While working on proxymanager I noticed that proxylistener does not verify that a request originates from the Tools project. This allows project administrators in Labs who set up (custom) ident servers to manipulate all proxy forwards for https://tools.wmflabs.org/. But this is so unlikely and there is so little to gain from that that I think low priority is appropriate for this.
With the new DNS scheme, it's (relatively) easy to verify that an IP belongs to the Toolforge project:
- Look up the PTR record for the IP: 10.68.17.49 → tools-exec-1201.tools.eqiad.wmflabs.
- Check that the host name ends in .$labsproject.eqiad.wmflabs.
- Look up the A record for the host name: tools-exec-1201.tools.eqiad.wmflabs → 10.68.17.49.
- Check that both IPs are the same.
proxymanager currently has the same fault.
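
The four-step check listed above, sketched in Python as an added example (not code from proxylistener or proxymanager). The function names, the injectable lookup parameters and all sample zone data other than the 10.68.17.49 pair are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample zone data so the check can be exercised offline.
SAMPLE_PTR = {
    "10.68.17.49": "tools-exec-1201.tools.eqiad.wmflabs.",
    "10.68.20.5": "ident.otherproject.eqiad.wmflabs.",
    "10.68.99.7": "tools-exec-1201.tools.eqiad.wmflabs.",  # PTR with no matching A
}
SAMPLE_A = {
    "tools-exec-1201.tools.eqiad.wmflabs": ["10.68.17.49"],
    "ident.otherproject.eqiad.wmflabs": ["10.68.20.5"],
}

def sample_ptr(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip]

def sample_a(hostname):
    if hostname not in SAMPLE_A:
        raise socket.gaierror(socket.EAI_NONAME, "Name not known")
    return SAMPLE_A[hostname]

def system_ptr(ip):
    return socket.gethostbyaddr(ip)[0]        # PTR via the system resolver

def system_a(hostname):
    return socket.gethostbyname_ex(hostname)[2]  # all A records

def ip_belongs_to_project(ip, project, domain="eqiad.wmflabs",
                          ptr_lookup=system_ptr, a_lookup=system_a):
    """Forward-confirmed reverse DNS check; any lookup failure fails closed."""
    try:
        addr = ipaddress.ip_address(ip)
        # Step 1: PTR record for the IP.
        hostname = ptr_lookup(str(addr)).rstrip(".").lower()
        # Step 2: the leading dot stops "eviltools" matching project "tools".
        suffix = ".{}.{}".format(project, domain).lower()
        if not hostname.endswith(suffix):
            return False
        # Step 3: A record(s) for that host name.
        forward = {ipaddress.ip_address(a) for a in a_lookup(hostname)}
    except (OSError, ValueError):
        return False
    # Step 4: the requesting IP must be among the forward results.
    return addr in forward
```

The PTR answer alone is not trusted, because whoever controls the reverse zone for an address chooses its contents; the forward lookup in steps 3 and 4 is what ties the name back to the requesting IP.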