Improve user IP address detection for mobile users

Google offers a mobile proxy service which makes IP addresses far less likely to be unique. I was very surprised to find the forum had found several users with the same IP addresses and all were unknowing users of the following service
https://developer.chrome.com/multidevice/data-compression

The result is that the IP address is not correct on the forum. The solution is simple enough, just use the x-forwarded-for header as described in the linked document.

2 Likes

Unfortunately, using the contents of X-Forwarded-For on connections from random IP addresses is a significant security risk, as it allows attackers to mask their true source – since that header is client-controlled, an attacker can set it to whatever they like, and the webserver will use it instead of the real source IP.

Standard practice is for proxy providers (such as Google) who run well-administered proxies that don’t allow X-Forwarded-For forging, to publish the IP address blocks they control from which such proxied traffic can originate, so that origin server operators can whitelist those address ranges and accept X-Forwarded-For for connections coming from those addresses. If and when Google publishes such a list, we’ll certainly use it in our hosted Discourse system, and we can look at adding the config to enable it for all Discourse instances (as we already do for Cloudflare, for example).

6 Likes
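The two posts above describe the same mechanism from both sides: the original post wants X-Forwarded-For honoured, the reply explains it may only be honoured when the connection arrives from a proxy range the operator has chosen to trust. The following is an added example of that whitelist approach in Ruby; it is not Discourse's own code, and the trusted ranges are constructed placeholders (documentation and private address blocks), not Google's real proxy ranges, which the thread notes had not been published.

```ruby
require 'ipaddr'

# Constructed list of proxy ranges this server chooses to trust. These are
# placeholder documentation/private blocks, not any real provider's ranges.
TRUSTED_PROXY_RANGES = [
  IPAddr.new('203.0.113.0/24'),  # stands in for a published proxy-provider block
  IPAddr.new('2001:db8::/32'),   # stands in for that provider's IPv6 block
  IPAddr.new('10.0.0.0/8')       # our own internal load-balancer tier
].freeze

# True if the address falls inside one of the trusted proxy ranges.
# Unparseable input is never trusted.
def trusted_proxy?(ip, ranges = TRUSTED_PROXY_RANGES)
  addr = IPAddr.new(ip.to_s.strip)
  ranges.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Resolve the client IP from the TCP peer address and the raw X-Forwarded-For
# header (nil when absent). The chain is walked right to left, dropping every
# hop we trust; the first untrusted hop is the client. Anything to the left of
# it was written by parties we cannot verify and is ignored.
def resolve_client_ip(remote_addr, xff_header, ranges = TRUSTED_PROXY_RANGES)
  # A peer outside the whitelist may have written the header itself, so the
  # header is unverified client input and the peer address is the answer.
  return remote_addr unless trusted_proxy?(remote_addr, ranges)

  hops = xff_header.to_s.split(',').map(&:strip).reject(&:empty?)
  # Rightmost entries were appended by the proxies nearest to this server.
  hops.reverse_each do |hop|
    begin
      IPAddr.new(hop)
    rescue IPAddr::InvalidAddressError
      # Malformed entry: fall back to the peer address rather than use junk.
      return remote_addr
    end
    return hop unless trusted_proxy?(hop, ranges)
  end
  # Header empty or every hop trusted: the nearest real address is the peer.
  remote_addr
end
```

With this logic a client that sends its own X-Forwarded-For on a direct connection gets logged under its real peer address, while a request that arrived through a whitelisted proxy resolves to the address that proxy appended, even if the client prepended forged entries further left.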

It is a tough one, but I like your idea.

Since, AFAIK, Google just does this on plain HTTP, you can disable this side-effect by running with HTTPS. It's free now with Let's Encrypt!

1 Like