February 10th, 2004

red sign


Ok, I posted this in the support forum, and they told me to post here instead :-)

I've had a long running problem with the "bind to IP address" feature simply logging me out of LJ when I was accessing the site through a squid proxy.

I finally tracked this down to the presence of the X-Forwarded-For header in the HTTP requests that squid is generating. Configuring squid to suppress this header fixes the problem.

This appears to be related to code in LiveJournal.pm, which looks at various headers including X-Forwarded-For, presumably in an attempt to get the original IP address from your front-end proxy servers.

Somehow the presence of this header in the original request (as seen by LJ) seems to confuse LJ's notion of what IP address I'm coming from.

This is clearly a bug (and a frustrating one, because the cause of the problem is not at all obvious to the user), though I realize probably not a high priority.

However, this also raises another concern: is it possible for someone to fool this code into thinking they're coming from an address of their choice, simply by adding appropriate headers to their HTTP request, and thus bypass the protection of the "bind to IP address" feature?


Update: Reported in Zilla as bug #1697. Technical discussion of this should probably take place there, rather than in comments here.