Wordpress handles 404s really slowly? I'm kind of surprised it works at all then, as at least in my logs there's a very steady stream of bots probing it for vulnerabilities by trying random URLs.
It may intentionally 404 slowly? One web service I worked on added a few hundred milliseconds delay in returning 404s to slow down this kind of probing attack
I managed to get around it with litespeed Cache which does cache 404 pages. I was previously using WP Super Cache which does not. Note I also wasn’t running a CDN so there’s no reverse proxy cache either.
Over time, I found that BetterLinks was slowing down my site significantly (600ms) . It wasn’t like this when I first investigated. It became slow over the course of a year or so. I ended up replacing it with Simple 301 Redirects. I think this is a separate issue though, unrelated to my original overload, but looked very similar to when Firefox DOSed my site.
I experimented with CDNs to cache things reverse proxy style as a catch all. Eventually I caved and enabled Cloudflare CDN because QUIC.cloud kept having problems where a POP node kept hitting 403 Forbidden. I’d say the site is pretty functionally performant now.
I think most sites that claim Wordpress handles high loads really well have at least two layers of caching in front of it and are running on dedicated boxes. Remove both of those and suddenly it’s super easy to DOS.
Another common DOS exploit is to repeatedly spam the Forgot Password form, since there’s a lot of guaranteed processing with that and it’s not cacheable. I hid mine behind a captcha which helps a lot.
It's an open source project, with a good discussion of the technical issues on GitHub[1]. Probably linked to certain user behaviors, like having hundreds of tabs open, but surely also contingent on the complexity of wedging a browser in iOS. Like maneuvering an excavator into a sandbox.
I also wonder how these requests "beat the shit out of the web server." It's requesting the feed and the favicon, both of which could be cached by a CDN. Even if they aren't, how much traffic are you gonna see from this compared to some other page trending on HN? Wasteful, sure, but hardly that big a deal
Why should you need to provision a CDN when If-Modified-Since / Etags exist?
I get that not every client is well behaved, but you'd hope that Firefox would be, given Mozilla's presence in web standards.
(Which, tbh makes me think this issue is the "on iOS" bit, given it's Firefox. I presume Apple still has their "only Safari's rendering engine" rule in place for... ...reasons)
I opened the Github issue linked. For us it represented, at times, thousands of requests per second across multiple users. And that was with affected users getting IP-banned temporarily.
Some of which were 404s which you typically absolutely do not want cached. Or 405s (on HEAD /favicon.ico for example). Or 429s. Or 403s.
Browsers are expected to:
1. Use the favicon specified in meta if any (we do have one, /favicon.svg)
2. Respect cache headers (immutable + multi-months max-age)
3. Not make completely random requests to things they should ignore (such as OpenGraph tags)
Yes CDNs do help with these kinds of issues, but they absolutely do not fix them all. Which is why even though we have a pretty damn elaborate setup in that regard we were being annoyed by the issue.
But also Firefox on iOS should be not-completely-broken.
Pretty weird to think that running a web server also means you should operate "a geographically distributed network of proxy servers and their data centers".
I also think it's pretty weird to defend thoroughly defect software with "waste ful, sure, but hardly that big a deal".
I can easily have hundreds of Chrome tabs open, and none of this happens. I can have hundreds of tabs inadvertently open in iOS Safari, and none of this happens.
Would you kindly refrain from blaming users for what clearly is a bug in the application?
Just yesterday I blocked the bots from my blog using this[1]. Of course whether these bots respect robots.txt nowadays is a different question altogether
Given the seriously negative sibling comments, I thought I'd weigh in with my own experience. I'm unaware of anything behind the scenes, but I've always enjoyed the user experience in Firefox on Android, at least for the last couple years before the rewrite. I don't like browsing the web on my phone, but it's made it bearable.
I can't speak to the problems behind the scenes though, and they certainly merit attention.
Firefox on Android is a godsend to me, and the secret is that I can install uBlock origin and noscript on my mobile. I get a whiplash when I see someone else browsing the web without these, it is absurd how much attention people will allow to be just stolen away.
Firefox on Android is NOT amazing. For MANY YEARS the user agent included the exact model of your phone. They seem to be incompetent. (Edit: this is a bit harsh, and to clarify, directed at the company and not any specific people in their employ.) Exactly what Google wants -- plausible deniability when it comes to monopoly, but an awful alternative.
