[Wikipedia-l] Using X-Forwarded-For from selected external proxies

Tim Starling t.starling at physics.unimelb.edu.au
Thu Mar 31 11:24:27 UTC 2005


Some proxies give an X-Forwarded-For (XFF) header, with the IP address
of the user for whom they are forwarding a request. This is how our web
servers get the IP addresses of users, despite the fact that they are
behind a battery of squids configured as "accelerators". It's been
suggested before that if a user is behind a proxy, we should display
their real IP address as reported by X-Forwarded-For, rather than the
address of the proxy. But if we did this, anyone could forge the XFF
header and masquerade as another user. Also, the XFF header often
contains private addresses which are not unique, e.g. 192.168.0.1.

Some ISPs force their users to use a proxy, and some of these proxies
give a valid XFF header. These ISPs can be reasonably trusted not to
forge the header. Thus, it makes sense to use whatever user-specific
address they report, for the purposes of blocking and user
identification. This is what I've just implemented -- a means to specify
a list of partially trusted proxies. Most of the code was already written.

Walter von Kalken's open proxy is in this category, and I have entered
it into the list. Thus he will no longer be blocked by the SORBS
blocklist. We should probably set up a page somewhere with suggestions
for additions.

-- Tim Starling
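
The selection rule described in the message above, as an added example in Python; it is not part of the original post and is not MediaWiki's own code. The names `OWN_SQUIDS`, `TRUSTED_PROXIES`, `usable` and `client_ip`, and every address used, are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation-range addresses, not real proxies).
OWN_SQUIDS = {"10.0.0.1"}          # our own accelerators
TRUSTED_PROXIES = {"192.0.2.10"}   # partially trusted external (ISP) proxies
# Address ranges that are not unique to one user and so cannot identify one.
NON_UNIQUE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def usable(addr):
    """Return addr in canonical form if it is a unique IPv4 address, else None."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ValueError:
        return None
    if any(ip in net for net in NON_UNIQUE):
        return None
    return str(ip)


def client_ip(remote_addr, xff_header):
    """Pick the address a request is attributed to.

    Walk the XFF list from right (nearest hop) to left, and step past a
    hop only when that hop is one of our squids or a listed proxy.
    Anything an unlisted host wrote into the header is never consulted.
    """
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    current = remote_addr
    while hops and current in OWN_SQUIDS | TRUSTED_PROXIES:
        candidate = usable(hops.pop())
        if candidate is None:
            # Private or malformed entry: keep the proxy's own address.
            break
        current = candidate
    return current
```
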



