Given the recent problems with a user using many different HTTP proxies to edit Wikipedia, we should consider using the information in the HTTP_X_FORWARDED_FOR header supported by well-behaved proxies. If _any_ address in a HTTP_X_FORWARDED_FOR header is in our IP block list, the request should be treated as if it had come directly from a blocked address.
This works well, as the various paranoid scenarios I can think of (e.g. spurious headers) only work against the interests of the user sending the headers, or make no difference from using their own IP address.
Anonymizing/spoofing proxies will have to be dealt with one-by-one as usual.
-- Neil
On Wed, 10 Mar 2004 12:15:40 +0000, Neil Harris wrote:
> Given the recent problems with a user using many different HTTP proxies to edit Wikipedia, we should consider using the information in the HTTP_X_FORWARDED_FOR header supported by well-behaved proxies. If _any_ address in a HTTP_X_FORWARDED_FOR header is in our IP block list, the request should be treated as if it had come directly from a blocked address.
> This works well, as the various paranoid scenarios I can think of (e.g. spurious headers) only work against the interests of the user sending the headers, or make no difference from using their own IP address.
> Anonymizing/spoofing proxies will have to be dealt with one-by-one as usual.
A first step in this direction would be to store the complete header in the db; then sysops have much better information about a user to start with. The HTTP_X_FORWARDED_FOR header is already parsed into an array in the latest CVS; all it would need for blocking based on this would be matching the array values against a blocklist.
wikitech-l@lists.wikimedia.org
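
The check proposed in this thread, sketched as an added example; it is not part of the original messages and is not MediaWiki code. The function names and the blocklist entries (documentation address ranges) are constructed for illustration.

```python
import ipaddress

# Constructed sample blocklist (documentation ranges, not real blocks).
BLOCKLIST = [ipaddress.ip_network(n)
             for n in ("192.0.2.44/32", "198.51.100.0/24")]


def parse_xff(header):
    """Split an X-Forwarded-For value into valid IP addresses.

    Tokens that do not parse (e.g. "unknown", or garbage from a spurious
    header) are dropped: they cannot match a block and cannot lift one.
    """
    addrs = []
    for token in (header or "").split(","):
        try:
            addrs.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue
    return addrs


def blocked_address(remote_addr, xff_header, blocklist=BLOCKLIST):
    """Return the first blocked address seen for this request, or None.

    The connecting address is always checked first, so a forged header
    can only add candidates for a block; it can never hide the real peer.
    """
    candidates = [ipaddress.ip_address(remote_addr)] + parse_xff(xff_header)
    for addr in candidates:
        if any(addr in net for net in blocklist):
            return str(addr)
    return None
```

Returning the matching address rather than a boolean lets the caller log which hop triggered the block, which fits the suggestion above to give sysops the full header.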