geoiplookup returns bad data over HTTPS
Closed, Resolved (Public)

Description

Author: kudu

Description:
When going to http://geoiplookup.wikimedia.org/, the utility returns correct data. However, when accessing https://geoiplookup.wikimedia.org/, it returns something like this, which isn't correct for my IP (in fact, it's totally different):

Geo = {"city":"San Francisco","country":"US","lat":"37.769699","lon":"-122.393303","IP":"208.80.152.21","netmask":"22"}

Version: unspecified
Severity: normal

Details

Reference
bz30330

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 11:49 PM)
bzimport set Reference to bz30330.

bugs wrote:

I can reproduce this issue. It looks like the HTTPS one is pulling something related to the office, and not the person viewing it.

Yes. This is known. Since HTTPS is set up as an SSL termination cluster the varnish servers for geoiplookup see the IP address of the SSL cluster, and not that of the client. To fix this I've patched the geoiplookup code to use the X-Forwarded-For header if the request is coming from one of the SSL cluster nodes.

One of the four varnish nodes in pmtpa is running this code, and therefore returns the correct data. I plan on pushing the change out to other nodes when I get back from Israel.

For more information about how things work, see:

http://wikitech.wikimedia.org/view/Https

(In reply to comment #2)

> Yes. This is known. Since HTTPS is set up as an SSL termination cluster the
> varnish servers for geoiplookup see the IP address of the SSL cluster, and not
> that of the client.

208.80.152.21 reverse-DNSes to yvon.wikimedia.org, which is a box in Tampa, right? Then it's a bit strange to me that geoip returns "San Francisco, CA" and a set of coordinates in Mission Bay (an area in SF). Is the geoip database (and possibly other DBs as well) misinformed as to the location of our datacenter and do they think that because we own the IP range, and we're in SF, the IP range is in SF?

(Not that this matters terribly, of course, it just jumped out at me.)

bump for Ryan to deploy now that he is back.

This should now be fixed. Try it out and let me know.

bugs wrote:

Working for me. Thanks, Ryan!

This is still broken for traffic going through esams:

http://geoiplookup.wikimedia.org/ :
Geo = {"city":"Assen","country":"NL","lat":"53.000000","lon":"6.550000","IP":"CENSORED","netmask":"CENSORED"}

https://geoiplookup.wikimedia.org/ :
Geo = {"city":"(null)","country":"NL","lat":"52.500000","lon":"5.750000","IP":"91.198.174.122","netmask":"24"}

IP resolves to maerlant.esams.wikimedia.org, which is not documented on wikitech but according to the server admin log seems to be the IPv6-v4 proxy in esams.
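
The fix described in this thread (honour X-Forwarded-For only when the request comes from an SSL cluster node) can be sketched as follows. This is an added example, not the geoiplookup patch or any Wikimedia code: the function names and allowlists are hypothetical, the client addresses are constructed from documentation ranges, and modelling the esams result as a proxy missing from the allowlist is an assumption the thread does not confirm.

```python
import ipaddress

# Proxy addresses quoted in the thread; treating them as the complete
# allowlists is an assumption made for this example.
PMTPA_ONLY = [ipaddress.ip_network("208.80.152.21/32")]
WITH_ESAMS = PMTPA_ONLY + [ipaddress.ip_network("91.198.174.122/32")]


def is_trusted(addr, trusted):
    """True if addr belongs to one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in trusted)


def client_ip(peer, xff, trusted):
    """Return the address to geolocate for one request.

    peer: TCP source address seen by the lookup service.
    xff:  raw X-Forwarded-For header value, or None.
    """
    # Direct or unknown sender: the header is client-controlled, ignore it.
    if not xff or not is_trusted(peer, trusted):
        return peer
    # Each trusted proxy appends the address it saw, so walk right to left.
    # The first untrusted hop is the client; entries left of it are unverified.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted(hop, trusted):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop trusting the header
    return peer


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header)
    requests = [
        ("203.0.113.7", None),                            # plain HTTP, direct
        ("203.0.113.7", "198.51.100.9"),                  # direct, forged header
        ("208.80.152.21", "198.51.100.9, 203.0.113.7"),   # via pmtpa SSL node
        ("91.198.174.122", "203.0.113.7"),                # via esams proxy
    ]
    for peer, xff in requests:
        print(peer, repr(xff), "->", client_ip(peer, xff, PMTPA_ONLY),
              "| with esams listed:", client_ip(peer, xff, WITH_ESAMS))
```

With the esams proxy absent from the allowlist, the last request resolves to the proxy's own address, which matches the symptom reported in the final comment.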