[CDB] Filter by country - version 1.0.19

[warmweer]

You are a newbie. I started in 2002.

warmweer: Joined: Fri Jul 04, 2003 8:34 am but I was using phpBB before that date (I looked it up some time ago but forgot exactly when I started messing around with phpBB)

[MarkDHamill]

Some notes as I look into this:

• HTTP_CF_CONNECTING_IP is a header added by Cloudflare. There are other CDNs out there and they probably add their own proprietary headers, although Cloudflare can be assumed to be the one most likely to be used. It's not practical to scan for every header a CDN might add.
• Both HTTP_CF_CONNECTING_IP and X_FORWARDED_FOR can return multiple IPs, separated by commas.
• Since I have Nord VPN, I've been testing the IPs it uses. When I pick a country like USA I get an IP that Maxmind determines is from the USA. So I wonder how good my assumption is that if the IP is not found in the Maxmind database it's from a VPN. In this context, a VPN only feature does not make any sense. The only way to know if it belongs to a VPN would be to subscribe to a service that knows which VPNs are IPs. Maxmind's VPN database costs money, so that's not an option. Does anyone know of a free database of VPN IPs?

Thoughts?

[3Di]

Proxies: https://lite.ip2location.com/ip2proxy-lite

Code: Select all

  $ip_keys =
    array(
      'HTTP_CF_CONNECTING_IP',  'HTTP_CLIENT_IP',            'HTTP_X_FORWARDED_FOR',
      'HTTP_X_FORWARDED',       'HTTP_X_CLUSTER_CLIENT_IP',  'HTTP_X_REAL_IP',
      'HTTP_X_COMING_FROM',     'HTTP_PROXY_CONNECTION',     'HTTP_FORWARDED_FOR',
      'HTTP_FORWARDED',         'HTTP_COMING_FROM',          'HTTP_VIA',
      'REMOTE_ADDR'
    );

Ref.: https://stackoverflow.com/questions/163 ... 5#52059045

[MarkDHamill]

Interesting. Hopefully that catches all the generic HTTP headers with possible IPs. So HTTP_X_FORWARDED_FOR is authoritative and X_FORWARDED_FOR is not? X_FORWARDED_FOR seems to be a thing:

https://en.wikipedia.org/wiki/X-Forwarded-For

[3Di]

You might find interesting also this function: https://www.php.net/manual/en/reserved. ... php#122495

[MarkDHamill]

Looks like the VPN only mode will have to be removed in the next release. I see no way to discern whether an IP belongs to a VPN without integrating a commercial database of such IPs, which is not allowed.

[EA117]

Looks like the VPN only mode will have to be removed in the next release. I see no way to discern whether an IP belongs to a VPN without integrating a commercial database of such IPs, which is not allowed.

Agreed; testing through PIA VPN confirmed the MaxMind country database knew about the address for all the of USA and non-USA exit points I tried:

Code: Select all

212.92.113.60   Netherlands   (MaxMind: NL)
89.238.137.38   UK Manchester (MaxMind: GB)
103.208.220.138 Japan         (MaxMind: JP)
196.52.60.21    AU Melbourne  (MaxMind: AU)
205.251.150.162 US Houston    (MaxMind: US)
193.37.252.126  US Florida    (MaxMind: US)
91.207.175.84   US California (MaxMind: US)

Fun while it lasted; if only in our imaginations. The ip2location appears to be a paid database just like MaxMind, in order to identify actual VPNs. Free lite database only identifies public HTTP proxies; and not VPNs, Tor exits, etc.

There are services like http://getipintel.net which aren't a "database", but give a free REST or Json API you can query, and is "free" so long as your queries per hour and per day stay under a defined limit. Probably suitable for a low-traffic site like mine, but doesn't seem really appropriate for trying to create "guaranteed VPN knowledge" in this extension either.

Hopefully that catches all the generic HTTP headers with possible IPs. So HTTP_X_FORWARDED_FOR is authoritative and X_FORWARDED_FOR is not? X_FORWARDED_FOR seems to be a thing: https://en.wikipedia.org/wiki/X-Forwarded-For

I believe what we're looking at in some of these is "the constant used to represent a string that contains the header name", versus the actual header name itself. e.g. "X-Forwarded-For" is the actual header that appears in the HTTP request itself; X_FORWARDED_FOR, HTTP_X_FORWARDED_FOR, and possibly others are just different environment- or namespace-specific constants used to refer to this same header.

