[MediaWiki-commits] [Gerrit] Allow XFF spoofing from the trusted IPs - change (operations/puppet)

2013-05-02 Thread Yurik (Code Review)
Yurik has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/62103


Change subject: Allow XFF spoofing from the trusted IPs
..

Allow XFF spoofing from the trusted IPs

In order to do automated testing of the varnish+zero configurations,
allow test frameworks to spoof source IP so that varnish would treat
request as if coming from a Zero carrier.

Change-Id: I25e2b0bf01bac1f2739f90efa3725e18e4494a01
---
M templates/varnish/mobile-frontend.inc.vcl.erb
1 file changed, 5 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/03/62103/1

diff --git a/templates/varnish/mobile-frontend.inc.vcl.erb 
b/templates/varnish/mobile-frontend.inc.vcl.erb
index 6c16ffb..069cbf8 100644
--- a/templates/varnish/mobile-frontend.inc.vcl.erb
+++ b/templates/varnish/mobile-frontend.inc.vcl.erb
@@ -513,9 +513,11 @@
 }
 
 sub vcl_recv {
-   /* if the request comes from Opera Mini's accelerating proxies, grab
-* XFF Header and replace client ip value */
-   if (client.ip ~ opera_mini) {
+   /* if the request comes from Opera Mini's accelerating proxies, or it 
came
+* from the allowed_xff ip range and the XFF header is set,
+* replace client ip value with the XFF Header
+*/
+   if (req.http.X-Forwarded-For && (client.ip ~ opera_mini || client.ip ~ 
allow_xff)) {
C{
struct sockaddr_storage *client_ip_ss = VRT_r_client_ip(sp);
struct sockaddr_in *client_ip_si = (struct sockaddr_in *) 
client_ip_ss;
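
Review bot: The new condition in `vcl_recv` matches `client.ip ~ allow_xff`, but no `acl allow_xff` is declared in this patch set (the diffstat's 5 insertions are all in this hunk), so unless that ACL already exists elsewhere in the template the VCL will not compile. Declare the ACL in this change, next to the other `acl` blocks, with a comment saying whose addresses it lists and that membership means the X-Forwarded-For header is trusted. The comment also calls the range `allowed_xff` while the code uses `allow_xff`; use one name.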

-- 
To view, visit https://gerrit.wikimedia.org/r/62103
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I25e2b0bf01bac1f2739f90efa3725e18e4494a01
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yurik 

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] Allow XFF spoofing from the trusted IPs - change (operations/puppet)

2013-05-26 Thread Faidon (Code Review)
Faidon has submitted this change and it was merged.

Change subject: Allow XFF spoofing from the trusted IPs
..


Allow XFF spoofing from the trusted IPs

In order to do automated testing of the varnish+zero configurations,
allow test frameworks to spoof source IP so that varnish would treat
request as if coming from a Zero carrier.

Change-Id: I25e2b0bf01bac1f2739f90efa3725e18e4494a01
---
M templates/varnish/mobile-frontend.inc.vcl.erb
1 file changed, 13 insertions(+), 3 deletions(-)

Approvals:
  Faidon: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/templates/varnish/mobile-frontend.inc.vcl.erb 
b/templates/varnish/mobile-frontend.inc.vcl.erb
index d094fc2..fbbf6be 100644
--- a/templates/varnish/mobile-frontend.inc.vcl.erb
+++ b/templates/varnish/mobile-frontend.inc.vcl.erb
@@ -9,6 +9,14 @@
 
 include "device-detection.inc.vcl";
 
+acl carrier_testing {
+   "216.38.130.160"/28;// WMF office
+   "208.80.152.165";   // fenari
+   "2620:0:860:2:21e:c9ff:feea:ab95";  // fenari
+   "208.80.154.149";   // bast1001
+   "2620:0:861:2:7a2b:cbff:fe09:11ba"; // bast1001
+}
+
 acl carrier_dtac {
"1.46.0.0"/15;
"103.1.164.0"/22;
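
Review bot: `acl carrier_testing` has no comment saying what membership grants, and it is named like the carrier ranges that follow it (`acl carrier_dtac`) although it is a trust list: per the `vcl_recv` hunk in this patch, a request from any of these addresses has its client IP replaced from X-Forwarded-For. Add a comment above the ACL stating that these are test sources whose XFF header is trusted, and keep the list to the individual hosts that run the tests where possible, since the first entry (`"216.38.130.160"/28`) extends that trust to a whole /28.
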
@@ -428,9 +436,11 @@
 }
 
 sub vcl_recv {
-   /* if the request comes from Opera Mini's accelerating proxies, grab
-* XFF Header and replace client ip value */
-   if (client.ip ~ opera_mini) {
+   /* In case the XFF header is present, trust it in case it comes from
+* Opera Mini's accelerating proxies, or from a carrier_testing ip 
range,
+* and replace client ip value with the first value from the XFF Header
+*/
+   if (req.http.X-Forwarded-For && (client.ip ~ opera_mini || client.ip ~ 
carrier_testing)) {
set req.http.X-Orig-Client-IP = client.ip;
C{
struct sockaddr_storage *client_ip_ss = VRT_r_client_ip(sp);
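
Review bot: The guard in `vcl_recv` only tests that `req.http.X-Forwarded-For` exists, while the comment promises the client IP is replaced with "the first value from the XFF Header"; the inline C that parses the header is outside the visible context, so confirm it leaves the client IP untouched when that first value is empty or does not parse as an address. The comment would also read better without the doubled "in case", for example "If XFF is present and the request comes from Opera Mini's proxies or a carrier_testing address, replace the client IP with the first XFF value".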

-- 
To view, visit https://gerrit.wikimedia.org/r/62103
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I25e2b0bf01bac1f2739f90efa3725e18e4494a01
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yurik 
Gerrit-Reviewer: Andrew Bogott 
Gerrit-Reviewer: Asher 
Gerrit-Reviewer: Dfoy 
Gerrit-Reviewer: Dr0ptp4kt 
Gerrit-Reviewer: Faidon 
Gerrit-Reviewer: Mark Bergsma 
Gerrit-Reviewer: MaxSem 
Gerrit-Reviewer: Ryan Lane 
Gerrit-Reviewer: Tim Starling 
Gerrit-Reviewer: Yurik 
Gerrit-Reviewer: awjrichards 
Gerrit-Reviewer: jenkins-bot
