Merge pull request 'reduce metric cardinaility' (#49) from develop into master

Reviewed-on: #49
2024-11-30 21:16:03 -06:00 · 2024-11-30 21:16:03 -06:00 · 72413ef4b4
commit 72413ef4b4
parent ef46005e84 9d1632ce20
3 changed files with 10 additions and 11 deletions
--- a/packages/backend/src/server/ServerService.ts
+++ b/packages/backend/src/server/ServerService.ts
@ -57,7 +57,7 @@ function categorizeRequestPath(path: string): 'api' | 'health' | 'vite' | 'other
 const mRequestTime = metricHistogram({
 	name: 'misskey_http_request_duration_seconds',
 	help: 'Duration of handling HTTP requests in seconds',
-	labelNames: ['host', 'cate', 'method', 'path'],
+	labelNames: ['cate', 'method', 'path'],
 	buckets: [0.001, 0.1, 0.5, 1, 2, 5],
 });

@ -88,19 +88,19 @@ const mTooManyRequestsServed = metricCounter({
 const mAggregateRequestsServed = metricCounter({
 	name: 'misskey_http_requests_served_total',
 	help: 'Total number of HTTP requests served including invalid requests',
-	labelNames: ['host', 'cate', 'status'],
+	labelNames: ['cate', 'status'],
 });

 const mRequestsServedByPath = metricCounter({
 	name: 'misskey_http_requests_served_by_path',
 	help: 'Total number of HTTP requests served',
-	labelNames: ['host', 'cate', 'method', 'path', 'status'],
+	labelNames: ['cate', 'method', 'path', 'status'],
 });

 const mFatalErrorCount = metricCounter({
 	name: 'misskey_fatal_http_errors_total',
 	help: 'Total number of HTTP errors that propagate to the top level',
-	labelNames: ['host', 'cate', 'method', 'path'],
+	labelNames: ['cate', 'method', 'path'],
 });

 const mLastSuccessfulRequest = metricGauge({
@ -172,7 +172,6 @@ export class ServerService implements OnApplicationShutdown {
 				const url = new URL(request.url, this.config.url);
 				const logPath = sanitizeRequestURI(url.pathname);
 				mFatalErrorCount?.inc({
-					host: request.hostname,
 					method: request.method,
 					path: logPath,
 					cate: categorizeRequestPath(logPath),
@ -187,7 +186,6 @@ export class ServerService implements OnApplicationShutdown {
 				const received = reply.getHeader('x-request-received') as string;

 				mAggregateRequestsServed?.inc({
-					host: request.hostname,
 					cate,
 					status: reply.statusCode,
 				});
@ -211,7 +209,6 @@ export class ServerService implements OnApplicationShutdown {
 					if (received) {
 						const duration = (+new Date()) - parseInt(received);
 						mRequestTime?.observe({
-							host: request.hostname,
 							method: request.method,
 							cate,
 						}, duration / 1000);
@ -234,7 +231,6 @@ export class ServerService implements OnApplicationShutdown {
 					const duration = (+new Date()) - parseInt(received);

 					mRequestTime?.observe({
-						host: request.hostname,
 						method: request.method,
 						cate,
 						path: logPath,
@ -253,7 +249,6 @@ export class ServerService implements OnApplicationShutdown {
 				}

 				mRequestsServedByPath?.inc({
-					host: request.hostname,
 					method: request.method,
 					path: logPath,
 					cate,
--- a/yume-mods/legal/privacy-policy-zh.md
+++ b/yume-mods/legal/privacy-policy-zh.md
@ -62,6 +62,8 @@ TL;DR 非正式版本：據我們所知，我們是聯邦宇宙中最透明、

 雖然您的網頁請求永遠不會直接發送給第三方，但您查找外部資源的請求（例如透過 URL 上傳文件、遠端使用者和註釋查找）將導致從我們的伺服器向外部伺服器發出請求，並且取決於是否外部伺服器聲稱他們需要用戶身份驗證，該請求可能會追溯到您。

