Last modified: 2010-05-15 15:37:20 UTC
It seems that MediaWiki records the IP address of a user's
transparent proxy if they are behind one instead of the
actual user's IP address.
I believe that the HTTP_REFERRER tag can be used to pick up a
client's IP address even if behind a transparent proxy.
We only get the IP address that's exposed to us. X-Forwarded-For headers added by
proxies are not reliable; often they may be missing, and they are easy to forge,
becoming a security issue if relied upon.
For specific known-good proxies, sometimes we may add them to our list of known proxies
by which the headers are checked. For your own site, try adding them to
It is just frustrating when phpBB and the like get the
true IP, yet MediaWiki picks up the proxy's IP (which in
the case of a transparent proxy is improper).
Would you prefer it when any vandal can fake their IP address with a completely false
They can do so using an anonymous proxy anyway. It is not
common practice to record the transparent proxy's IP
address. That is why they are transparent proxies because
you can see the client through them.
The proxy would be, in fact, their actual IP address.
Not so with a transparent proxy. So much so when I visit
my own site the web server records my true IP address, yet
MediaWiki picks the proxy.
1) Is your own web site on the *inside* of the proxy?
2) If not, please provide the source code for the bit of the site that picks the
address, and I'll let you know if it's vulnerable to attack with false headers.
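
The known-proxy check discussed in this thread, as an added example that is not part of the original discussion and is not MediaWiki's code: the X-Forwarded-For header is consulted only while the hop that delivered it is on a trusted list, so a forged header from an arbitrary client is ignored. The function names and the `TRUSTED_PROXIES` addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed list of proxies the site operator trusts (documentation ranges).
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.10/32", "198.51.100.0/24")]


def is_trusted(addr):
    """True if addr parses as an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=None):
    """Return the address to record for a request.

    remote_addr is the TCP peer the web server saw; xff_header is the raw
    X-Forwarded-For value or None. Entries are read right to left, and each
    one is accepted only if the hop that reported it is a trusted proxy.
    """
    current = remote_addr
    if not xff_header:
        return current
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # an untrusted sender could have written anything further left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we can vouch for
        current = hop
    return current


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    for peer, xff in [("203.0.113.7", "10.1.2.3"),
                      ("192.0.2.10", "203.0.113.7"),
                      ("192.0.2.10", "1.2.3.4, 203.0.113.7")]:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```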