Filtering multiple proxy server IPs #2055

Closed
robocoder opened this issue Feb 2, 2011 · 6 comments
@robocoder
Contributor

The current implementation relies on the user to configure the set of trusted proxy_host_headers and proxy_client_headers, and takes the last IP in a list.

Where there are multiple proxy server IPs, these IPs should be skipped, if any appear in the header.

Note: this isn't a typical use case, but is a feature that I've seen elsewhere (e.g., Drupal).

@robocoder
Contributor Author

Should support CIDR notation (previously suggested for SitesManager in #1775).

For example, CloudFlare's IP range is:

  • 204.93.240.0/24
  • 204.93.177.0/24
  • 199.27.128.0/21
  • 173.245.48.0/20

Expressing the last one using wildcards is very tedious, e.g., 173.245.48.*, 173.245.49.*, 173.245.50.*, 173.245.51.* ... etc ... 173.245.63.*

@robocoder
Contributor Author

This ticket will also handle the use case described in #2077 of filtering out private and reserved IP addresses, e.g.,

  • 10.0.0.0/8 (private)
  • 172.16.0.0/12 (private)
  • 192.168.0.0/16 (private)
  • 169.254.0.0/16 (auto-configuration)
  • 127.0.0.0/8 (loopback)
  • 224.0.0.0 - 239.255.255.255 (multicast)

@robocoder
Contributor Author

(In [4533]) fixes #1111 - add support for IPv6 addresses (tracking, anonymization, and exclusion)
fixes #2095 - add new anonymization hook (pre-heuristics)
fixes #2055 - optional IP filter when multiple proxies present
fixes #1775 - SitesManager: supports CIDR notation for IP exclusion

Notes:

  • Installer no longer checks for IPv6, so the related messages should be deleted from translations
  • IPv4 mapped addresses (e.g., ::ffff:127.0.0.1) are no longer re-mapped into IPv4 space
  • users who want to query IP addresses from MySQL directly can use the following SQL, but inet_ntoa() is limited to IPv4 addresses:
select inet_ntoa(conv(hex(location_ip), 16, 10)) from piwik_log_visit;

@robocoder
Contributor Author

The filter fails on IPv6 addresses because the IPv6 address in HTTP-X-Forwarded-Host is in square brackets.

The filter also fails on domain names because the filter assumes the list only contains IP addresses. (Regression)
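
Added example (not part of the original issue and not Piwik's code): one way to implement the filter this thread describes, in Python, covering CIDR ranges, bracketed IPv6 entries and non-IP entries such as domain names. The function names, the `remote_addr` and header arguments, and the `::1/128` entry are assumptions; the other trusted ranges are the ones quoted in the comments above.

```python
import ipaddress

# Sample operator configuration (assumption): ranges quoted in this issue.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "204.93.240.0/24", "204.93.177.0/24", "199.27.128.0/21", "173.245.48.0/20",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128",
)]

def parse_entry(token):
    """Return an ip_address for one header entry, or None if it is not an IP."""
    token = token.strip()
    if token.startswith("["):            # "[2001:db8::1]" or "[2001:db8::1]:443"
        token = token[1:].partition("]")[0]
    elif token.count(":") == 1:          # IPv4 with port, "198.51.100.7:8080"
        token = token.partition(":")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None                      # domain name, "unknown", empty, garbage

def is_trusted(ip):
    # Membership is False when the address and network versions differ.
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, forwarded_header):
    """Walk the forwarded chain right to left, skipping trusted proxies."""
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return str(peer)                 # direct peer: header is client-supplied
    candidate = peer
    for token in reversed(forwarded_header.split(",")):
        ip = parse_entry(token)
        if ip is None:
            break                        # non-IP entry: keep the last good address
        candidate = ip
        if not is_trusted(ip):
            break                        # first untrusted hop is the client
    return str(candidate)
```

Entries to the left of the first untrusted address are never consulted, so a value the client prepends to the header cannot replace the address the nearest trusted proxy recorded.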

@robocoder
Contributor Author

(In [4539]) refs #2055 - add unit tests

@robocoder
Contributor Author

(In [4540]) fixes #2055

This issue was closed.