To address this, we will measure Telemetry Coverage, which is the percentage of all Firefox users who report telemetry. The Telemetry Coverage measurement will sample a portion of all Firefox clients and report whether telemetry is enabled. This measurement will not include a client identifier and will not be associated with our standard telemetry.
Even if you turn telemetry off it will still call home
>...directed at the company and not any specific people in their employ.
They are the same thing, until you get to the upper levels, that own the place ie 'take full responsibility'.
We are fa-mily.
Until the shit hits the fan.
iOS requires a browser to use the OS-provided WebKit, but you can still use your own networking layer, and doing your own scripts injection (e.g. for extensions, like what Orion is doing). Firefox for iOS used to use Alamofire as its networking engine, but switched over to NSURLSession/URLSession at some point. Chrome for iOS uses Cronet which was extracted from Chromium's networking stack (or maybe used, I have not followed the development recently).
> I thought firefox on ios was just safari with a reskin
It is. It does avoid some of the tracking/ad content, so I guess it does do some things somewhat differently. But if it's such a scourge, add a favicon.
BTW, I've never seen this, and I regularly use Firefox on iOS to test.
I'm another who loves firefox on android. It annoys me that to some degree Android forces chrome on you, even if firefox is set as your default. The full plugin support that got added in the last year really took it up a notch too.
My experience with Firefox Nightly for ~1 year below. Ironically, the nightly sounds more consistently stable than the current release build then!:
* Never had this tabs problem
* I can see about:config
* Bookmarks are fine and there's no mention of Pocket. Bookmarks show up ON the homepage, but yeah not being able to set a bookmark / any URL AS a homepage is a bit of an annoying feature lack
* URL completion works as I expect it to, although it does bug me how it strips the protocol from the URL so I have to manually type in `http://` for plaintext sites even when I've visited them before; depending on who you ask that is considered a "security feature" but kinda annoying. Other than that, I start typing in a URL and it shows me suggestions from my history followed by option to use my preferred search engine to search it.
All in all, I've not really felt FF (even nightly) be particularly different or unstable to using chrome.
Second comment I've made in this thread where I'm replying (ever so helpfully) "Huh, but it works for me" so I'll stop now :-). I promise the Mozilla Foundation aren't bribing nor blackmailing me.
Pocket is the worst. It tried to get me to read some article where the author was whinging that her daughter was pretty and people were complementing her as such.
The author of this site usually takes pains to obfuscate whatever big commercial entity she's talking about who did dumb stuff. But when it's Firefox, she names names. Huh.
I remember something similar with Internet Explorer back in the day, where it would ask for the favicon (which we didn’t have setup at the time) so our 404 page would be returned, which then seemed to trigger another request for a favicon. (╯°□°)╯︵ ┻━┻
Though they aren't common enough that it needs to be a built-in, especially as you can already specify a page specific icon via a link tag in your page's head which every up-to-date stable browser has had support for since 2010 or before (ref: https://caniuse.com/?search=link-icon).
Readit News
Basically Firefox loaded favicons 4x the number of tabs opened to that website. It would do this every time I opened or closed any tab.
https://aggressivelyparaphrasing.me/2022/12/12/why-does-my-l...
It was resolved a while back so maybe it’s similar symptoms but different root cause, or maybe it’s people using older versions?
Over time, I found that BetterLinks was slowing down my site significantly (600ms) . It wasn’t like this when I first investigated. It became slow over the course of a year or so. I ended up replacing it with Simple 301 Redirects. I think this is a separate issue though, unrelated to my original overload, but looked very similar to when Firefox DOSed my site.
I experimented with CDNs to cache things reverse proxy style as a catch all. Eventually I caved and enabled Cloudflare CDN because QUIC.cloud kept having problems where a POP node kept hitting 403 Forbidden. I’d say the site is pretty functionally performant now.
I think most sites that claim Wordpress handles high loads really well have at least two layers of caching in front of it and are running on dedicated boxes. Remove both of those and suddenly it’s super easy to DOS.
Another common DOS exploit is to repeatedly spam the Forgot Password form, since there’s a lot of guaranteed processing with that and it’s not cacheable. I hid mine behind a captcha which helps a lot.
