While working on `proxymanager` I noticed that `proxylistener` does not verify that a request originates from the Tools project. This allows project administrators in Labs who set up (custom) `ident` servers to manipulate all proxy forwards for https://tools.wmflabs.org/. //But// this is so unlikely and there is so little to gain from that that I think low priority is appropriate for this.
With the new DNS scheme, it's (relatively) easy to verify that an IP belongs to the #Tool-Labs project:
1. Look up the `PTR` record for the IP: `10.68.17.49` → `tools-exec-1201.tools.eqiad.wmflabs`.
2. Check that the host name ends in `.$labsproject.eqiad.wmflabs`.
3. Look up the `A` record for the host name: `tools-exec-1201.tools.eqiad.wmflabs` → `10.68.17.49`.
4. Check that both IPs are the same.
`proxymanager` currently has the same fault.