
Feature request: support for HTTP_X_FORWARDED_FOR header
Closed, Invalid (Public)

Description

Author: rob

Description:
Apparently some proxies do add an HTTP X-Forwarded-For header to the request. If
the Wikimedia software would support such headers for known proxy servers, this
would allow more selective blocking of vandals using proxies.

  • It would allow other users using the same proxy to keep working even while a
    vandal is being blocked.
  • It would make it impossible for a vandal to use proxy hopping.

Obviously we cannot blindly trust this header in just any request, so my
proposal would be to have a sysop command that marks an IP as a known proxy. If
a request comes from such a marked proxy, the contributor would be taken from
the IP address in the X-Forwarded-For header instead, and this address would be
used for access control instead of the proxy address itself.


Version: unspecified
Severity: enhancement

Details

Reference
bz843

Event Timeline

bzimport raised the priority of this task from to Low. (Nov 21 2014, 7:02 PM)
bzimport set Reference to bz843.
bzimport added a subscriber: Unknown Object (MLST).

usr352 wrote:

Please do. I'm forced by my ISP to be behind a transparent proxy and my real IP
address never matches the one displayed. If the proxy's address is banned, a
great amount of users connected via this ISP and others will be banned at the
same time. That's because the proxy belongs to the phone company who provides
the communication means.

Here's a piece of code to obtain the client's IP (from a comment in
http://www.php.net/getenv):

function getIP() {
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are taken from request headers;
    // REMOTE_ADDR is the address of the connecting peer.
    if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR")) $ip = getenv("REMOTE_ADDR");
    else $ip = "UNKNOWN";

    return $ip;
}

but watch out for commas in the HTTP_X_FORWARDED_FOR result. There's some code
in the mentioned php.net address which explodes the string and returns an array.
I'm not an HTTP_X_FORWARDED_FOR expert so I don't know if the IP address to look
at is the first or the last one. The comments there may help.

HTH

river wrote:

We already support extracting IPs from proxy headers for Squid support (see
$wgSquidServers and Setup.php). The only thing required to implement this would
therefore be to find a list of ISP proxy servers and add them to
$wgSquidServers--so it's mainly a policy issue rather than an implementation
issue (i.e. do we want to do this or not).

I'm closing this as RESOLVED INVALID for this reason; if people either want it
done on Wikimedia sites or a feature to allow $wgSquidServers to be updated by
sysop, it's probably best to open a new bug.
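
Added example (not part of the original thread and not MediaWiki's own code): one way to implement the rule proposed in the description, where X-Forwarded-For is consulted only when the connecting address is on a known-proxy list, and the comma-separated chain is walked from the right until the first address that is not a known proxy. The function name, the $trustedProxies list and all addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not MediaWiki code. $trustedProxies is a hypothetical
// sysop-maintained list; all addresses are constructed documentation IPs.

/**
 * Resolve the address to use for access control.
 * X-Forwarded-For is honoured only when the TCP peer is a known proxy.
 */
function resolveClientIp(string $remoteAddr, ?string $xff, array $trustedProxies): string
{
    // Direct connection, or a peer we do not trust: ignore the header entirely.
    if (!in_array($remoteAddr, $trustedProxies, true) || $xff === null) {
        return $remoteAddr;
    }

    // Each proxy appends the address it received the request from, so the
    // rightmost entries are the ones written by the proxies closest to us.
    $chain = array_map('trim', explode(',', $xff));
    $ip = $remoteAddr;
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $candidate = $chain[$i];
        // A malformed entry ends the walk; keep the last address we could verify.
        if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
            break;
        }
        $ip = $candidate;
        // Stop at the first hop that is not a known proxy: everything further
        // left was supplied by that host and cannot be verified.
        if (!in_array($candidate, $trustedProxies, true)) {
            break;
        }
    }
    return $ip;
}

$trustedProxies = ['192.0.2.10', '192.0.2.11'];

// Constructed cases: [REMOTE_ADDR, X-Forwarded-For header]
$cases = [
    ['198.51.100.7', null],                     // direct client, no header
    ['198.51.100.7', '203.0.113.99'],           // untrusted peer sends a header
    ['192.0.2.10', '203.0.113.5'],              // one known proxy
    ['192.0.2.10', '203.0.113.5, 192.0.2.11'],  // two known proxies chained
    ['192.0.2.10', '10.1.1.1, 203.0.113.5'],    // client prepended its own entry
];
foreach ($cases as [$peer, $xff]) {
    printf("%-13s %-28s => %s\n", $peer, var_export($xff, true), resolveClientIp($peer, $xff, $trustedProxies));
}
```

A block placed on the resolved address then affects only the client behind the proxy, while a header sent by a host that is not on the list has no effect on which address is checked.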

zigger wrote:

*** Bug 1590 has been marked as a duplicate of this bug. ***

epriestley added a commit: Unknown Object (Diffusion Commit). (Mar 4 2015, 8:20 AM)
epriestley added a commit: Unknown Object (Diffusion Commit).