconds (which ultimately came back as a 502). Not sure if we want to tighten that to fail after 5-10s if we can't get a response, or ...

The Onyx data collection service implements an IP blacklist to block malicious traffic. We should periodically pull down the IP black list from the Onyx service and reject calls which match the list.

On heartbeat calls increment a statds counter. We should also capture the timing of calls to find out if calls that reach out to embedly take too much time.

Presently if a caller submits an array of null values, we raise a 500. This should be validated and signalled to the caller correctly.

Add a dev make command that starts the Flask dev server, also move those commands out of views.py into dev_server.py

There's no need in alpha to preserve the V1 GET API so we should promote the V2 API to V1 rather than having a separate endpoint.

See here:

https://github.com/mozilla-services/Dockerflow/blob/master/circle.yml

Split the embedly extraction logic and the flask views into two separate views and alter the tests to unit test the extraction logic directly rather than through the views. The views should then only have a simple integration test.

Yep.

Adding this to track this issue for production server HTTPS / certs

Add rate limiting to the embedly proxy to ensure that rapid callers do not take the server down.

If a call to embedly results in a timeout we should explicitly handle this case and signal the client correctly.

Ops has provided a docker spec here:

https://github.com/mozilla-services/Dockerflow

When the application is configured to run in HTTPS mode, we should enable HSTS and HPKP.

Now, since we're terminating the TLS connection at the load balancer, HTTPS mode will have to be a configuration item of the embedly proxy

We should send a metric to datadog for every event of interest.

Steps to reproduce:

1. Call the proxy with an offensively long list of URLs:

http://embedly-proxy.dev.mozaws.net/extract?urls=http%3A%2F%2Fideatown.dev%3A8000%2F&urls=http%3A%2F%2Flocalhost%3A1963%2Factivity-streams.html&urls=http%3A%2F%2Fidea-town-dev.elasticbeanstalk.com%2F...

Actual results:

_Bad Request_
Request Line is too large (5966 > 4094)

If we request a URL from embedly and the URL they return is transformed or missing, rather than omitting it from the result set, we should include it with a payload that indicates that the URL data returned from embedly was malformed in some way.

Add a Make file for the following:

• build (just the embedly container)
• test (build the container and run tests inside)
• dev server (compose build, compose up)
• gunicorn (run just the embedly container)
• deploy (to the dev instances controlled by docker-machine)

We should add an outer layer to the response data which includes information about the request, for instance:

{
    url_count: <int> // number urls in response
    url_data: {
        <url>: <url dict> // data from embedly about a url
    }
    error: <str> // a string which optionally contains information about what went wrong during the request
}

@k88hudson @oyiptong @pdehaan thoughts?

If there's an exception raised by the URL extractor we should return it to the client with a 500 status.

We should have a configuration parameter which determines the maximum number of URLs that may be sent in a single query to the embedly proxy. Perhaps 25 is a sane starting point.

We should create a Sentry DSN to log exceptions.

Found in https://embedly-proxy.stage.mozaws.net/__version__ (8682d12):

{ "commit": "8682d1204c9ae5210b517d949619689589ccc268",
  "version": "0.5",
  "source": "https://github.com/mozilla/embedly-proxy.git" }

Steps to reproduce:

1. Go to https://testpilot.firefox.com/experiments/activity-stream (log in w/ mozilla email).
2. Open the Browser Console (Tools > Web Developer > Browser Console).
3. Enable the Activity Stream experiment.

Actual results:

I saw a few HTTP 500 POSTs to https://embedly-proxy.stage.mozaws.net/v2/extract

Expected results:

No HTTP 500 errors in console.

Use a blueprint for the views and move the app creation into a separate file.

I'm guessing there's probably just one bad URL in here that's causing an unhandled error:

curl 'http://embedly-proxy.dev.mozaws.net/extract?urls=https%3A%2F%2Fwww.mozilla.org%2Fen-US%2Ffirefox%2Fnightly%2Ffirstrun%2F%3Foldversion%3D45.0&urls=https%3A%2F%2Faccounts.google.com%2FServiceLogin%3Fservice%3Dwise%26passive%3D1209600%26continue%3Dhttps%3A%2F%2Fdrive.google.com%2Fdrive%2Fmy-drive%26followup%3Dhttps%3A%2F%2Fdrive.google.com%2Fdrive%2Fmy-drive%23identifier&urls=https%3A%2F%2Faccounts.google.com%2FServiceLogin%3Fservice%3Dcl%26passive%3D1209600%26osid%3D1%26continue%3Dhttps%3A%2F%2Fcalendar.google.com%2Fcalendar%2Frender%26followup%3Dhttps%3A%2F%2Fcalendar.google.com%2Fcalendar%26scc%3D1%23identifier&urls=https%3A%2F%2Fwww.tumblr.com%2Flogin&urls=https%3A%2F%2Fwww.tumblr.com%2F&urls=https%3A%2F%2Ftumblr.com%2F&urls=http%3A%2F%2Ftumblr.com%2F&urls=http%3A%2F%2Fsmile.amazon.com%2F&urls=https%3A%2F%2Fgithub.com%2Fmozilla%2Factivity-streams%2Fpull%2F172&urls=https%3A%2F%2Fgithub.com%2Fnchapman%2Fsummarizer-server%2Fblob%2Fmaster%2Fapp%2Fcontrollers%2Fembedly_controller.rb&urls=https%3A%2F%2Fgithub.com%2Fnchapman%2Fsummarizer-server%2Ftree%2Fmaster%2Fapp%2Fcontrollers&urls=https%3A%2F%2Fgithub.com%2Fnchapman%2Fsummarizer-server%2Ftree%2Fmaster%2Fapp&urls=https%3A%2F%2Fgithub.com%2Fnchapman%2Fsummarizer-server&urls=https%3A%2F%2Fgithub.com%2Fnchapman%3Ftab%3Drepositories&urls=https%3A%2F%2Fgithub.com%2Fnchapman%2F&urls=http%3A%2F%2Fgithub.com%2Fnchapman%2F&urls=http%3A%2F%2Fembed.ly%2Fpricing&urls=http%3A%2F%2Fembed.ly%2F&urls=https%3A%2F%2Fapp.embed.ly%2Forganization%2Fchronicle%2Fapi&urls=https%3A%2F%2Fapp.embed.ly%2Forganization%2Fchronicle%2Fapi%2Fextract%2Fusage%2F20160204%2F20160303&urls=https%3A%2F%2Fapp.embed.ly%2Forganization%2Fchronicle%2Fapi%2Fkey&urls=https%3A%2F%2Fapp.embed.ly%2Forganization%2Fchronicle%2Fapi%2Fembed%2Fusage%2F20160204%2F20160303&urls=https%3A%2F%2Fapp.embed.ly%2Forganization%2Fchronicle&urls=https%3A%2F%2Fapp.embed.ly%2Flogin' -H 'Host: embedly-proxy.dev.mozaws.net' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Origin: resource://activity-streams' -H 'Connection: keep-alive'

