BBlack has uploaded a new change for review.
https://gerrit.wikimedia.org/r/258136
Change subject: VCL: do not expose X-Real-IP to applayer
......................................................................
VCL: do not expose X-Real-IP to applayer
Change-Id: I550bcaf31de54a20181bcce54ddf9e69997ec959
---
M modules/varnish/templates/vcl/wikimedia.vcl.erb
1 file changed, 11 insertions(+), 21 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/36/258136/1
diff --git a/modules/varnish/templates/vcl/wikimedia.vcl.erb
b/modules/varnish/templates/vcl/wikimedia.vcl.erb
index 92c761b..973b9b7 100644
--- a/modules/varnish/templates/vcl/wikimedia.vcl.erb
+++ b/modules/varnish/templates/vcl/wikimedia.vcl.erb
@@ -424,9 +424,8 @@
// XRIP is not yet set and XFF is directly from external.
if (!req.http.X-Real-IP) {
// direct-to-port-80 case, set XRIP ourselves
- set req.http.X-Real-IP = client.ip;
- set req.http.X-Client-IP = req.http.X-Real-IP;
- set req.http.X-Trusted-Proxy = netmapper.map("proxies",
req.http.X-Real-IP);
+ set req.http.X-Client-IP = client.ip;
+ set req.http.X-Trusted-Proxy = netmapper.map("proxies",
req.http.X-Client-IP);
// normalize to boolean post-netmapper (varnish-3.0.4...)
if (req.http.X-Trusted-Proxy == "") {
unset req.http.X-Trusted-Proxy;
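Review bot: The X-Client-IP assignment and the "proxies" lookup now read client.ip directly, but the branch is still selected by `if (!req.http.X-Real-IP)`, so this fast path is only safe if a client connecting directly to port 80 cannot present its own X-Real-IP header; if it can, the request skips this branch and the attacker-supplied value becomes X-Client-IP in the else path below. Nothing in this hunk strips the header from untrusted sources, and the comment at the top of the hunk only asserts the precondition rather than where it is enforced. If that stripping happens earlier in the file, a pointer here would make the invariant auditable: `// X-Real-IP from untrusted sources is stripped above; only our own TLS terminators set it, so its absence means direct-to-port-80`. If it does not happen earlier, the guard should be tightened before this change lands. The enclosing if/else chain continues outside the hunk.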
@@ -440,7 +439,8 @@
// least XRIP at the end, possibly prepended by other addrs
// set externally by some proxy.
set req.http.X-Client-IP = req.http.X-Real-IP;
- set req.http.X-Trusted-Proxy = netmapper.map("proxies",
req.http.X-Real-IP);
+ unset req.http.X-Real-IP;
+ set req.http.X-Trusted-Proxy = netmapper.map("proxies",
req.http.X-Client-IP);
// normalize to boolean post-netmapper (varnish-3.0.4...)
if (req.http.X-Trusted-Proxy == "") {
unset req.http.X-Trusted-Proxy;
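Review bot: The `unset req.http.X-Real-IP;` on the new side sits between the copy into X-Client-IP and the netmapper lookup, which makes the "copy, then map" sequence harder to read and gives no hint that the unset is the point of the change; moving it after the X-Trusted-Proxy normalization block, with a comment, would read better: `// XRIP has served its purpose (seeding XCIP); drop it so it never reaches the applayer`. Note that from this point on any later VCL in this or included templates that still references req.http.X-Real-IP (logging, vcl_deliver, backend-side subroutines) will see it unset — the diff removes it only on this branch, so it is worth confirming nothing downstream re-reads or re-sets it. The enclosing else branch starts outside the hunk.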
@@ -477,24 +477,14 @@
}
// From this (very early) point forward, regardless of cache tier/layer:
- // client.ip ->
- // the network-level source address, hop-by-hop - could be an
- // internal address within our infrastructure as we traverse
- // various cache/proxy layers.
- // req.http.X-Real-IP ->
- // the network-level source address when this request first
- // entered our public traffic infrastructure at the edge, with no
- // other decoding. Could still be a trusted external proxy.
- // req.http.X-Trusted-Proxy ->
- // If X-Real-IP mapped to the address of a trusted proxy in our
- // "proxies" database (such as OperaMini), this will be the
- // official name of the trusted proxy. Otherwise it will be unset
- // (boolean false).
// req.http.X-Client-IP ->
- // Iff XTP above is set, *and* the trusted-proxy-supplied X-F-F
- // had a legitimate-looking address at the end, X-Client-IP will
- // contain the claimed client IP directly behind the trusted
- // proxy. Otherwise this will alias X-Real-IP.
+ // This is our standard notion of the Client/UA's real IP, after
+ // decoding XFF for our internal infrastructure addresses as well
+ // as any trusted proxies.
+ // req.http.X-Trusted-Proxy ->
+ // If the traffic pass through a trusted proxy in our "proxies"
+ // database (such as OperaMini), this will be the official name of
+ // the trusted proxy. Otherwise it will be unset (boolean false).
// req.http.X-Carrier ->
// If X-Client-IP matches a network in our "carriers" database,
// this will contain the MCC-MNC code for that carrier. Otherwise
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I550bcaf31de54a20181bcce54ddf9e69997ec959
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>