Last modified: 2010-05-15 15:37:20 UTC
It seems that MediaWiki records the IP address of a user's transparent proxy if they are behind one instead of the actual user's IP address. I believe that the HTTP_REFERRER tag can be used to pick up a client's IP address even if behind a transparent proxy.
We only get the IP address that's exposed to us. X-Forwarded-For headers added by proxies are not reliable; often they may be missing, and they are easy to forge, becoming a security issue if relied upon. For specific known-good proxies, sometimes we may add them to our list of known proxies by which the headers are checked. For your own site, try adding them to $wgSquidServersNoPurge.
It is just frustrating when phpBB and the like get the true IP, yet MediaWiki picks up the proxy's IP (which in the case of a transparent proxy is improper).
Would you prefer it when any vandal can fake their IP address with a completely false header?
They can do so using an anonymous proxy anyway. It is not common practice to record the transparent proxy's IP address. That is why they are transparent proxies, because you can see the client through them.
The proxy would be, in fact, their actual IP address.
Not so with a transparent proxy. So much so when I visit my own site, the web server records my true IP address, yet MediaWiki picks the proxy.
1) Is your own web site on the *inside* of the proxy? 2) If not, please provide the source code for the bit of the site that picks the address, and I'll let you know if it's vulnerable to attack with false headers. (Probably is.)
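An added example, not part of the thread and not MediaWiki's or phpBB's code: it contrasts the address-picking logic questioned in the last comment with the known-proxy check described in the second comment. The function names, the trusted-proxy list and all addresses are hypothetical; addresses are compared as plain strings, so the list must hold them in the same textual form the web server reports.

```php
<?php
// Added example. All names and addresses are hypothetical (documentation ranges).

// Naive: believes whatever the client sent. Any visitor can forge this header.
function naiveClientIp(string $remoteAddr, ?string $xff): string
{
    if ($xff === null || trim($xff) === '') {
        return $remoteAddr;
    }
    return trim(explode(',', $xff)[0]);
}

// Hardened: X-Forwarded-For is consulted only while the address that handed
// us the request is a proxy we operate or have explicitly listed as trusted.
function trustedClientIp(string $remoteAddr, ?string $xff, array $trustedProxies): string
{
    $hops = ($xff === null) ? [] : array_map('trim', explode(',', $xff));
    $ip = $remoteAddr;
    // Walk right to left: the rightmost entry was appended by the nearest proxy.
    while (in_array($ip, $trustedProxies, true) && $hops !== []) {
        $candidate = array_pop($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop at the last address we can vouch for
        }
        $ip = $candidate;
    }
    return $ip;
}

// Constructed sample requests: [label, REMOTE_ADDR, X-Forwarded-For].
$trusted = ['192.0.2.10'];
$cases = [
    ['via trusted proxy',            '192.0.2.10',    '198.51.100.7'],
    ['direct, forged header',        '203.0.113.50',  '10.1.2.3'],
    ['trusted proxy, forged prefix', '192.0.2.10',    '10.1.2.3, 203.0.113.50'],
    ['via unlisted proxy',           '198.51.100.99', '198.51.100.7'],
];
foreach ($cases as [$label, $remote, $xff]) {
    printf("%-30s naive=%-14s trusted=%s\n", $label,
        naiveClientIp($remote, $xff), trustedClientIp($remote, $xff, $trusted));
}
```

The last case is the situation the reporter describes: until the transparent proxy is added to the trusted list, the hardened function records the proxy's address rather than the header's claim.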