delphi.cmu.edu (128.2.25.162) is the hostname for our main website, but it also serves as a proxy to api.delphi.cmu.edu (aka api.covidcast.cmu.edu) for API requests. I believe this forwarding exists because the API server and the server for the website co-existed on the same machine in the past, and when their functionality was divided onto different hosts, we did not want to break old patterns used to access the API. Some client libraries and documentation still referred to the old hostname as recently as May 2023 (see https://github.com/cmu-delphi/delphi-epidata/pull/1164 ), and there are still some users who make API requests via that hostname.
This leads to some inaccuracy in the logs, as the "real" IP addresses of proxy users are not reported, but instead they all show up as "128.2.25.162". That also means that some proxy users could effectively DoS other proxy users due to the way we measure and enforce rate limiting (though users with API keys should be immune).
We can consider delphi.cmu.edu to be a trusted proxy in our chain... Add a special case to get_real_ip_addr() so that it uses "one level deeper" when the resulting IP would otherwise show up as "128.2.25.162". Some more explanation on this "depth" can be found here.
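A sketch of the special case proposed above, as an added example rather than code from the delphi-epidata repository. The signature, the `depth` parameter (the number of reverse proxies in front of the API) and the premise that delphi.cmu.edu appends the caller's address to `X-Forwarded-For` are all assumptions, and the sample addresses are constructed.

```python
import ipaddress

# Address of delphi.cmu.edu as given in the issue; the only trusted forwarder here.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("128.2.25.162")})


def _parse(value):
    """Return an ip_address object, or None if the entry is malformed."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def get_real_ip_addr(remote_addr, x_forwarded_for=None, depth=1, trusted=TRUSTED_PROXIES):
    """Pick the client address for logging and rate limiting (hypothetical signature).

    The chain is read client side first: X-Forwarded-For entries, then the TCP peer.
    Entries further left than the chosen position are client-controlled and ignored.
    """
    entries = [e.strip() for e in (x_forwarded_for or "").split(",") if e.strip()]
    hops = entries + [remote_addr]
    # Position `depth` proxies back from the TCP peer, clamped to the chain length.
    idx = max(len(hops) - 1 - depth, 0)
    # Special case: if that hop is the trusted proxy, go one level deeper when possible.
    if idx > 0 and _parse(hops[idx]) in trusted:
        idx -= 1
    # A malformed entry is not a usable rate-limit key; fall back to the TCP peer.
    return hops[idx] if _parse(hops[idx]) is not None else remote_addr


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("10.0.0.5", "198.51.100.9"),                         # direct API user
        ("10.0.0.5", "203.0.113.7, 128.2.25.162"),            # via delphi.cmu.edu
        ("10.0.0.5", "1.2.3.4, 203.0.113.7, 128.2.25.162"),   # spoofed left-most entry
    ]
    for peer, xff in samples:
        print(f"{xff!r:45} -> {get_real_ip_addr(peer, xff)}")
```

The trusted-proxy check applies only at the position fixed by `depth`, so a caller who writes "128.2.25.162" into their own header cannot shift which entry is selected.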