not handling X-Forwarded-For properly



7 years ago
5 years ago


(Reporter: reed, Assigned: nmaul)


Details is showing internal IPs/hosts for commenters on posts rather than their real IP. Guessing the list of valid proxy servers is not configured correctly in WPMU so X-Forwarded-For is getting ignored (or whatever header is supposed to be used).
Specifically, I'm seeing:

Author : offshore bank account (IP: ,

Comment 2

7 years ago
Judging by some comments I see, I think this stopped working properly when moved from SJC1 to PHX1. Either Zeus or the Netscaler in SJC1 was tweaking X-Forwarded-For, and WordPress was configured to pick up on this and use it instead.

However, Zeus in PHX1 was not configured to touch X-Forwarded-For. By default, it instead adds an X-Cluster-Client-IP header. I have added a chunk to the wp-config.php to use this header if it exists... we can configure Zeus to also mess with X-Forwarded-For, but it seems more future-proof to make WordPress deal with *both* scenarios, so that's what I've attempted. This will work on any Zeus cluster right out of the box with no special rules, or on anything that munges X-Forwarded-For.

I waited around a few minutes after deploying, and eventually a spam comment came in for the main blog. It shows an external IP, so this appears to be fixed!

Thanks for catching this. :)
Assignee: server-ops → nmaul
Last Resolved: 7 years ago
Resolution: --- → FIXED
Component: Server Operations: Web Operations → WebOps: Other
Product: → Infrastructure & Operations
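
One way to write the kind of wp-config.php chunk Comment 2 describes, as an added example (not the code deployed for this bug): it honours X-Cluster-Client-IP or X-Forwarded-For only when the TCP peer is a known proxy, because on a direct connection both headers are client-controlled. The `10.0.0.0/8` range, the function names, and the assumption that the proxy overwrites any client-sent X-Cluster-Client-IP are illustrative.

```php
<?php
// Added example, not the code deployed for this bug. IPv4 only.
// ASSUMPTION: constructed placeholder range for the load balancers' addresses.
$trusted_proxies = array('10.0.0.0/8');

// True if $ip falls inside any of the CIDR ranges in $cidrs.
function is_trusted_proxy($ip, array $cidrs) {
    $ip_long = ip2long($ip);
    if ($ip_long === false) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        list($subnet, $bits) = explode('/', $cidr);
        $subnet_long = ip2long($subnet);
        if ($subnet_long === false) {
            continue; // skip malformed config entries
        }
        $mask = -1 << (32 - (int) $bits);
        if (($ip_long & $mask) === ($subnet_long & $mask)) {
            return true;
        }
    }
    return false;
}

// Returns the address to record for the commenter.
function resolve_client_ip(array $server, array $cidrs) {
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!is_trusted_proxy($peer, $cidrs)) {
        return $peer; // direct connection: ignore forwarding headers
    }
    // Zeus default header first (assumed to be overwritten by the proxy).
    $cluster = isset($server['HTTP_X_CLUSTER_CLIENT_IP']) ? trim($server['HTTP_X_CLUSTER_CLIENT_IP']) : '';
    if (filter_var($cluster, FILTER_VALIDATE_IP)) {
        return $cluster;
    }
    // X-Forwarded-For: walk right to left and take the first hop that is
    // not one of our proxies; entries further left are client-supplied.
    $xff = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            break; // malformed entry: stop and fall back to the peer
        }
        if (!is_trusted_proxy($hop, $cidrs)) {
            return $hop;
        }
    }
    return $peer;
}

$_SERVER['REMOTE_ADDR'] = resolve_client_ip($_SERVER, $trusted_proxies);
```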