Talk:2012-8-30 IP/banning issue

uh, what just happened? did it happen by man error on our side or what? yoko5000 (Contributions &bull; Message) 01:29, August 30, 2012 (EDT)


 * The wiki's routing all the traffic thru one IP (we think its the wiki firewall). You need to join us on the IRC! Yawgmoth ( IRC &bull; Message )  01:36, August 30, 2012 (EDT)



Situation Update:

The wiki server is operating on a 255.0.0.0 subnet and listing all users as the same IP. The wiki's been routing all the IP's thru a firewall/filter all day. So when one spammer got banned, it auto flagged the next editor as the same spammer as all editors shared IPs.

Earlier today when blocked, it pulled the flag (not his fault OFC), and it autoflagged ALL editors who had the same IP, which... was all of us. We changed the notice on Home, to reflect that its sorta fixed, but we cant be sure. If you plug into the Get Users portion of the check edits, you will see everybody is listed. So, we admins just shouldnt be banning any user till we have further confirmation.

See also DDO wiki talk:Blocking policy. I think what is needed now to establish this policy, kind of soonish. Xevo's input is must on this one too. yoko5000 (Contributions &bull; Message) 05:56, August 30, 2012 (EDT)



Any IP in the range 10.0.0.0/255.0.0.0 is reserved for private use only, so my guess is that the web traffic to ddowiki.com ( resolving to 209.114.50.105 ) is either getting natted inbound to a web server or getting directly delivered ( end result doesnt matter which of those is happening ) and that web server is acting as a reverse proxy to then pull the web page from the actual web server. The actual web server will treat traffic as having come from the source IP address of 10.183.250.133. Looking at the contribution log for that IP, it looks like it went in to place 2012-08-27 before 10:54 AM. Now, the actual source IP of the requestor can be determined if the reverse proxy is set up correctly, and the web server is looking at the proper variable, so it is possible that this set up has been in place for a long time, and a setting changed recently which caused the web server to use the wrong source address. In either case, I looked very briefly at the mediawiki code used to determine if a given edit should be blocked or not ( mediawiki/includes/User.php and mediawiki/includes/Block.php ). User.php function getBlockedStatus calls Block::newFromTarget(...), newFromTarget scans database table ipblocks and returns whether ip is blocked or not. I'm going to look in to this further today to see if i can write a patch to update the query to treat users created before a certain date as valid no matter which IP is reported to the function. I dont really think modifying out of the box code is the best approach, but perhaps with a little bit of work a new feature for the source can be published upstream and it might make it in to future releases. Joenuts Message)



I tested in an environment which has a computer behind a reverse proxy accessing an internal web server running mediawiki. Prior to updating the proxy settings for mediawiki, the log shows activity as having come from the reverse proxy directly ( we dont care what IP is logged on our system as it's all internal ). After changing the proxy settings in the configuration file, the IP of the individual workstation is now logged rather than the address of the reverse proxy, which is I think what might need to happen for ddowiki.

Proxy settings for mediawiki /mediawiki/LocalSettings.php

$wgUsePrivateIPs = true;

$wgSquidServersNoPurge = array( 10.183.250.133 );

Of course, if there are additional (reverse) proxy servers the IPs will need to be added, and I dont know if you will want to use private IPs, change to false and test. Joenuts Message)