Dead Comment
[1] https://github.com/mozilla-mobile/firefox-ios/issues/12113
This attitude is why so much software is garbage, and why people with limited connections or hardware can't have a good time on the internet.
I get that not every client is well behaved, but you'd hope that Firefox would be, given Mozilla's presence in web standards.
(Which, tbh makes me think this issue is the "on iOS" bit, given it's Firefox. I presume Apple still has their "only Safari's rendering engine" rule in place for... ...reasons)
I opened the Github issue linked. For us it represented, at times, thousands of requests per second across multiple users. And that was with affected users getting IP-banned temporarily.
Some of which were 404s which you typically absolutely do not want cached. Or 405s (on HEAD /favicon.ico for example). Or 429s. Or 403s.
Browsers are expected to: 1. Use the favicon specified in meta if any (we do have one, /favicon.svg) 2. Respect cache headers (immutable + multi-months max-age) 3. Not make completely random requests to things they should ignore (such as OpenGraph tags)
Yes CDNs do help with these kinds of issues, but they absolutely do not fix them all. Which is why even though we have a pretty damn elaborate setup in that regard we were being annoyed by the issue.
But also Firefox on iOS should be not-completely-broken.
I also think it's pretty weird to defend thoroughly defect software with "waste ful, sure, but hardly that big a deal".
Would you kindly refrain from blaming users for what clearly is a bug in the application?
[1]: https://github.com/fardog/fardog.io/commit/b2e3eac838ea25209...
That is, they are just skins
On android, browsers can ship their own engines, and they do. There is actually some freedom on android.
Firefox on android is amazing with its plugin support, though I still prefer their pre-2021 UI
I can't speak to the problems behind the scenes though, and they certainly merit attention.
The internet is unusable on mobile otherwise. But go on and let google continue to 'wow'you with their amazing ad tech.
Firefox on android IS AMAZING.
To address this, we will measure Telemetry Coverage, which is the percentage of all Firefox users who report telemetry. The Telemetry Coverage measurement will sample a portion of all Firefox clients and report whether telemetry is enabled. This measurement will not include a client identifier and will not be associated with our standard telemetry.
Even if you turn telemetry off it will still call home
https://blog.mozilla.org/data/2018/08/20/effectively-measuri...
They are the same thing, until you get to the upper levels, that own the place ie 'take full responsibility'. We are fa-mily. Until the shit hits the fan.
It is. It does avoid some of the tracking/ad content, so I guess it does do some things somewhat differently. But if it's such a scourge, add a favicon.
BTW, I've never seen this, and I regularly use Firefox on iOS to test.
* Tabs get stuck frequently, and can only be revived by closing, then undoing close.
* Can no longer access about:config in release builds
* Bookmarks got demoted in favor of Pocket, can no longer set bookmarks as default home page
* URL autocompletion got dumbed down, first on mobile and then also on desktop
* etc.
* Never had this tabs problem
* I can see about:config
* Bookmarks are fine and there's no mention of Pocket. Bookmarks show up ON the homepage, but yeah not being able to set a bookmark / any URL AS a homepage is a bit of an annoying feature lack
* URL completion works as I expect it to, although it does bug me how it strips the protocol from the URL so I have to manually type in `http://` for plaintext sites even when I've visited them before; depending on who you ask that is considered a "security feature" but kinda annoying. Other than that, I start typing in a URL and it shows me suggestions from my history followed by option to use my preferred search engine to search it.
All in all, I've not really felt FF (even nightly) be particularly different or unstable to using chrome.
Second comment I've made in this thread where I'm replying (ever so helpfully) "Huh, but it works for me" so I'll stop now :-). I promise the Mozilla Foundation aren't bribing nor blackmailing me.
https://time.com/6990734/ugly-side-of-pretty-essay/
Deleted Comment
I can't imagine she is working for them all.
I thought it was basically Firefox with another HTML rendering engine (and I guess javascript runtime).
Having a path-specific favicon actually sounds like a feature.
https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes...
Can you provide at least a couple of use-cases for a path specific favicons?
Though they aren't common enough that it needs to be a built-in, especially as you can already specify a page specific icon via a link tag in your page's head which every up-to-date stable browser has had support for since 2010 or before (ref: https://caniuse.com/?search=link-icon).