
Request to add IP to Trusted XFF list
Open, Needs Triage, Public

Description

Hello,

I have previously communicated with @tstarling via email to have my IP added to the trusted-hosts list. I noticed changes have been made, so I am now creating a task on Phabricator.

The related changes have taken effect, and the following features can now be used normally by users:

Not affected by local bans. Users can edit normally as if using their own IP.
Special:CreateAccount
Special:MyContributions

However, there are still the following issues:

Users are still globally banned, with the message "You do not have permission to edit this page, for the following reason: One or more proxy servers used by your request is globally blocked. The blocked proxy address was 47.243.0.0/16."
Users are unable to reset their account. The Special:PasswordReset page displays "Internal error: Your IP address is blocked from editing. To prevent abuse, it is not allowed to use password recovery from this IP address."

Could you please advise me on how to resolve these issues?

Thank you.

Event Timeline

The wording "globally blocked" sounds like a real global block and there is one listed at https://meta.wikimedia.org/wiki/Special:GlobalBlockList?ip=47.243.0.0%2F16 for the range

It seems https://meta.wikimedia.org/wiki/Steward_requests/Global is the page to request unblock of the range, with the entry to TrustedXFF it should be trustable to do so. Maybe some stewards are already reading here and can help.

Also, there is only one IP address that has been added to the XFF list, not the whole /16...

Reedy changed the task status from Open to Stalled. Apr 21 2023, 8:44 PM

It seems https://meta.wikimedia.org/wiki/Steward_requests/Global is the page to request unblock of the range, with the entry to TrustedXFF it should be trustable to do so. Maybe some stewards are already reading here and can help.

Indeed. It's certainly not something that would be handled via Phabricator.

In T335176#8798993, @Reedy wrote:

It seems https://meta.wikimedia.org/wiki/Steward_requests/Global is the page to request unblock of the range, with the entry to TrustedXFF it should be trustable to do so. Maybe some stewards are already reading here and can help.

Indeed. It's certainly not something that would be handled via Phabricator.

Shouldn't any existing blocks be ineffective? Including local and global blocks. Why is it possible to bypass local blocks on the Chinese Wikipedia, but not global blocks?

AnYiLin changed the task status from Stalled to Open. Apr 22 2023, 12:50 AM

Addition: It is now possible to bypass the existing local blocks.

In T335176#8798649, @Umherirrender wrote:

The wording "globally blocked" sounds like a real global block and there is one listed at https://meta.wikimedia.org/wiki/Special:GlobalBlockList?ip=47.243.0.0%2F16 for the range

It seems https://meta.wikimedia.org/wiki/Steward_requests/Global is the page to request unblock of the range, with the entry to TrustedXFF it should be trustable to do so. Maybe some stewards are already reading here and can help.

In my email exchange with Tim Starling, we asked:
"Will any existing blocks or bans have no impact on these IPs?"
He confirmed that "Yes, your proxy will be treated similarly to Wikimedia cache servers. Existing bans will have no impact."

Therefore, regardless of whether the block is "real" or not, it should have no effect.

Okay, I tried again and now the situation is different.

I am able to edit and reset password normally on Meta-Wiki, but on the Chinese Wikipedia, I am still getting the message that my IP (47.243.0.0/16) is globally blocked.

I am not sure if this is because the extension on each wiki takes effect at different times.

As Reedy wrote, there is only one IP of the range now treated as a trusted XFF header, and no block check is done for this IP. Not sure if that is the current IP used for access through the proxy or if the proxy is using more IPs for load balancing.

Any local block of the user's IP may now show up instead of the proxy block.

Global blocks do not look for trusted XFF, if I understand the code correctly (no use of ProxyLookup::isTrustedProxy); all XFF are checked.

The local block is shown on https://zh.wikipedia.org/wiki/Special:ListBlock?wpTarget=47.243.0.0%2F16&uselang=en
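
The difference described in the comment above, as a simplified model (an added example, not MediaWiki or GlobalBlocking code): one check resolves the client address through a trusted-proxy list before looking up blocks, the other tests every hop in the chain. The function names and the client address 203.0.113.7 are assumptions; the proxy IP and the blocked range are the ones quoted in this task.

```python
import ipaddress

# Values taken from the thread; the client address below is constructed.
TRUSTED_PROXIES = {ipaddress.ip_address("47.243.198.62")}
BLOCKED_RANGES = [ipaddress.ip_network("47.243.0.0/16")]


def parse_chain(remote_addr, xff_header):
    """Return every hop, client first and the connecting peer last."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    return [ipaddress.ip_address(h) for h in hops + [remote_addr]]


def effective_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Walk the chain from the peer backwards and stop at the first hop
    that is not a trusted proxy. An untrusted peer is returned as-is, so
    a forged X-Forwarded-For from an unlisted host is never believed."""
    chain = parse_chain(remote_addr, xff_header)
    for hop in reversed(chain):
        if hop not in trusted:
            return hop
    return chain[0]  # every hop is a trusted proxy


def matching_block(ip, ranges=BLOCKED_RANGES):
    """Return the first blocked range containing ip, or None."""
    return next((net for net in ranges if ip in net), None)


def trust_aware_check(remote_addr, xff_header):
    """Block check applied only to the resolved client address."""
    return matching_block(effective_client_ip(remote_addr, xff_header))


def all_hops_check(remote_addr, xff_header):
    """Block check applied to every hop, with no trusted-proxy lookup."""
    for hop in parse_chain(remote_addr, xff_header):
        hit = matching_block(hop)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    peer, xff = "47.243.198.62", "203.0.113.7"  # constructed request
    print("trust-aware:", trust_aware_check(peer, xff))
    print("all hops:   ", all_hops_check(peer, xff))
```

In this model the trust-aware check lets the constructed client through while the all-hops check still reports 47.243.0.0/16, which matches the split between local and global blocks reported in this task.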

Let me describe the situation again.

Expected behavior: The IP address added to the trusted list (47.243.198.62) should not be affected by any bans, regardless of whether the IP range it belongs to (47.243.0.0/16) is banned or not.

Current status: Local bans for 47.243.198.62 on the Chinese Wikipedia can be bypassed, but it is still affected by global bans for 47.243.0.0/16. Everything is now working correctly on the Meta-Wiki (which was not the case when the task was originally created).

In T335176#8799183, @Umherirrender wrote:

As Reedy wrote, there is only one IP of the range now treated as a trusted XFF header, and no block check is done for this IP. Not sure if that is the current IP used for access through the proxy or if the proxy is using more IPs for load balancing.

I can assure you that it is only using the current IP because I have control over it.

Could it be because we use $wgApplyIpBlocksToXff = true; ?

As far as I can see only one IP was added to the trusted hosts whitelist. If it helps, I can reduce the block to anonymous users only, but I'd not remove the whole global rangeblock unless there are no more proxies in that range (or the proxies are in a narrower range, which we could then block instead).

Being able to exempt individual IPs or subranges of current global rangeblocks would be helpful as well. See: T42439 and T121098.

Mentioning @Urbanecm as fellow steward and with more experience on TrustedXFF than me.

In T335176#8801731, @MarcoAurelio wrote:

If it helps, I can reduce the block to anonymous users only, but I'd not remove the whole global rangeblock unless there are no more proxies in that range (or the proxies are in a narrower range, which we could then block instead).

Thank you very much. Let's just do it your way for now. Any bit of functionality is better than nothing.

But, the problem is that "users (including anonymous and registered users) are prompted that the IP is globally blocked," and "anonymous users only" is just treating the symptoms rather than the root cause, and the problem is not fully resolved. If possible, the block of 47.243.198.0/16 should be lifted and then blocks should be applied to 47.243.0.0/17, 47.243.128.0/18, 47.243.192.0/22, 47.243.196.0/23, 47.243.198.0/27, and so on.

Going back to the point, I think it's a bug with the relevant extension. Special:MyContributions can display the user's own IP, indicating that the xff header can be recognized, but when they try to edit a page, they are prompted and blocked in that way.

I just tested it out, and it turns out that even though "Special:MyContributions" can display the user's own IP correctly, on wikis other than the Meta-Wiki, anonymous users still cannot create accounts or reset passwords. I now have to redirect them to the corresponding page on the Meta-Wiki (which seems to be able to ignore the global block). I still have no solution to the issue of "users (including anonymous and registered users) not being able to edit pages."

I don't think changing the block to "anonymous users only" will solve this problem.

I believe the simplest solution, without changing any code, is to remove the global block on this IP. It's been four to five days already, so is there anything that can be done in the meantime? For example, could someone with the appropriate permissions look into the request? It seems to have been "ignored" due to this task and its related discussions.

I filed T335390 for the GlobalBlocking issue.

It has been a month, is there anyone who can take any of the above-mentioned solutions?

Even if the block is only changed to apply to anonymous users, it's better than doing nothing.

Thank you all.