Opened 3 years ago

Closed 3 years ago

#2055 closed Bug (fixed)

Filtering multiple proxy server IPs

Reported by: vipsoft Owned by: vipsoft
Priority: low Milestone: 1.4 - Piwik 1.4
Component: Core Keywords:
Cc: Sensitive: no

Description

The current implementation relies on the user to configure the set of trusted proxy_host_headers and proxy_client_headers, and takes the last IP in a list.

Where there are multiple proxy server IPs, these IPs should be skipped, if any appear in the header.

Note: this isn't a typical use case, but is a feature that I've seen elsewhere (e.g., Drupal).

Change History (7)

comment:1 Changed 3 years ago by vipsoft (robocoder)

  • Milestone changed from Feature requests to 1.x - Piwik 1.x
  • Owner set to vipsoft

Should support CIDR notation (previously suggested for SitesManager in #1775).

For example, CloudFlare's IP range is:

  • 204.93.240.0/24
  • 204.93.177.0/24
  • 199.27.128.0/21
  • 173.245.48.0/20

Expressing the last one using wildcards is very tedious, e.g., 173.245.48.*, 173.245.49.*, 173.245.50.*, 173.245.51.* ... etc ... 173.245.63.*

comment:2 Changed 3 years ago by vipsoft (robocoder)

This ticket will also handle the use case described in #2077 of filtering out private and reserved IP addresses, e.g.,

  • 10.0.0.0/8 (private)
  • 172.16.0.0/12 (private)
  • 192.168.0.0/16 (private)
  • 169.254.0.0/16 (auto-configuration)
  • 127.0.0.0/8 (loopback)
  • 224.0.0.0 - 239.255.255.255 (multicast)

comment:3 Changed 3 years ago by vipsoft (robocoder)

  • Milestone changed from 1.x - Piwik 1.x to 1.3 - Piwik 1.3

comment:4 Changed 3 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

(In [4533]) fixes #1111 - add support for IPv6 addresses (tracking, anonymization, and exclusion)
fixes #2095 - add new anonymization hook (pre-heuristics)
fixes #2055 - optional IP filter when multiple proxies present
fixes #1775 - SitesManager: supports CIDR notation for IP exclusion

Notes:

  • Installer no longer checks for IPv6, so the related messages should be deleted from translations
  • IPv4 mapped addresses (e.g., ::ffff:127.0.0.1) are no longer re-mapped into IPv4 space
  • users who want to query IP addresses from MySQL directly can use the following SQL, but inet_ntoa() is limited to IPv4 addresses:
    select inet_ntoa(conv(hex(location_ip), 16, 10)) from piwik_log_visit;
    
  • Windows: IPv6 inet_pton()/inet_ntop() not supported until php 5.3; see #2351

comment:5 Changed 3 years ago by vipsoft (robocoder)

  • Resolution fixed deleted
  • Status changed from closed to reopened

The filter fails on IPv6 addresses because the IPv6 address in HTTP-X-Forwarded-Host is in square brackets.

The filter also fails on domain names because the filter assumes the list only contains IP addresses. (Regression)

comment:6 Changed 3 years ago by vipsoft (robocoder)

(In [4539]) refs #2055 - add unit tests

comment:7 Changed 3 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [4540]) fixes #2055
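
The filtering this ticket asks for, as an added example (not Piwik's code, which is PHP): walk the forwarded list from the right, skip entries that fall inside the trusted proxy ranges given in CIDR notation, and tolerate the bracketed IPv6 literals and hostnames that comment:5 reports. The function names and the choice to return a hostname unchanged are assumptions of this example; the ranges are the ones quoted in comment:1 and comment:2.

```python
import ipaddress

# CloudFlare ranges from comment:1 plus two of the ranges from comment:2.
TRUSTED_PROXIES = [
    "204.93.240.0/24", "204.93.177.0/24", "199.27.128.0/21",
    "173.245.48.0/20", "10.0.0.0/8", "127.0.0.0/8",
]


def parse_ip(entry):
    """Return an ip_address for an IP literal, or None for anything else."""
    entry = entry.strip()
    if entry.startswith("["):
        # Bracketed IPv6 literal, optionally followed by ":port".
        entry = entry[1:].split("]", 1)[0]
    try:
        return ipaddress.ip_address(entry)
    except ValueError:
        return None  # hostname or malformed entry


def in_ranges(ip, cidrs):
    """True if ip lies inside any CIDR block of the same address family."""
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def last_untrusted(header_value, trusted=TRUSTED_PROXIES):
    """Return the rightmost list entry that is not a trusted proxy.

    Entries to the left of it are supplied by the client and are never
    consulted. Hostnames cannot match a CIDR block, so they are returned
    unchanged (assumption). None means every entry was a trusted proxy and
    the caller should fall back to the socket address.
    """
    for entry in reversed(header_value.split(",")):
        entry = entry.strip()
        if not entry:
            continue
        ip = parse_ip(entry)
        if ip is None:
            return entry
        if not in_ranges(ip, trusted):
            return str(ip)
    return None
```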