The format of these other headers isn't known to me, and may each require their own research. For example, the actual "official" Forwarded: header (https://tools.ietf.org/html/rfc7239) has a completely unique format. (But like some other "official" standards on the Internet, might still be the least likely one to actually encounter.) It's agreed that the ones mentioned earlier potentially have a comma-separated list zero or more proxies the request has been forwarded through in addition to the original request.

[MarkDHamill]

I will search for both HTTP_X_FORWARDED_FOR and X_FORWARDED_FOR.

[MarkDHamill]

This is a back to the future edition: the VPN-only mode is gone because, well, it was based on a faulty assumption. Also gone temporarily due to the many language changes is the Dutch language pack.

As requested, this version allows for IPs to be in many HTTP headers aside from REMOTE_ADDR. All are checked. Since multiple IPs are possible, the security operates on the most paranoid approach: If any of the IPs are from a blocked country, access is denied.

A complete list of changes since the last version can be seen here.

The extension is also downgraded from Release Candidate to Beta due to the introduction of so many changes. It's not fair to call it feature complete at this time.

Download links are in the first post.

[EA117]

You too might have already seen viewtopic.php?f=496&t=2527936 and had the same thought. Filter by Country would be in the position to create a template variable for every page (or at least every page it wasn't filtered from handling) which reveals the information learned from the MaxMind database. e.g. At minimum the ISO country code, or maybe an array of all the information. In case a template author wanted to then make use of that information for other purposes.

Not saying that's the best solution for viewtopic.php?f=496&t=2527936, which maybe they would prefer a "site wants to use your location"-type prompt to get more accurate and potentially device GPS-based info. But just came to mind as "a possible additional feature" Filter by Country could have on the list for consideration, since it's seemingly "within easy reach." For what it's worth.

[MarkDHamill]

The purpose of this extension is mostly to block spam bots if they come principally from certain countries. It can be also used to allow in only those from other countries.

Connecting it to the navigator.geolocation function is an interesting idea because the browser has to ask for permission from the user to provide the geolocation. So presumably it means some human has taken action or denied action.

I don't recall if this works only with mobile device or if the browser makes an assumption. Do you know?

[EA117]

Connecting it to the navigator.geolocation function is an interesting idea because the browser has to ask for permission from the user to provide the geolocation. So presumably it means some human has taken action or denied action.

Agreed the "location" feature requires human consent at some level (either at the moment the site is accessed, or "in advance" by consenting to all such location requests), and is not appropriate for Filter by Country's purpose.

My suggestion / idea suggestion wasn't that Filter by Country was going to change how the extension attempts to identify the user or country.

The suggestion was that the country information Filter by Country is already using -- and already determining via MaxMind -- could be made available to the page templates. e.g. The extension simply making it's decision information available via {FILTER_BY_COUNTRY_ISO} or similar, in case a page template would like to make a decision based on the country that Filter by Country had determined.

e.g. In the case of the site wanting to provide alternate information or links based on whom was accessing the site, being able to know what Filter by Country had determined might provide part of a potential solution.

[MarkDHamill]

So if this extension were installed, another extension could use the information. In other words, FBC would become a dependent for other extensions.

Wouldn't my extension then need to publicly display the information for another extension to use it?

[EA117]

It was an idea which came to mind when seeing someone say "I wish I could present information based on where the user is." And thinking that even though Filter by Country went to great length to determine the country, that existing info/decision couldn't have been easily leveraged even if the board was already running Filter by Country.

I wasn't intending to make some kind of complicated or elaborate mechanism or change idea suggestion, though. Whether right or wrong, in my mind the suggestion was just "create a template variable that contains the info determined by Filter by Country." So that if someone wanted to leverage this information as part of the conditional decisions being made in the templates, they could do it.

I wasn't even thinking "for use by another extension", although that makes perfect sense too. Creating some kind of interface into Filter by Country that other extensions could invoke sounds more complicated though, and perhaps something to defer until there is someone who specifically intends to use it. But yes, in both cases (extensions or just templates), the intention is to make the "where is this visitor" information potentially knowable from outside of Filter by Country itself.

Sorry for the long discussion; really just meant for this to be an easy point to add to your "Hmm, maybe" list for future consideration.

[MarkDHamill]

I could certainly embed the country code somewhere in the HTML, perhaps in a HTML remark. Showing it on the screen I don't think serves much purpose, except as explaining why access is denied, which the extension already does. I guess I could attach it to a header or footer event and show some text like "Your county is the United States (US), as determined by the free MaxMind country code database." Think this would actually be of any value? I'm sure MaxMind would like more credit that being in a README.