Mediawiki behind reverse proxy populates user IP address with proxy address

Question

I have apache running on a fw machine that reverse proxies different folders to different back end servers, and also wraps the connection in SSL. ...a fairly common setup.

Predictably, the backend mediawiki instance believes all access is coming from 1 IP, that of the reverse proxy. Since it's a significant part of mediawiki functionality that is lost, is it possible to pass the correct IP address for mediawiki to reference and use for user management and logging i.e. IP assertion? HTTP headers would make sense.

Answer 1

You could try the following module for apache

# yum info mod_extract_forwarded
Name        : mod_extract_forwarded
Arch        : x86_64
Version     : 2.0.2
Release     : 8.el6
Size        : 15 k
Repo        : epel
Summary     : Extract real source IP for forwarded HTTP requests
URL         : http://www.openinfo.co.uk/apache/
License     : ASL 1.1
Description : mod_extract_forwarded hooks itself into Apache's header parsing phase and looks
            : for the X-Forwarded-For header which some (most?) proxies add to the proxied
            : HTTP requests. It extracts the IP from the X-Forwarded-For and modifies the
            : connection data so to the rest of Apache the request looks like it came from
            : that IP rather than the proxy IP.

Answer 2

Absolutely.

If you are using mod_proxy_http, Apache is likely already sending the real IP in the X-Forwarded-For headers.

It looks like MediaWiki supports this out of the box by enabling a variable in your configuration:

$wgUsePrivateIPs = true;
$wgSquidServers = array( 'proxy fqdn', 'proxy ip address' );

More info: https://www.mediawiki.org/wiki/Manual:$wgUsePrivateIPs

Enabling this will tell MediaWiki to read the client IP from X-Forwarded-For headers.