Returns:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request.  Either the server is overloaded or there is an error in the application.</p>

If a URL contains unicode it is failing the Python urllib.urlquote_plus call here:

https://sentry.prod.mozaws.net/operations/embedly-proxy-prod/issues/330908/

Embedly returns more data that content needs. We need to measure how much data that is.

If it is big, we can investigate various mitigation strategies like:

• gzip (which we probably should do anyway)
• pruning the data sent from embedly

Basically, this issue is about evaluating how much bandwidth ingress we cause the clients.
If the cost will be prohibitive, we can discuss how to make things better.

See here:

https://github.com/mozilla-services/Dockerflow#automating-the-build

Add a deploy command to deploy to the dev stack using docker-machine.

Use the nose testrunner to simplify multiple test runs

We should be logging requests somewhere, however there are privacy considerations here because if we log an entire request that includes multiple query URLs then that can be used to reconstruct a partial window of a user's history, which we do not want. So we should figure out what we need to log for application health and performance but that does not compromise user privacy.

Tracking issues raised by @jvehent for security audit.

• ensure embedly doesn't return any images that are hosted by embedly controlled domains (ie. embedly.com)
• send @jvehent example logs from production NGINX
• audit any/all application logs to ensure no user history is logged
• ensure user IP addresses are not relayed to embedly

If embedly returns an error message like so:

{u'type': u'error', u'error_message': u'Invalid "urls" parameter: 25 urls sent, this exceeds max urls per call of 20. See "urls" in http://embed.ly/docs/endpoints/arguments', u'error_code': 400}

We presently fail hard and raise 500. This should be handled.

If a communication with Embedly results in an error, do not return the Embedly return message to the calling client. It may leak private information including our private key.

We should be silencing all logs so long as the GET API is in use. This can be accomplished by setting the log-driver to none in the docker-compose file. See here:

https://docs.docker.com/compose/compose-file/#logging

A feature was added to resolve multiple URLs into the same URL by stripping out protocol and query strings, however many websites put page dependent information in the query string, so we should not be removing this information from the cache key. Remove this logic for now.

We should accept URLs in a POST body as well as through GET parameters

Currently this throws an Internal Server Error:
http://embedly-proxy.dev.mozaws.net/extract?urls=

Internal Server Error

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

We may just want to return an empty object in this weird edge case (which was me accidentally hitting the enter key on my keyboard while testing).

We should remote the V1 API entirely as it is no longer needed.

Currently the add-on prefs point to a stage server. We may want to stand up a production server before release because technically after that point that'd be a production server with a confusing name.

Plus, we may want to make sure #28 is addressed before release.

Rather than querying embedly synchronously during a request flow, we should defer uncached URLs to a queue and have an asynchronous worker query embedly and store the results in the cache. This will reduce overall load on the request handlers, reduce latency, and lower the likelihood of the servers being DOSed.

If we send a URL which is too long to Embedly it will respond with 414. We should do something to handle this case.

https://sentry.prod.mozaws.net/operations/embedly-proxy-prod/issues/330912/

When we retrieve a response from embedly we should ensure that the URL returned is not transformed in any way by comparing it to the original URL as it was passed in during the extract call, ie here:

https://github.com/mozilla/embedly-proxy/blob/master/embedly/embedly/extract.py#L81

We presently use Sentry to log exceptions, however this will send the POST body in its entirety to our ops controlled sentry instance which will contain unobfuscated URLs which come from users histories. We should be omitting or obfuscating this in some way to prevent leaking users histories.

This was accidentally filed in mozilla-services/location-leaderboard#261

When testing this locally I ran into the issue with the query string being too long, which returns a 400 Bad Request / Request Line is too large error if you curl it, but the client gets a Cross-Origin Request Blocked error instead. Maybe we want to add CORS for error responses as well?

The service should expect all URL GET parameters to be URIencoded by the client.

The following URLs should evaluate to the same cache key:

https://www.google.ca/?utm_thing=stuff
http://www.google.ca/?q=cats

We can only send 25 URLs to embedly per request, so if there are more than 25 URLs, we should make multiple requests and aggregate the results.