[Labs-l] Full Text Reference Tool: Approved exposing of ip addresses to an external API

Jake Orlowitz jorlowitz at gmail.com
Thu May 29 13:59:09 UTC 2014


Hi all,

I'm new to the list and to labs, so please bear with me... :)

BACKGROUND
I'm a WMF IEG grantee working on The Wikipedia Library.  We've partnered
with the global library organization OCLC who has a neat API that can
return links to full text sources from Wikipedia article citations.  This
functionality will be built into a userscript on English Wikipedia.

In order to do this we need the user's ip address.  We need the remote/real
ip address because we're sending the ip address to the OCLC api and then to
a proxy server at a university library to get access to full text of
references.  All of that depends on a unique, real ip.

WMF legal has approved opt-in use of this on Wikipedia provided their is
full privacy disclosure that would accompany any install pages related to
this script.  So to my understanding legally, it's ok as long as it's
opt-in and we detail what is being shared.

PROBLEM
We're working on local-reference-api in Tool Labs.  It's pairing with this
userscript: https://en.wikipedia.org/wiki/User:Nischayn22/OCLC.js

The problem is that we get $_SERVER['REMOTE_ADDR'] as 10.68.16.4 instead of
the real, unique, remote IP address of the client.

I understand that this is because Tools webserver strips the 'remote',
'real' ip address to enforce privacy and Terms and Conditions, so we end up
with Tools' ip address instead of the user's.

SOLUTION?
We've been told we can get a separate project on Wikimedia labs, our own
machine, our own Instance, which could see the real ip, but we would have
to set up the webserver and database with puppet scripts and handle all of
the configuration and maintenance, all of which requires
additional sysadmin skills that neither I nor the programmer I'm working
with really have.

QUESTIONS
Are there any approved exceptions where user ip addresses could be exposed
on Tool Labs (say, if WMF said it was ok)?  Would this be technically
possible?

If we have to run our own instance, will That allow us to share real ip
addresses?

Is there some workaround here that I'm missing, or that would be much
simpler?

Could this script be hosted elsewhere within WMF?

Thanks very much, Jake (Ocaasi)

p.s. Thanks to andrewbogott for all of his advice.  Superm401 suggested I
post here as there was some uncertainty around what would work best in this
situation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wikimedia.org/pipermail/labs-l/attachments/20140529/bb0f50ad/attachment.html>


More information about the Labs-l mailing list