When handling requests, you are likely to come across several different possible scenarios when looking at the IP address section. This page aims to guide you through what the tool is trying to tell you.
When the tool receives a request from a newbie, the tool records the newbie's IP address as seen by the
server on which ACC runs. However, there is sometimes a proxy between the tool and the newbie - when
that is the case, the IP address seen by the server is that of the proxy, not the newbie. Some proxy
servers include a special header, known as X-Forwarded-For, in which they append the IP
address of the end user to this header before passing the request on. If there are multiple proxy
servers, multiple IP addresses get added to this header.
If there is no proxy server, this is what you would see:
This scenario, however, is not likely to ever appear for the simple reason that Wikimedia Cloud Services have placed their own proxy server in front of the tool. Thus, there will always be at least one proxy server.
When there is only the WMCS proxy in place, this is what you are likely to see something more like this:
This request came from 172.16.0.164, stating it was forwarded for 192.0.2.1 via the X-Forwarded-For HTTP header. The IP address which Wikipedia will see is the first "untrusted" IP address in the list below. Links are shown for all addresses starting from where the chain becomes untrusted. IPs past the first untrusted address are not trusted to be correct. Please see the XFF demo for more details.
| trusted |
172.16.0.164
Non-routable address Location unavailable |
|
| origin |
192.0.2.1
RDNS: client.users.example.org San Francisco, California, United States |
The above scenario has passed through one server we trust (172.16.0.164), and that
server
has indicated it received a request from 190.0.2.1. At this point, the XFF chain stops,
and we assume that 192.0.2.1 is the client's IP address.
We also augment each IP address with some extra information, including the estimated location of the IP address, and the reverse DNS name of the IP address. These can help give some indication of the type of IP address - whether it's a residential ISP, a hosting provider, or otherwise.
Occasionally, we will get a request from a user who is using a proxy service which we trust to provide accurate XFF headers. It's worth noting here that Wikimedia takes the XFF headers as truth where the provider of the XFF header is trusted. We use the same trust list here, but we display all the data anyway. The essence of it is that the last "trusted" IP address in the list will be the one that Wikimedia uses.
In this example, the user has passed through a trusted proxy provider before hitting the WMCS proxy. Both proxy servers are listed and marked as trusted, and we don't show the IP links for those trusted proxy servers.
This request came from 172.16.0.164, stating it was forwarded for 192.0.2.1, 198.51.100.123 via the X-Forwarded-For HTTP header. The IP address which Wikipedia will see is the first "untrusted" IP address in the list below. Links are shown for all addresses starting from where the chain becomes untrusted. IPs past the first untrusted address are not trusted to be correct. Please see the XFF demo for more details.
| trusted |
172.16.0.164
Non-routable address Location unavailable |
|
| trusted |
198.51.100.123
RDNS: trustedproxy.example.com Location unavailable |
|
| origin |
192.0.2.1
RDNS: client.users.example.org San Francisco, California, United States |
Conversely to the above, sometimes people will request an account from a proxy server which publishes the client IP address, but not one that we trust to be accurate.
As each server on the chain of proxies has the option to rewrite the entire XFF header, we should not use any entries from servers we don't trust. If we trust a server to not forge the XFF header, we can trust the next item in the chain is accurate, but no further. It is at this point that the trust chain breaks, and we start seeing lots of red flags.
This request came from 172.16.0.164, stating it was forwarded for 192.0.2.1, 198.51.100.234 via the X-Forwarded-For HTTP header. The IP address which Wikipedia will see is the first "untrusted" IP address in the list below. Links are shown for all addresses starting from where the chain becomes untrusted. IPs past the first untrusted address are not trusted to be correct. Please see the XFF demo for more details.
| trusted |
172.16.0.164
Non-routable address Location unavailable |
|
| untrusted |
198.51.100.234
RDNS: sketchyproxy.example.com Location unavailable |
|
| untrusted origin |
192.0.2.1
RDNS: client.users.example.org San Francisco, California, United States |
In this scenario, because we trust the first IP address, we can believe that it's correct in telling
us that 198.51.100.234 is indeed where the request has come from. However, we cannot
trust that server is telling the truth.
The second server is reporting that the third server exists, but Wikimedia will only believe that the client is on the second IP address, and so this is the IP address we should check. It is worth checking the third too, because it's possible that the trust lists between ACC and Wikimedia have drifted.
If someone really wants to play with the XFF headers, they are welcome to do so as they send in the request. If they're putting crazy things in the header, it's not outside the realm of possibility that something like this will occur:
This request came from 172.16.0.164, stating it was forwarded for 192.0.2.1, 198.51.100.234 via the X-Forwarded-For HTTP header. The IP address which Wikipedia will see is the first "untrusted" IP address in the list below. Links are shown for all addresses starting from where the chain becomes untrusted. IPs past the first untrusted address are not trusted to be correct. Please see the XFF demo for more details.
| trusted |
172.16.0.164
Non-routable address Location unavailable |
|
| trusted |
198.51.100.123
RDNS: trustedproxy.example.com Location unavailable |
|
| untrusted |
198.51.100.234
RDNS: sketchyproxy.example.com Location unavailable |
|
| untrusted trusted link |
198.51.100.124
RDNS: trustedproxy2.example.com Location unavailable |
|
| untrusted origin |
192.0.2.1
RDNS: client.users.example.org San Francisco, California, United States |
This example has three trusted servers - 172.16.0.164, 198.51.100.123, and
198.51.100.124. However, this indicates the breaking of the trust chain - because the
request passed through an untrusted server, we can't tell if the untrusted server is forging the information
leading to the trusted server. As such, we indicate that the 198.51.100.124 would be
trusted, had the trust chain not already been broken.
In this case, the IP address that Wikipedia will see is 198.51.100.234 - the first untrusted
IP address in the list.
The estimates of request volumes in this documentation is a vague guess only based on intuition of a long-term ACC user, and is quite likely to be inaccurate.
This documentation uses IP addresses in the RFC 1918 range 172.16.0.0/12 to represent internal Wikimedia IP addresses, and IP address in the RFC 5737 ranges 192.0.2.0/24 and 198.51.100.0/24 to represent external IP addresses. Both of these address blocks are not routable on the public internet, and thus do not have any privacy implications by being part of this documentation.