Ticket #567 (closed New feature: fixed)

Opened 3 years ago

Last modified 14 months ago

Piwik_Common::getIP() - filter for public IP or from trusted proxy

Reported by: vipsoft
Owned by: vipsoft
Priority: normal
Milestone: Piwik 1.1
Component: Core
Keywords:
Cc:
Sensitive: no

Description (last modified by vipsoft) (diff)

Currently, getIp() only returns a single client IP address, looking at HTTP_CLIENT_IP, HTTP_X_FORWARD_FOR (XFF), and REMOTE_ADDR (in that order).

It's possible that getIp() returns a private IP address. We should make it configurable to return the first "public" IP address which can be geolocated, unless you want the current behavior (e.g., #1054 intranet subnet identification).

These are some private IP address ranges:

  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255

Another consideration is XFF spoofing (increasingly popular with various browser addons). Perhaps we should log both the result from getIp() and REMOTE_ADDR?

(Above two scenarios may or may not involve a reverse proxy.)

Another consideration is #1553 ... the IP address from PiwikTracker should override any logic here.

Change History

Changed 3 years ago by vipsoft

Also, it looks like there are a couple of unreachable codepaths in the current implementation of getIp(). [to be reviewed]

Changed 2 years ago by vipsoft

  • status changed from new to closed
  • sensitive unset
  • resolution set to duplicate

Rolling requirements into #43.

Changed 2 years ago by koteiko

Changed 23 months ago by vipsoft

  • status changed from closed to reopened
  • resolution duplicate deleted

Re-opening as a separate ticket.

Changed 23 months ago by vipsoft

  • owner set to vipsoft
  • status changed from reopened to new

Changed 23 months ago by vipsoft

For intranets, this may be undesirable. So, I'm guessing we'd want to make this configurable. See #1054 use case.

Changed 23 months ago by matt

Why is it not desirable for intranets? I'm afraid my network knowledge is limited.

Changed 23 months ago by vipsoft

Intranets tend to use IP addresses in the private IP address ranges; excluding these would be bad unless configurable.

Changed 23 months ago by vipsoft

  • status changed from new to closed
  • description modified (diff)
  • resolution set to wontfix
  • summary changed from For proxies, Piwik_Common::getIp() should get the first public IP address to Piwik_Common::getIP() - enhancements
  • keywords outofscope added
  • type changed from Bug to New feature

Changed 23 months ago by vipsoft

  • description modified (diff)

Changed 23 months ago by vipsoft

(In [2013]) refs #567 / comment:ticket:567:1 - clean up getIp()

Changed 17 months ago by vipsoft

  • keywords outofscope removed
  • status changed from closed to reopened
  • resolution wontfix deleted
  • milestone changed from Features requests 1.x or 2.x to 1.1 - Piwik 1.1

Changed 17 months ago by vipsoft

  • description modified (diff)

Changed 16 months ago by vipsoft

  • summary changed from Piwik_Common::getIP() - enhancements to Piwik_Common::getIP() - filter for public IP or from trusted proxy

Changed 16 months ago by vipsoft

  • status changed from reopened to closed
  • resolution set to fixed

(In [3211]) fixes #567

Changed 16 months ago by vipsoft

(In [3225]) refs #567

Changed 16 months ago by vipsoft

(In [3226]) refs #567

Changed 16 months ago by vipsoft

(In [3232]) refs #567

Changed 14 months ago by vipsoft

  • status changed from closed to reopened
  • resolution fixed deleted

Changed 14 months ago by vipsoft

This fix was undone by work in #1897, and needs to be revisited.

Changed 14 months ago by vipsoft

The fix is to use the last IP in the comma separated list.

Changed 14 months ago by vipsoft

  • status changed from reopened to closed
  • resolution set to fixed

(In [3463]) fixes #567
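
One way to apply the points raised in this ticket (trust X-Forwarded-For only behind a known proxy, read the comma-separated list from its last entry, and flag private addresses instead of dropping them), as an added example that is not Piwik's code or part of any changeset referenced above. The function name, the exact-match proxy list and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not Piwik's getIp(). resolveClientIp() is a hypothetical name.
// $trustedProxies holds exact IPs of reverse proxies you operate (assumption: no CIDR).
function resolveClientIp(array $server, array $trustedProxies): array
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $source = 'REMOTE_ADDR';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    // Only a trusted proxy may speak for the client. From any other peer the
    // header is client-supplied input and is ignored.
    if (in_array($ip, $trustedProxies, true) && $xff !== '') {
        // Each proxy appends the peer it saw, so the last entries are the ones
        // written by our own infrastructure. Walk the list right to left.
        foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                break; // malformed entry: keep the last address we accepted
            }
            $ip = $hop;
            $source = 'X-Forwarded-For';
            if (!in_array($hop, $trustedProxies, true)) {
                break; // first hop we do not operate: treat it as the client
            }
        }
    }

    // Private and reserved addresses cannot be geolocated. Flag them rather
    // than discard them, so intranet installs still see their visitors.
    $public = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;

    return ['ip' => $ip, 'source' => $source, 'public' => $public];
}

// Constructed requests (documentation-range addresses). 192.0.2.10 is our proxy.
// In the first request the left-most XFF value was sent by the client itself.
$proxies = ['192.0.2.10'];
$requests = [
    ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.99, 198.51.100.7'],
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.99'],
    ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.1.2.3'],
];
foreach ($requests as $r) {
    echo json_encode(resolveClientIp($r, $proxies)), PHP_EOL;
}
```

Logging the returned `source` alongside REMOTE_ADDR keeps both values available for later review, as the description suggests.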