+然而，與上游實現不同的是，YumechiNoKuni 要求所有外部查找都使用現代加密套件透過連接埠443 透過HTTPS 進行，這意味著當您查找特定用戶或連結時，您可以確保查找的資訊不會洩露給其他人。
+
 #### 第三方應用程式

 雖然我們使用了所有主流瀏覽器強制執行的安全功能，但我們不能保證第三方應用程式將保持相同的安全等級。如果您使用網站或 PWA（「新增至主畫面」功能）以外的服務，您應該注意，我們無法保證我們在上一節中所做的承諾。
@ -77,5 +79,5 @@ TL;DR 非正式版本：據我們所知，我們是聯邦宇宙中最透明、
 ### 帳戶安全

 - **使用強密碼**：為了確保我們的網站不依賴第三方服務，我們僅對失敗的登入嘗試使用冷卻期。請使用不易被猜到的強密碼。
- **啟用雙重認證**：我們支援使用 TOTP 或 WebAuthn 的雙重認證。您可以在「安全性」標籤的帳戶設定中啟用它。我們已經更改了上游的行為，這樣，如果您僅將硬體金鑰用於2FA，我們將不喜歡但不要求您使用密碼保護您的硬體金鑰，因為硬體金鑰的系統使用者通常會保留物理密鑰。
+- **啟用雙重認證**：我們支援使用 TOTP 或 WebAuthn 的雙重認證。您可以在「安全性」標籤的帳戶設定中啟用它。我們已經更改了上游的行為，這樣，如果您僅將硬體金鑰用於2FA，我們將不要求您使用密碼保護您的硬體金鑰，因為硬體金鑰的系統使用者通常會保留物理密鑰。
 - **重置您的登入權杖**：這是目前從上游繼承的限制，我們正在研究解決方案，但與此同時，請不要依賴註銷功能、請轉到“設定”->“安全性”->“重新產生登入權杖”」以重置您的令牌、如果您懷疑您的登入會話不再安全。
--- a/yume-mods/legal/privacy-policy.md
+++ b/yume-mods/legal/privacy-policy.md
@ -64,6 +64,8 @@ However, there are two exceptions to this:

 While your network requests are never directly sent to a third party, your requests to look up external resources such as uploading files by URL, remote user and note lookups, will result in a request from our server to the external server, and depending on whether the external server claims they require user authentication, this request might be traced back to you.

+However unlike the upstream implementation, YumechiNoKuni requires all external lookups to be conducted over HTTPS over port 443 using a modern encryption suite, this means when you lookup a specific user or link, you can be sure that the information of the lookup is not disclosed to other parties.
+
 #### Third-party Apps

 While we used security features that are enforced by all mainstream browsers, we cannot guarantee that third-party apps will maintain the same level of security. If you use services other than the website or PWA (the 'Add to Home Screen' feature), you should be aware that we cannot guarantee the promises we made in the previous section.
@ -79,5 +81,5 @@ This information is sent to a third-party service [Grafana Cloud](https://grafan
 ### Account Security

 - **Use a Strong Password**: In order to guarantee our website does not depend on a third-party service, we only use a cool-down period for failed login attempts. Please use a strong password that is not easily guessable.
- **Enable Two-Factor Authentication**: We support two-factor authentication using TOTP or WebAuthn. You can enable it in your account settings in the "Security" tab. We have changed the behavior from upstream such that if you only use your hardware key for 2FA, we will not prefer but not require you to password-protect your hardware key as it is a common practice for systematic users of hardware keys to keep a physically secure backup key.
+- **Enable Two-Factor Authentication**: We support two-factor authentication using TOTP or WebAuthn. You can enable it in your account settings in the "Security" tab. We have changed the behavior from upstream such that if you only use your hardware key for 2FA, we will prefer but not require you to password-protect your hardware key as it is a common practice for systematic users of hardware keys to keep a physically secure backup key.
 - **Reset your Token**: This is currently a limitation inherited from upstream and we are working on a solution, but in the meantime, please go to Settings -> Security -> Regenerate Login Token from a secure device to invalidate all your sessions whenever you logged in from a public computer or suspect one of your sessions has been compromised.