
Users editing from 127.0.0.1 (due to experimenting with ATS terminating TLS)
Closed, Resolved · Public

Description

When checking certain users (can give more info privately) via checkuser, it returns 127.0.0.1. Additionally, autoblocks are propagating from vandals to random other users due to the 127.0.0.1 edits.

This appears to only affect some logged-in users.

Sample response:

127.0.0.1 (block) (14:52, 23 September 2019 -- 15:12, 23 September 2019) [18] (~697 from all users)

This is on enwiki.

I cleared an autoblock on 127.0.0.1: https://en.wikipedia.org/w/index.php?title=Special:Log&offset=20190923192600&limit=1&type=&user=Reaper+Eternal

Event Timeline

Restricted Application added a subscriber: Aklapper. · Mon, Sep 23, 7:36 PM
ST47 added a subscriber: ST47. · Mon, Sep 23, 7:37 PM
SQL added a subscriber: SQL. · Mon, Sep 23, 7:40 PM
Restricted Application added a subscriber: MGChecker. · Mon, Sep 23, 7:41 PM
Anomie added a subscriber: Anomie. · Mon, Sep 23, 7:44 PM

I see cuc_xff resembles "$VALIDIP, 127.0.0.1, 10.128.0.127, 10.128.0.XXX, 10.192.0.XXX" for all of the entries with cuc_ip_hex = 7F000001 on enwiki. Note that 10.128.0.127 is present just after 127.0.0.1 in all instances.

I haven't checked other wikis.

I'm going to poke this at Traffic, since it seems unlikely that 127.0.0.1 is supposed to be showing up in XFF there. Is 10.128.0.127 somehow configured differently?

Restricted Application added a project: Operations. · Mon, Sep 23, 7:56 PM

Mentioned in SAL (#wikimedia-operations) [2019-09-23T19:57:53Z] <cdanis> T233657 ✔️ cdanis@cp4027.ulsfo.wmnet ~ 🕓🍵 sudo -i depool

10.128.0.127 is cp4027 which @Vgutierrez was using to experiment with ATS terminating TLS (see also T231627)

I've depooled it for now, which should stop this.

dmaza added a subscriber: dmaza. · Mon, Sep 23, 8:00 PM

> I've depooled it for now, which should stop this.

I confirm that new entries with 127.0.0.1 have stopped showing up in cu_changes on enwiki since the depool.

CDanis closed this task as Resolved. · Mon, Sep 23, 8:08 PM
CDanis claimed this task.
Aklapper renamed this task from "Users editing from 127.0.0.1" to "Users editing from 127.0.0.1 (due to experimenting with ATS terminating TLS)". · Mon, Sep 23, 8:32 PM
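
The cuc_xff pattern reported in this task, run through a generic right-to-left trusted-proxy resolver, with a check that flags loopback hops. This is an added example, not MediaWiki or Wikimedia code; the resolver logic, the trusted ranges and the sample addresses standing in for $VALIDIP and the XXX octets are assumptions.

```python
import ipaddress

# Constructed sample modelled on the cuc_xff pattern quoted in the task:
# 198.51.100.23 stands in for $VALIDIP, .5 and .9 for the redacted XXX octets.
SAMPLE_XFF = "198.51.100.23, 127.0.0.1, 10.128.0.127, 10.128.0.5, 10.192.0.9"

# Assumption: the internal proxy ranges the application trusts.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.128.0.0/16", "10.192.0.0/16")]


def parse_xff(header):
    """Split an X-Forwarded-For value into address objects, left to right."""
    return [ipaddress.ip_address(p.strip()) for p in header.split(",") if p.strip()]


def is_trusted(ip, trusted=TRUSTED):
    return any(ip in net for net in trusted)


def resolve_client(header, trusted=TRUSTED):
    """Walk the chain right to left and return the first hop that is not a
    trusted proxy; that address is what ends up logged and blocked."""
    chain = parse_xff(header)
    for ip in reversed(chain):
        if not is_trusted(ip, trusted):
            return ip
    return chain[0] if chain else None


def suspicious_hops(header):
    """Return (position, ip) for loopback, unspecified or link-local entries,
    which should never appear as a hop in a forwarded chain."""
    return [(i, ip) for i, ip in enumerate(parse_xff(header))
            if ip.is_loopback or ip.is_unspecified or ip.is_link_local]


def safe_client(header, trusted=TRUSTED):
    """Resolve the client, but refuse to attribute a request to a shared address."""
    ip = resolve_client(header, trusted)
    if ip is None or ip.is_loopback or ip.is_unspecified:
        raise ValueError(f"refusing to attribute request to {ip}; chain={header!r}")
    return ip
```

With the sample chain the resolver stops at 127.0.0.1 because loopback is not in the trusted set, so every user routed through that hop shares one address for logging and autoblocks; `safe_client` fails closed instead.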