Page MenuHomePhabricator
Create Task
Maniphest T89688

Varnish GeoIP is broken for HTTPS+IPv6 traffic
Closed, ResolvedPublic
Actions

Description

When accessing URLs over HTTPS from my IPv6 connection, I get the following header:

Set-Cookie: GeoIP=NL::52.3667:4.9000:v4; Path=/; Domain=.wikinews.org

I'm obviously not in the Netherlands — this is geolocating esams' IPs (the cookie was introduced in https://gerrit.wikimedia.org/r/#/c/119014/ ).

Non-HTTPS hits do not exhibit the same issue, nor are non-IPv6. This explains why this has gone undetected for as long as it has.

Related Objects
Search...

Event Timeline

faidon created this task.Feb 17 2015, 12:32 AM
faidon assigned this task to BBlack.
faidon raised the priority of this task from to Medium.
faidon updated the task description. (Show Details)
faidon added projects: acl*sre-team, Varnish.
faidon subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 17 2015, 12:32 AM
Krenair subscribed.Feb 17 2015, 12:49 AM
Ottomata subscribed.Feb 17 2015, 4:21 PM

Hm, so this is an aside, but:
I would love it if we could figure out a way to standardize this algorithm across the organization. Analytics has at least one place where client ip extraction is done, and right now the algorithm is very naive. We should have a canonical implementation of this (maybe just in pseudo code on wikitech) that is the official way to get client ip out of XFF. Thoughts?

BBlack added a comment.Feb 17 2015, 6:24 PM

Well, we get different versions of XFF at different layers, and there are probably different considerations for whether we trust XFF's that came from the outside world, too. But the basics are to consider XFF + the real IP the XFF came in over as a stack of addresses, where the real IP is the virtual final element of the (possibly empty) list from XFF.

We have a pretty decent implementation in VCL for dealing with this from varnish-frontend's perspective for the Zero case that we could/should probably use everywhere to set our own custom internal header(s) to communicate the real client IP to MediaWiki and/or Analytics as appropriate. There are two views of that: one where we trust outside XFF-setting proxies, and one where we don't. It's probably ok to trust them for stats and GeoIP, but it might not be for other cases.

https://github.com/wikimedia/operations-puppet/blob/production/templates/varnish/zero.inc.vcl.erb#L13

Ottomata added a comment.Feb 17 2015, 6:27 PM

we could/should probably use everywhere to set our own custom internal header(s) to communicate the real client IP to MediaWiki and/or Analytics as appropriate.

That would be amazingly useful!

Yurik subscribed.Feb 18 2015, 4:04 PM

X-Analytics=ip=..... , and as discussed before, we should do T89838 to make proxy IP management easier

BBlack mentioned this in rOPUP6603527d8d75: varnish: fix GeoIP's get_relevant_ip function.Feb 19 2015, 6:01 PM
BBlack added a project: Traffic.Apr 22 2015, 2:42 PM
BBlack set Security to None.
Ottomata unsubscribed.May 1 2015, 8:25 PM
BBlack closed this task as Resolved.Nov 12 2015, 4:28 PM

Basic isssue here seems resolved with https://gerrit.wikimedia.org/r/#/c/252442/ . Obviously, we still don't have good v6 data, but that's the mmdb upgrade in T99226

Yurik mentioned this in T116678: Country mapping routine for proxied requests.Nov 13 2015, 6:51 AM
BBlack moved this task from Backlog to Done on the Traffic board.Nov 30 2015, 6:02 PM
Nemo_bis added a parent task: T100902: Get rid of geoiplookup service.Aug 18 2016, 5:44 AM
Nemo_bis added a project: HTTPS.
Nemo_bis updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits