Add special case to get_real_ip_addr() for additional proxy #1433
Labels: api change (affect the API and its responses), devops (building, running, deploying, environment stuff, handy utils, repository-related, engineer QoL, etc), logs and monitoring (logging, monitoring, alerting)
delphi.cmu.edu (128.2.25.162) is the hostname for our main website, but it also serves as a proxy to api.delphi.cmu.edu (aka api.covidcast.cmu.edu) for API requests. I believe this forwarding exists because the API server and the server for the website co-existed on the same machine in the past, and when their functionality was divided onto different hosts, we did not want to break old patterns used to access the API. Some client libraries and documentation still referred to the old hostname as recently as May 2023 (see #1164), and there are still some users who make API requests via that hostname.

This leads to some inaccuracy in the logs, as the "real" IP addresses of proxy users are not reported, but instead they all show up as "128.2.25.162". That also means that some proxy users could effectively DoS other proxy users due to the way we measure and enforce rate limiting (though users with API keys should be immune).
We can consider delphi.cmu.edu to be a trusted proxy in our chain... Add a special case to get_real_ip_addr() so that it uses "one level deeper" when the resulting IP would otherwise show up as "128.2.25.162". Some more explanation on this "depth" can be found here.
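As an added illustration of the "one level deeper" idea (this is example code written for this note, not the project's existing get_real_ip_addr() or any code from delphi-epidata): the function below walks the forwarding chain from the peer that actually connected to us back toward the client, skipping every hop that is a known trusted proxy. With only 128.2.25.162 in the trust list this is exactly the special case the issue asks for; it also generalizes to more than one trusted hop. The `TRUSTED_PROXIES` set, the `rate_limit_key` helper, and the 203.0.113.x / 198.51.100.x client addresses are assumptions and constructed sample values (RFC 5737 documentation ranges), not values from the deployment.

```python
from typing import Mapping, Iterable, Optional

# Address of delphi.cmu.edu, which forwards API requests to api.delphi.cmu.edu (from the issue).
DELPHI_PROXY = "128.2.25.162"

# Hypothetical trust list for this example; the real deployment may trust a different set of hops.
# Only hops in this set are ever "walked past"; anything else in X-Forwarded-For is client-controlled.
TRUSTED_PROXIES = frozenset({DELPHI_PROXY})


def _forwarded_chain(headers: Mapping[str, str], remote_addr: str) -> list:
    """Return the hop chain, client first, with the direct peer (remote_addr) appended last.

    Note: a plain dict is case-sensitive; a real framework header object (e.g. Flask's)
    would match "x-forwarded-for" as well.
    """
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    hops.append(remote_addr)
    return hops


def get_real_ip_addr(headers: Mapping[str, str], remote_addr: str,
                     trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Resolve the client IP, looking one level deeper for each trusted proxy in the chain.

    Walking from the right (the TCP peer) and stopping at the first untrusted hop means a
    client that connects directly cannot spoof its address via X-Forwarded-For: its own
    remote_addr is untrusted, so it is returned before any header value is consulted.
    """
    trusted = set(trusted_proxies)
    chain = _forwarded_chain(headers, remote_addr)
    for hop in reversed(chain):
        if hop not in trusted:
            return hop
    # Every hop was a trusted proxy; fall back to the direct peer rather than returning nothing.
    return remote_addr


def rate_limit_key(headers: Mapping[str, str], remote_addr: str,
                   api_key: Optional[str] = None) -> str:
    """Key used to bucket requests for rate limiting (hypothetical helper).

    Keyed users are bucketed by their key, so they are unaffected by shared proxy addresses;
    anonymous users are bucketed by the resolved client IP rather than the proxy's IP.
    """
    if api_key:
        return "key:" + api_key
    return "ip:" + get_real_ip_addr(headers, remote_addr)


if __name__ == "__main__":
    # Request relayed by delphi.cmu.edu on behalf of a constructed client address.
    print(get_real_ip_addr({"X-Forwarded-For": "203.0.113.7"}, DELPHI_PROXY))
    # Direct client trying to forge a header: the header is ignored.
    print(get_real_ip_addr({"X-Forwarded-For": "10.0.0.1"}, "203.0.113.7"))
```

Usage note: with the single-entry trust list the behaviour matches the issue's request (a peer of 128.2.25.162 with one forwarded hop resolves to that hop); passing a larger `trusted_proxies` set handles a chain where delphi.cmu.edu itself sits behind another trusted load balancer.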